Why Password Strength Still Matters
Despite years of awareness campaigns, weak and reused passwords remain one of the leading causes of account breaches. When a service you use gets hacked and your password is exposed, attackers try that same email and password combination across dozens of other sites — a technique called credential stuffing. If you reuse passwords, one breach can cascade into many.
Creating strong, unique passwords for every account is the single most impactful step most people can take to protect their online security.
What Makes a Password Strong?
A strong password has several key characteristics:
- Length: At least 12 characters; 16 or more is better. Length is the most important factor: each additional character multiplies the number of possible combinations, so the search space an attacker must cover grows exponentially.
- Variety: A mix of uppercase letters, lowercase letters, numbers, and symbols.
- Unpredictability: No dictionary words, names, dates of birth, or predictable substitutions (like "p@ssw0rd").
- Uniqueness: Never reused across different accounts.
Three Methods for Creating Strong Passwords
Method 1: The Passphrase Approach
A passphrase is a string of several random words joined together, for example correct-horse-battery-staple. This approach is effective because:
- Long passphrases are extremely difficult to crack even without special characters.
- They're much easier to remember than a string of random characters.
Aim for 4–6 genuinely random words, and avoid phrases taken from books, songs, or other well-known sources, since those appear in cracking word lists.
Method 2: Let a Password Manager Generate It
This is the recommended approach for most people. Password managers can generate completely random, high-entropy passwords (e.g., kT8#mXq2!rL9vP) and store them securely. You only need to remember one strong master password.
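As an added example (not code from the original article), the Python script below implements Method 1 and Method 2 with the `secrets` module and computes how much entropy each choice gives, which makes the "length matters most" point measurable. The 16-word list is constructed for illustration only; the 7776-word figure used in the comparison is the size of a standard Diceware list, and a real passphrase generator needs a list of that size.

```python
import math
import secrets
import string

# Constructed sample word list for illustration. A real passphrase generator
# must draw from a large list (e.g. Diceware's 7776 words) to get useful entropy.
WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern",
         "velvet", "cactus", "pebble", "tundra", "maple", "quartz",
         "saddle", "ember", "fjord", "walnut"]
DICEWARE_LIST_SIZE = 7776  # size of the standard Diceware word list

# 94 printable ASCII characters: what a password manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase(n_words=4, words=WORDS, sep="-"):
    """Method 1: join n_words picked with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length=14, alphabet=ALPHABET):
    """Method 2: the kind of random string a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(pool_size, length):
    """Entropy of `length` independent uniform picks from `pool_size` options.
    Only valid when every pick is uniformly random, i.e. not for human-chosen
    words or for a passphrase built from a tiny list like WORDS above."""
    return length * math.log2(pool_size)


def compare():
    """Entropy (bits) for the password styles discussed in the article."""
    return {
        "8 lowercase letters": entropy_bits(26, 8),          # ~37.6 bits
        "8 chars, full alphabet": entropy_bits(94, 8),       # ~52.4 bits
        "16 lowercase letters": entropy_bits(26, 16),        # ~75.2 bits
        "14 chars, full alphabet": entropy_bits(94, 14),     # ~91.8 bits
        "4 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),  # ~51.7 bits
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),  # ~77.5 bits
        "4 words from 16-word list": entropy_bits(len(WORDS), 4),  # 16 bits
    }


if __name__ == "__main__":
    print("passphrase (toy list):", passphrase())
    print("manager-style password:", random_password())
    for style, bits in compare().items():
        print(f"{style:28s} {bits:6.1f} bits")
```

Note that doubling the length of an all-lowercase password (8 to 16 letters) adds more entropy than switching the 8-character version to the full 94-symbol alphabet, which is the article's point about length versus variety in numbers.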
Method 3: A Personal Algorithm
Create a formula only you know: for example, take a base phrase, add the first two letters of the site name, and include a memorable number and symbol. This is less secure than a password manager, because a single leaked password can reveal the pattern behind all the others, but it is still better than reusing simple passwords.
Using a Password Manager
A password manager is software that stores all your passwords in an encrypted vault. The benefits are significant:
- You only need to remember one master password.
- It can generate a unique, strong password for every account automatically.
- Most will alert you if a saved password appears in a known data breach.
- It auto-fills login forms, making the experience seamless.
Well-known password managers include Bitwarden (free and open-source), 1Password, and Dashlane. Your device's built-in manager (Apple Keychain, Google Password Manager) is also a solid option if you're just getting started.
Two-Factor Authentication: Your Second Line of Defence
Even the strongest password can be phished or leaked. Two-factor authentication (2FA) adds a second verification step — usually a code from an app like Google Authenticator or Authy — so that a stolen password alone is not enough to access your account.
Enable 2FA on every account that supports it, prioritising email, banking, and social media accounts.
Common Password Mistakes to Avoid
| Bad Practice | Why It's Risky |
|---|---|
| Using your name or birthday | Easily guessable with basic personal information |
| Reusing the same password | One breach exposes all accounts |
| Simple substitutions (@ for a) | Cracking tools try these substitutions automatically |
| Storing passwords in plain text | A compromised device exposes everything |
| Short passwords under 8 characters | Can be cracked quickly with modern hardware |
Getting Started Today
- Pick a password manager and set it up with a strong master passphrase.
- Start with your most critical accounts: email, banking, and work logins.
- Enable two-factor authentication wherever possible.
- Gradually update other accounts when you log into them naturally — you don't have to do it all at once.
Good password hygiene is one of those things that takes a small amount of effort upfront and then mostly runs itself. The protection it provides is well worth the time to set up.