Password Strength Tips
Practical, no-nonsense advice for creating passwords that hackers can't crack. Follow these tips and your accounts will be orders of magnitude more secure.
The 8 Rules of Strong Passwords
1. Make it long — 14 characters minimum
Length is the single most important factor in password strength. Each additional character multiplies the number of possible combinations by the size of the character pool, so the search space grows exponentially with length. A 14-character password with mixed character types would take millions of years to crack by brute force. Aim for 16+ characters on your most important accounts.
2. Mix all four character types
Use lowercase letters, uppercase letters, numbers, and symbols. This expands the character pool from 26 (lowercase only) to 95 (all printable ASCII characters). At 10 billion guesses per second, an 8-character lowercase password falls in 21 seconds. Add all character types and that same length takes 6.5 hours.
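The arithmetic behind this tip, as an added example that is not part of the original page: the script computes the search space, the entropy in bits and the worst-case exhaustive-search time for a given pool size and length at the 10 billion guesses per second rate quoted above. The pool sizes are the standard printable-ASCII counts; the intermediate "letters+digits" pool (62 symbols) is included to show how much of the jump comes from digits alone versus the full symbol set. Plug in your own rate to model a different attacker.

```python
import math

# Guess rate quoted in the tip above: 10 billion guesses per second.
GUESS_RATE = 10_000_000_000

# Standard printable-ASCII pool sizes (the 95 includes space).
POOLS = {
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "letters+digits": 62,
    "all printable ASCII": 95,
}


def search_space(pool_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `pool_size` symbols."""
    return pool_size ** length


def worst_case_seconds(pool_size: int, length: int, rate: int = GUESS_RATE) -> float:
    """Time to try every candidate at `rate` guesses/second (average is half of this)."""
    return search_space(pool_size, length) / rate


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits (length * log2(pool))."""
    return length * math.log2(pool_size)


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for length in (8, 12, 14, 16):
        for name, size in POOLS.items():
            print(f"{length:2d} chars, {name:20s}: "
                  f"{entropy_bits(size, length):5.1f} bits, "
                  f"worst case {human(worst_case_seconds(size, length))}")
```

The worst-case figure assumes the attacker has an offline copy of the password hash and a fast hash; a slow, salted hash (bcrypt, scrypt, Argon2) cuts the guess rate by orders of magnitude, which is why length matters even more for sites that hash properly than the raw numbers suggest.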
3. Never reuse passwords across accounts
When a website gets hacked, attackers try stolen passwords on other sites (credential stuffing). If you reuse your email password on a small forum that gets breached, your email is now compromised too. Every account needs a unique password — no exceptions.
4. Avoid dictionary words and common patterns
Hackers don't just brute-force — they use wordlists containing millions of common passwords, dictionary words, names, dates, and keyboard patterns. "Sunshine2024!" looks complex but appears in most cracking dictionaries. Common substitutions like "@" for "a" or "0" for "o" are also well-known to attackers.
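A minimal version of the check a cracking rule set performs, as an added example that is not the page's own checker: it lowercases the candidate, strips the decorations people bolt on (trailing years, "!" and the like), reverses the common letter-for-symbol substitutions and looks the remaining base word up in a wordlist. The wordlist and the substitution table here are constructed, tiny stand-ins; real cracking dictionaries hold millions of entries and rule sets cover far more transformations.

```python
import re
from typing import Optional

# Constructed miniature wordlist standing in for a real cracking dictionary.
WORDLIST = {"sunshine", "password", "qwerty", "letmein", "monkey", "dragon", "welcome"}

# Substitutions a cracker's rules reverse (constructed subset of a real rule set).
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalise(password: str) -> str:
    """Recover the probable base word: lowercase, drop leading/trailing
    digits and punctuation (years, '!' ...), then undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # strip "2024!"-style suffixes first
    base = re.sub(r"^[^a-z]+", "", base)   # and any leading decoration
    return base.translate(LEET)            # p@ssw0rd -> password


def assess(password: str) -> Optional[str]:
    """Return a reason the password is weak, or None if this simple check finds nothing."""
    base = normalise(password)
    if base in WORDLIST:
        return f"dictionary word '{base}' with decorations"
    if len(password) < 14:
        return "shorter than 14 characters"
    return None


if __name__ == "__main__":
    for candidate in ("Sunshine2024!", "P@ssw0rd2023", "xK9#mQ2p",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {assess(candidate) or 'no obvious weakness'}")
```

Note the ordering: the suffix is stripped before the substitutions are reversed, otherwise the "0" and "4" in "2024" would be turned into letters and the year would no longer look like a suffix.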
5. Use a password manager
No human can memorise dozens of unique, random, 16-character passwords. That's what password managers are for. Tools like Bitwarden (free), 1Password, or KeePass generate and securely store your passwords. You only need to remember one strong master password. This is the single most impactful thing you can do for your security.
6. Enable two-factor authentication (2FA)
Even the strongest password can be stolen through phishing or a server breach. 2FA adds a second layer — typically a code from an authenticator app or a hardware key. Even if an attacker has your password, they can't log in without the second factor. Enable it everywhere it's available, especially email and banking.
7. Don't include personal information
Your name, birthday, pet's name, address, phone number — all of these are either publicly available or easily guessed. Attackers routinely scrape social media for personal details and build targeted wordlists. A password should have zero connection to your identity.
8. Consider passphrases for memorable passwords
If you need a password you can remember (like your master password), use a passphrase — four or more random, unrelated words. "correct horse battery staple" is far stronger than "Tr0ub4dor&3" and much easier to remember. Add some capitals, numbers, or symbols between words for extra strength.
Do's and Don'ts at a Glance
Do
- Use 14+ random characters
- Use a different password per site
- Use a password manager
- Enable 2FA on all accounts
- Use random passphrases
- Check passwords against breach databases
Don't
- Use dictionary words or names
- Reuse passwords across sites
- Use personal info (birthdays, pets)
- Rely on simple substitutions (@ for a)
- Write passwords on sticky notes
- Share passwords via text or email
How Often Should I Change My Password?
The old advice of "change your password every 90 days" is outdated. NIST (the US National Institute of Standards and Technology) now recommends against mandatory periodic password changes because they lead people to use weaker, more predictable passwords.
Instead, change your password when:
- You suspect the account has been compromised
- A service you use reports a data breach
- You've been sharing the password with someone who no longer needs access
- Your current password is weak (test it with our password checker)
What About Password Generators?
Password generators built into password managers are the gold standard. They create truly random strings that are infeasible to guess. The key is that you never need to memorise them — the password manager handles that. Let machines generate passwords and let machines store them.
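How a generator of this kind works, and how the passphrase advice in rule 8 compares, as an added example that is not code from any password manager: both functions draw from Python's `secrets` module (a CSPRNG, unlike `random`) and the entropy is reported in bits so a random 16-character string and a four-word passphrase can be compared directly. `SAMPLE_WORDS` is a constructed 32-word list; a real list such as the EFF's has 7776 words, and the entropy figures show why the size of the list, not the memorability of the words, is what makes a passphrase strong.

```python
import math
import secrets
import string

# 94 symbols: letters, digits and punctuation (string.punctuation has 32; space excluded).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word stand-in for a real passphrase list (a real list has thousands).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "bridge", "candle", "desert",
    "engine", "forest", "garden", "hammer", "island", "jacket", "kettle", "ladder",
    "marble", "needle", "orange", "pepper", "quartz", "rocket", "saddle", "timber",
    "umbrella", "velvet", "walnut", "xenon", "yogurt", "zipper", "copper", "meadow",
]

# Size of the EFF large wordlist, used only to compute the entropy a real list gives.
EFF_LARGE_LIST_SIZE = 7776


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random string from `alphabet`, using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 4, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Uniformly random words joined by `sep` (no capitals or digits added; entropy comes from the list)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def bits_of_entropy(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print("random 16-char password:", random_password(16),
          f"({bits_of_entropy(len(PRINTABLE), 16):.1f} bits)")
    print("4-word passphrase from sample list:", passphrase(4),
          f"({bits_of_entropy(len(SAMPLE_WORDS), 4):.1f} bits)")
    print("4 words from a 7776-word list would give",
          f"{bits_of_entropy(EFF_LARGE_LIST_SIZE, 4):.1f} bits")
```

Four words from the 32-word sample list give only 20 bits, which is why a passphrase should be drawn from a large list (four words from 7776 gives about 52 bits, six words about 78); adding capitals, digits or symbols between the words, as rule 8 suggests, raises the figure further but only if those additions are also chosen randomly.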
Want to see how your current passwords stack up? Test your password strength with our free, private checker, or learn more about what makes a good password.
How Strong Is Your Password?
Put these tips to the test. Check your password strength instantly — 100% private, nothing leaves your browser.