How to Create Strong Passwords (and Why Length Beats Complexity)
Most password advice people absorbed over the years — replace letters with symbols, change passwords every 90 days — is outdated. Modern guidance from NIST and security researchers is simpler and more effective: make passwords long, random, and unique, and let a manager remember them.
How Passwords Actually Get Cracked
Attackers rarely guess passwords one at a time on a login page. They steal hashed password databases and run offline attacks testing billions of candidates per second, starting with leaked-password lists, dictionary words, and common patterns like "Name@Year". A password like P@ssw0rd1! falls in milliseconds because every substitution trick is already in the cracking rulebooks.
What resists these attacks is entropy — genuine randomness. Each additional random character multiplies the search space; a truly random 16-character password with mixed character sets is beyond practical cracking with current hardware.
Length Beats Cleverness
A random 16-character password (around 100 bits of entropy) is astronomically stronger than a clever 8-character one (under 50 bits). If you must memorize a password, a passphrase of four or more random words — the famous "correct horse battery staple" pattern — offers strong entropy while staying human-friendly.
The critical caveat: the words must be genuinely random, not a meaningful phrase. Song lyrics and famous quotes are in every cracking dictionary.
Uniqueness Is Non-Negotiable
Credential stuffing — trying leaked email/password pairs on other sites — is the top account-takeover method. One reused password means one site’s breach compromises your email, banking, and social accounts simultaneously. Every account needs its own random password, which is only practical with a password manager.
A manager also neutralises phishing to a degree: it will not autofill your credentials on a lookalike domain.
Beyond Passwords
Enable two-factor authentication everywhere, preferring app-based codes or hardware keys over SMS. Where offered, adopt passkeys — cryptographic credentials bound to your device that cannot be phished or reused. And ignore forced periodic password changes: NIST now recommends changing passwords only when there is evidence of compromise.