Most people use passwords that are easy to remember — and easy to guess. Names, birthdays, pet names, “password123,” or the same password they use everywhere. This works fine until one of those sites gets breached and someone tries your email and password on every other site.
You do not need to be a security expert to have good passwords. You just need to understand what makes a password strong and have a method for creating ones you can actually remember.
What makes a password strong
A password’s strength depends on two things: how long it is and how unpredictable it is.
Length matters more than complexity. A 20-character password made of simple words is harder to crack than an 8-character password with lots of symbols and numbers. This is because longer passwords have more possible combinations, and brute-force attacks (trying every combination) take exponentially longer as the password gets longer.
Unpredictability matters. If your password is a common word, a name, a date, or a pattern on the keyboard (like “qwerty” or “123456”), it is weak no matter how long it is. Attackers try common words and patterns first.
A simple method: the passphrase approach
Instead of trying to remember something like “Xj9#kL2!mN,” create a passphrase — a string of random, unrelated words.
Here is how:
- Pick three or four random words
- Put them together
- Optionally add a number or symbol
Examples:
- correct-horse-battery-staple (this is a famous example from the webcomic XKCD)
- purple-bicycle-kitchen-42
- mountain-paper-telephone-garden
- coffee-window-river-7
These are long, hard to guess, and much easier to remember than random characters. You can picture a purple bicycle in a kitchen, or a coffee cup by a window overlooking a river. The mental image helps you remember.
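To put numbers on the two ideas above (length and unpredictability) and on the word-picking step, here is an added example in Python. It is not part of this guide. It counts how many combinations a password has and how many bits of entropy that is, assuming every character or word is chosen uniformly at random, and it picks words with the secrets module rather than a guessable random generator. The 16-word list is constructed for the example; 7776 is the size of a Diceware-style wordlist and 95 is the number of printable ASCII characters. The formula only counts genuinely random choices: a word or pattern that appears on a common list is drawn from a far smaller space, which is the unpredictability point above.

```python
import math
import secrets

# Constructed sample wordlist, used only to keep this example self-contained.
# A real generator should draw from a large published list (Diceware-style
# lists contain 7776 words); with only 16 words, four picks give just 16 bits.
SAMPLE_WORDS = [
    "window", "turtle", "orange", "bridge", "purple", "bicycle", "kitchen",
    "mountain", "paper", "telephone", "garden", "coffee", "river", "horse",
    "battery", "staple",
]


def combinations(alphabet_size: int, length: int) -> int:
    """Number of possible secrets when each of `length` positions is chosen
    independently from `alphabet_size` options (characters or words)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret: log2 of the number of
    combinations, i.e. length * log2(alphabet_size). Each extra position adds
    a constant number of bits, so the search space grows exponentially."""
    return length * math.log2(alphabet_size)


def growth_table(alphabet_size: int, lengths: range) -> list:
    """(length, combinations, bits) rows showing how strength grows with length."""
    return [(n, combinations(alphabet_size, n), round(entropy_bits(alphabet_size, n), 1))
            for n in lengths]


def generate_passphrase(words: list, count: int = 4, separator: str = "-") -> str:
    """Pick `count` words uniformly at random. secrets.choice uses the operating
    system's random source; the random module must not be used for secrets."""
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word to pick and at least two to choose from")
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print("8 random printable ASCII characters:", round(entropy_bits(95, 8), 1), "bits")
    for n in (4, 5, 6):
        print(f"{n} random words from a 7776-word list:", round(entropy_bits(7776, n), 1), "bits")
    for length, total, bits in growth_table(95, range(8, 13)):
        print(f"{length} random characters: {total} combinations, {bits} bits")
    print("Sample passphrase (from the tiny constructed list):", generate_passphrase(SAMPLE_WORDS))
```

Each extra random word from a 7776-word list adds about 12.9 bits and each extra random printable character about 6.6 bits, so per item you have to remember, words buy more strength than characters. The list size matters as much as the word count: the same four picks from the 16-word sample list give only 16 bits.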
What to avoid
Personal information. Your name, birthday, phone number, pet’s name, or partner’s name are all easy to find and should not be in your password.
Common words and patterns. “password,” “letmein,” “qwerty,” “abc123,” and “111111” are among the first things attackers try.
Short passwords. Anything under 12 characters is considered weak by modern standards. If your bank requires only 8 characters, use 16 or more anyway.
The same password everywhere. If one site gets breached, every site where you used that password is at risk. At a minimum, use different passwords for your email, banking, and social media accounts — these are the ones that would cause the most harm if compromised.
Making it practical
You probably have dozens of accounts and you cannot remember 30 unique passphrases. Here are two approaches.
The best option: use a password manager. A password manager generates and stores a unique, strong password for every account. You only need to remember one master password — the manager handles the rest. Most browsers have a built-in password manager, and there are standalone apps like Bitwarden, 1Password, or KeePass. If you are not using one yet, this is the single most useful thing you can do for your password security.
If you prefer to manage passwords yourself. Use a different passphrase for your most important accounts — your email, your bank, and any account that stores payment information. These are the accounts where a breach would cause real problems.
For less important accounts, you can use a variation. If your main passphrase is “purple-bicycle-kitchen-42,” you could use “purple-bicycle-kitchen-42-news” for a news site and “purple-bicycle-kitchen-42-shop” for a shopping site. This is not as strong as completely unique passwords, but it is much better than using the same password everywhere.
Writing passwords down. If you struggle to remember passphrases, writing them down and keeping the paper in a safe place at home is a reasonable backup. This is not ideal — anyone with physical access to the paper could see them — but for most people, a written password in a drawer is safer than a weak password you can remember. Do not leave the list near your computer or in a shared space.
A concrete example
Suppose you need a password for your email account. You decide to use the passphrase method.
You pick four random words: window, turtle, orange, bridge.
Your base passphrase is: window-turtle-orange-bridge
To make it specific to your email: window-turtle-orange-bridge-email
This is 36 characters long, easy to remember (you can picture a turtle on a bridge holding an orange near a window), and unique to that account.
Things people get wrong
Adding numbers and symbols in predictable places. Changing “password” to “p@ssw0rd” does not make it strong. Attackers know about common substitutions like @ for a, 0 for o, and 1 for i.
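As an added example that is not from this guide, here is a small Python checker for the mistakes listed under "What to avoid" and in the paragraph above: it undoes the usual substitutions before comparing against a common-password list, rejects anything under 12 characters, flags keyboard runs and repeated characters, and looks for personal terms you pass in. The common-password list is a constructed sample containing the entries mentioned in this guide plus a few others; a real checker would load a large list, ideally one derived from breach data. Passing this check does not make a password strong; failing it means the password is certainly weak.

```python
import re

# Constructed sample of entries of the kind found in "most common passwords"
# lists. A real checker would load a large, breach-derived list.
COMMON_PASSWORDS = {
    "password", "letmein", "qwerty", "abc123", "111111", "123456",
    "iloveyou", "welcome", "admin", "monkey", "dragon",
}

# Common substitutions, reversed, so that "p@ssw0rd" is compared as "password".
UNDO_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t",
})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def undo_substitutions(password: str) -> str:
    """Lower-case the password and map substituted characters back to letters."""
    return password.lower().translate(UNDO_SUBSTITUTIONS)


def strip_decoration(password: str) -> str:
    """Drop leading and trailing digits/symbols: 'password123!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password)


def has_keyboard_run(password: str, run: int = 4) -> bool:
    """True if `run` adjacent keys from one keyboard row appear in order or reversed."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in password or segment[::-1] in password:
                return True
    return False


def check_password(password: str, personal_terms=(), min_length: int = 12) -> list:
    """Return a list of problem codes; an empty list means none of the listed
    weaknesses was found. It cannot prove a password strong."""
    problems = []
    raw = password.lower()
    if len(password) < min_length:
        problems.append("too_short")
    # Compare the password, with and without decoration and substitutions,
    # against the common list.
    candidates = {
        raw,
        undo_substitutions(raw),
        strip_decoration(raw),
        undo_substitutions(strip_decoration(raw)),
    }
    if candidates & COMMON_PASSWORDS:
        problems.append("common")
    if any(len(term) >= 3 and term.lower() in raw for term in personal_terms):
        problems.append("personal_info")
    if has_keyboard_run(raw):
        problems.append("keyboard_pattern")
    if re.search(r"(.)\1{3,}", raw):  # the same character four or more times in a row
        problems.append("repeated_chars")
    return problems


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "P@ssw0rd123!", "qwertyuiop1234", "111111",
                      "window-turtle-orange-bridge-email"):
        print(f"{candidate!r}: {check_password(candidate) or 'no listed weakness'}")
    # Personal terms are supplied by the user; "Fluffy" and "1990" are constructed values.
    print(check_password("fluffy-birthday-1990", personal_terms=["Fluffy", "1990"]))
```

Run with a password of your own to see which rule it trips. The substitution reversal is the part that matters for the paragraph above: "P@ssw0rd123!" is twelve characters with a symbol and digits, and it is still rejected because it is "password" underneath.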
Sharing passwords by email or text. If you need to share a password with someone, do it in person or over a phone call. Email and text messages are not secure ways to share passwords.
Never changing passwords. You do not need to change your passwords on a regular schedule (this advice is outdated). But you should change a password immediately if you hear that a service you use has been breached.
Other approaches
Passphrases work well for passwords you need to type and remember. If you want a more automated approach, a password manager can generate and store unique passwords for every account. This is generally the most secure option for people with many accounts.
The passphrase approach described here is a good alternative if you prefer to manage passwords yourself. The most important thing is that each important account has a different password — how you achieve that is less important than actually doing it.
Related guides
- How to Recognize a Phishing Email — recognizing phishing attempts that try to steal your passwords