How to Create Secure Passwords

What Makes a Password Secure

A secure password is one that resists guessing attacks, brute force attempts, and dictionary-based cracking methods. The fundamental goal of a strong password is to make it computationally infeasible for an attacker to discover it within a reasonable timeframe. Modern computers can attempt billions of password combinations per second, which means weak passwords can be cracked in seconds.

Several factors contribute to password security. The most important is length, followed by the size of the character set used, and finally the unpredictability of the character sequence. A password that uses a mix of uppercase letters, lowercase letters, numbers, and special symbols from a large pool of characters is inherently harder to crack than one that uses only lowercase letters.

However, security is not just about mathematical strength. A password must also be resistant to social engineering attacks. This means avoiding personal information like birthdays, pet names, or favorite sports teams that an attacker might discover through research. The best password is one that is both mathematically strong and completely unrelated to your personal life.

Another critical factor is uniqueness. Using the same password across multiple sites means that if one site is breached, all your accounts become vulnerable. Credential stuffing attacks rely on people reusing passwords across services. Each account should have its own unique password that is not derivable from passwords used on other sites.

Length vs Complexity

There is an ongoing debate in the security community about whether password length or complexity matters more. The mathematical reality is clear: length wins. Each additional character in a password multiplies the number of possible combinations, while adding more character types only adds a multiplicative factor.

Consider a password using only lowercase letters (26 characters). An 8-character password has 26^8 = 208 billion possible combinations. Adding uppercase, numbers, and symbols (roughly 95 printable characters) gives 95^8 = 6.6 quadrillion combinations. That sounds much better, but a 12-character lowercase-only password has 26^12 = 9.5 sextillion combinations — vastly more than the "complex" 8-character password.

Password Length Lowercase Only (26) Mixed Case (52) + Numbers (62) + Symbols (95)
6308 million19 billion56 billion735 billion
8208 billion53 trillion218 trillion6.6 quadrillion
10141 trillion144 quadrillion839 quadrillion59 quintillion
1295 quadrillion390 quintillion3.2 sextillion540 sextillion
1643 sextillion2.8 octillion47 octillion2.1 nonillion

This table demonstrates that a 16-character lowercase password is astronomically harder to crack than an 8-character password with all character types. The practical takeaway is to prioritize length. Aim for passwords of at least 12 characters, and preferably 16 or more. Complexity requirements should be secondary to length.

Modern NIST guidelines (SP 800-63B) have shifted to reflect this understanding. They now recommend long passwords without imposing arbitrary complexity rules like requiring uppercase, numbers, and symbols. The old rules often led to predictable patterns like "P@ssw0rd1" which are actually weaker than a longer but simpler passphrase.

Common Password Mistakes

Despite years of security awareness campaigns, people continue to make predictable password mistakes. Understanding these pitfalls is the first step toward creating truly secure credentials.

  • Using common passwords: Passwords like "123456", "password", "qwerty", and "letmein" appear in every breach database and are tried first in any attack. These can be cracked in under a second.
  • Simple substitutions: Replacing 'a' with '@' or 'o' with '0' (like "P@ssw0rd") is well-known to password crackers. Modern cracking tools automatically try these substitutions.
  • Appending numbers or symbols: Adding "1!" or "123" to the end of a word (like "Password123!") creates a predictable pattern that cracking tools specifically target.
  • Using personal information: Birthdays, anniversaries, names of children or pets, favorite teams, and addresses are all easily discoverable through social media and public records.
  • Short passwords: Anything under 8 characters can be brute-forced in minutes to hours with modern hardware, regardless of complexity.
  • Reusing passwords: Using the same password across multiple sites means a single breach compromises all your accounts. Credential stuffing attacks exploit this habit.
  • Writing passwords insecurely: Sticking passwords on monitors, saving them in plain text files, or emailing them to yourself defeats the purpose of having strong passwords.
  • Rotating passwords unnecessarily: Forced periodic password changes lead to predictable patterns like "Password2024", "Password2025". NIST now recommends against forced rotation.

The most dangerous mistake is assuming you are not a target. Automated attacks do not discriminate — they try billions of credentials against millions of accounts. Every online account is a potential target, regardless of how unimportant you think it might be.

Using Password Managers

A password manager is software that generates, stores, and auto-fills strong, unique passwords for all your accounts. It is arguably the single most important security tool you can use. Instead of memorizing dozens of passwords, you only need to remember one strong master password.

Password managers solve the fundamental problem of password security: humans are terrible at creating and remembering random strings. A password manager can generate passwords like kX9#mP2$vL7@nQ4w that are truly random and unique for every site, then fill them in automatically when you visit those sites.

Most password managers offer features beyond simple password storage. They can store secure notes, credit card information, and identity data. Many include password health reports that identify weak, reused, or compromised passwords in your vault. Some offer breach monitoring that alerts you if any of your stored credentials appear in known data breaches.

When choosing a password manager, consider factors like encryption standards (AES-256 is the minimum), zero-knowledge architecture (the provider cannot access your vault), cross-platform availability, and whether the source code is open for audit. Popular options include Bitwarden (open source), 1Password, KeePass (offline), and Dashlane.

The security of a password manager depends almost entirely on the strength of your master password. This is the one password you must memorize, and it should be exceptionally strong — ideally a passphrase of 4-6 random words totaling 20+ characters. Enable two-factor authentication on your password manager for an additional layer of protection.

Passphrases: A Better Approach

A passphrase is a password made up of multiple words strung together, such as "correct horse battery staple" (famously illustrated in an XKCD comic). Passphrases are easier to remember than random character strings while being mathematically stronger, making them the ideal solution for passwords you need to memorize.

The strength of a passphrase comes from its length. Even using only common English words, each word adds roughly 10-15 bits of entropy to the password. A four-word passphrase from a dictionary of 7776 words (the Diceware standard) provides about 51.7 bits of entropy — equivalent to a random 8-character password with all character types, but far easier to remember.

To create a strong passphrase:

  • Use at least 4-6 words, preferably 5 or more
  • Choose words randomly — do not construct a grammatically correct sentence
  • Use a word list or dice to select words rather than picking them from memory
  • Consider adding a number or special character somewhere in the middle, not just at the end
  • Avoid famous quotes, song lyrics, or book passages — these are in cracking dictionaries
  • The words should feel unrelated to each other when possible

A good technique is the Diceware method: roll five dice to generate a random number between 1 and 7776, then look up the corresponding word on the Diceware word list. Repeat this process 5-6 times to create your passphrase. This method ensures true randomness and makes the passphrase resistant to pattern-based attacks.

For accounts where you will use a password manager and never need to type the password manually, prefer random character strings of 16-20 characters. For passwords you must memorize (master password, laptop login, phone unlock), passphrases are the superior choice.

Understanding Password Entropy

Entropy is a measure of password strength expressed in bits. It quantifies the amount of randomness or uncertainty in a password. The higher the entropy, the harder the password is to crack. Understanding entropy helps you make informed decisions about password security.

The formula for calculating password entropy is: E = L × log₂(N), where L is the password length and N is the size of the character pool. For example, an 8-character password using 95 printable ASCII characters has entropy of 8 × log₂(95) = 8 × 6.57 = 52.6 bits.

Each bit of entropy doubles the number of possible passwords. A password with 40 bits of entropy has 2^40 (about 1 trillion) possible combinations. Adding one bit doubles this to 2 trillion. This exponential growth is why even small increases in entropy dramatically improve security.

Entropy (bits) Possible Combinations Approximate Strength
20~1 millionVery weak — crackable in seconds
30~1 billionWeak — crackable in minutes
40~1 trillionModerate — crackable in hours
50~1 quadrillionStrong — crackable in months
60~1 quintillionVery strong — crackable in centuries
80~1.2 × 10²⁴Excellent — practically uncrackable
128~3.4 × 10³⁸Maximum — uncrackable with any technology

For most purposes, aim for a minimum of 60 bits of entropy for important accounts (email, banking) and at least 40 bits for low-risk accounts. Your master password should have at least 80 bits of entropy. These thresholds assume current computing power — as hardware improves, entropy requirements will increase over time.

Best Practices Summary

Creating and maintaining secure passwords does not have to be complicated. Follow these evidence-based best practices to protect your accounts effectively.

Practice Why It Matters Implementation
Use a password manager Eliminates reuse and enables unique random passwords Install Bitwarden, 1Password, or similar
Minimum 12 characters Length is the primary factor in password strength 16+ characters for important accounts
Unique password per account Prevents credential stuffing attacks Let your password manager generate them
Enable two-factor authentication Protects even if password is compromised Use authenticator apps over SMS when possible
Use passphrases for memorized passwords Easier to remember, harder to crack 5+ random words, 20+ characters
Check for breaches regularly Early detection of compromised credentials Use haveibeenpwned.com or password manager alerts
Avoid password reuse One breach does not compromise all accounts Each site gets a completely unique password
Do not force periodic changes Prevents predictable rotation patterns Change only when breach is suspected

Tips for Different Account Types

Different accounts carry different levels of risk and require different security approaches. Tailoring your password strategy to the account type ensures you allocate your security effort where it matters most.

Email Accounts

Your email is the skeleton key to your digital life. If an attacker gains access to your email, they can reset passwords for virtually every other account you own. Use the strongest possible password for your primary email — a long passphrase or a 20+ character random string stored in your password manager. Enable two-factor authentication with a hardware key or authenticator app. Never use SMS-based 2FA for email if alternatives exist, as SIM swapping attacks can bypass SMS verification.

Financial Accounts

Banking, investment, and payment accounts directly protect your money. Use unique, random passwords of at least 16 characters for each financial account. Enable all available security features, including transaction alerts, biometric authentication, and hardware security keys where supported. Never access financial accounts from shared or public computers, and always verify you are on the legitimate website before entering credentials.

Social Media Accounts

While social media accounts may not directly protect financial assets, they are valuable targets for impersonation, spam distribution, and social engineering. A compromised social media account can be used to scam your contacts or damage your reputation. Use unique passwords and enable two-factor authentication. Be especially cautious about third-party applications that have access to your social media accounts — revoke access for apps you no longer use.

Work and Business Accounts

Professional accounts often contain sensitive business data, client information, and intellectual property. Follow your organization's password policies, but go beyond the minimum requirements. Use your company's approved password manager if available. Be particularly vigilant about phishing attempts targeting business credentials. If you manage a team, enforce strong password policies and provide security awareness training.

Low-Risk Accounts

For accounts that contain no sensitive information and have no financial implications (news sites, forums, recipe sites), you can use a less complex but still unique password generated by your password manager. A 12-character random password is sufficient for these accounts. The key principle remains: never reuse passwords, even for low-risk accounts, as they can serve as entry points for social engineering.