How to Create Strong Passwords
The old rules — one capital, one number, change it every 90 days — are obsolete. Modern guidance is simpler and stronger: go long, never reuse, and let a tool remember.
Your password is the lock on your digital front door, and most people are still using a flimsy one. The advice you grew up with — cram in a capital letter, a number and a symbol, then change it every 90 days — has been quietly overturned by the people who set the standards. Modern guidance is simpler and far stronger: make passwords long, make every one unique, and let a tool remember them. Here is how to do exactly that.
Key takeaways
- Length beats complexity. A long passphrase like correct-harbor-mango-quilt is both easier to remember and harder to crack than P@ssw0rd1.
- Reuse is the real danger. One breached site exposes every account that shares that password — attackers test stolen logins everywhere (“credential stuffing”).
- Aim for at least 12–16 characters; current NIST guidance permits up to 64 and tells systems not to force complexity rules or routine resets.
- You cannot remember 100 unique strong passwords — a password manager is the real answer, and our password generator creates them instantly.
- Check your accounts at Have I Been Pwned, then switch on two-factor authentication for the accounts that matter.
Why length beats complexity
Every character you add to a password multiplies the number of combinations an attacker must try — and length adds far more security than swapping letters for symbols. The U.S. National Institute of Standards and Technology (NIST), whose Digital Identity Guidelines (SP 800-63B) underpin password policy worldwide, now makes this explicit. NIST tells systems to allow passwords of at least 64 characters, to support passphrases including spaces, and pointedly not to impose composition rules such as requiring mixed character types. Its latest revision goes further still, recommending a minimum of 15 characters where a password is the only protection on an account.
The reason is mathematical. Adding length expands the search space exponentially, while a predictable “complexity” tweak — a capital at the front, a 1 and a ! at the end — barely helps, because attackers know everyone does the same thing. NIST also retired the old habit of forcing routine password changes; it says systems should not require periodic resets and should only force a change when there is evidence the password has been compromised, because regular resets just push people toward weak, predictable variations.
Think in words, not characters. Four or five random, unrelated words give you a 25–30 character password you can actually picture in your head. velvet-anchor-puzzle-cloud is dramatically stronger than Tr0ub4dor&3 — and far easier to type.
Why password reuse is the real danger
If you only fix one thing, fix this: stop reusing passwords. Reuse is what turns one company’s breach into your personal catastrophe.
When a website is hacked, attackers walk away with millions of email-and-password pairs. They then run those credentials against banks, email providers, shopping and social accounts in an automated attack called credential stuffing. If you used the same password on your breached forum and your email, the attacker now owns your email — and from there they can reset the password on almost everything else. A single unique password per site contains the blast radius to that one account.
Your email account is the master key. Because password resets land in your inbox, whoever controls your email can take over nearly every other account you own. Give your email address its own long, unique password and the strongest 2FA you can — treat it as the crown jewels.
How attackers actually crack passwords
Knowing how passwords fall makes good ones obvious. Attackers use three main approaches:
- Breach reuse. The easiest of all — no cracking needed. They take passwords already leaked from one site and try them elsewhere. This is why uniqueness matters more than raw complexity.
- Dictionary attacks. Software races through huge lists of common passwords, real words, names, dates and known leaked passwords — plus predictable tricks like adding “123” or swapping a→@. Anything word-based and short falls quickly.
- Brute force. Trying every possible combination. This is where length wins decisively: each extra character makes the job exponentially slower, so a long random passphrase becomes infeasible to brute-force in any practical timeframe, while an 8-character password can fall fast.
Crucially, attackers usually crack passwords offline, against a stolen database, where they can make billions of guesses without any “too many attempts” lockout. That is why the strength of the password itself — not just the website’s login limits — is what protects you.
How to build a strong passphrase
You only need to memorise a handful of passwords by hand — chiefly your password manager’s master password and your email. For those, build a passphrase:
Pick four or more random, unrelated words
Choose words that have nothing to do with each other and nothing to do with you — not a quote, song lyric or common phrase. Think otter, granite, velcro, marigold. The randomness is what makes it strong.
Join them and add a little variation
String them with hyphens or spaces, e.g. otter-granite-velcro-marigold. If a site demands a number or symbol, add one in a spot you will remember rather than scattering them randomly. You now have a 25–30 character password.
Make it memorable, never guessable
Picture the four words as a single absurd scene — an otter on a granite slab wrapped in velcro holding a marigold. A vivid mental image sticks far better than a string of symbols, and it is yours alone.
Use a unique passphrase only where you must type it
Reserve hand-made passphrases for the few accounts you log into directly without the manager — everything else should get a long random string from a generator (below). Try our free password generator to create one instantly.
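To put numbers on the two points above (length beats complexity; build a passphrase from random words), here is an added Python example that is not from this page or from any tool it links to: it draws words with the operating system's CSPRNG and estimates the search space and offline crack time for the comparisons the text makes. The 7,776-word size is that of the EFF long wordlist; the 10^11 guesses-per-second rate, the 50,000-word dictionary behind the "word plus tweaks" model, and the tiny embedded wordlist are assumptions made for the example.

```python
import math
import secrets

# Constructed mini wordlist so the block runs offline. A real generator draws
# from a large published list such as the EFF long wordlist (7,776 words).
WORDLIST = ("otter granite velcro marigold velvet anchor puzzle cloud harbor "
            "mango quilt lantern pepper tunnel walrus comet saddle fossil "
            "ribbon cactus meadow bottle turnip gravel").split()
EFF_LIST_SIZE = 7776
GUESS_RATE = 1e11  # assumed offline guesses/second against a stolen, weakly hashed database


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` independent uniform picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def predictable_complex_bits(dictionary_size: int = 50_000) -> float:
    """Assumed rough model of a word-plus-tweaks password such as Tr0ub4dor&3:
    one dictionary word, maybe a leading capital, one trailing digit, one trailing
    symbol. Cracking tools apply these transforms automatically, so they add few bits."""
    return (math.log2(dictionary_size)  # which word
            + 1                          # capitalised or not
            + math.log2(10)              # which digit
            + math.log2(10))             # which of ~10 popular symbols


def crack_time_seconds(bits: float, rate: float = GUESS_RATE) -> float:
    """Expected time to hit the password after trying half the search space."""
    return 2 ** bits / 2 / rate


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Draw words uniformly with the OS CSPRNG (never the `random` module) and join them."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def strength_table() -> dict:
    """Bits and crack time for the page's comparisons; each extra EFF word adds ~12.9 bits."""
    cases = {
        "word + capital/digit/symbol": predictable_complex_bits(),
        "8 random printable chars": search_space_bits(94, 8),
        "4 random EFF words": search_space_bits(EFF_LIST_SIZE, 4),
        "5 random EFF words": search_space_bits(EFF_LIST_SIZE, 5),
        "6 random EFF words": search_space_bits(EFF_LIST_SIZE, 6),
    }
    return {name: (round(bits, 1), crack_time_seconds(bits)) for name, bits in cases.items()}


if __name__ == "__main__":
    print("generated:", generate_passphrase(5))
    for name, (bits, secs) in strength_table().items():
        print(f"{name:30s} {bits:5.1f} bits  ~{secs / 86400:.3g} days")
```

Note that a truly random 8-character password and four random EFF words come out about equal; the gap the text describes comes from the predictable structure of human-chosen "complex" passwords, and from the fifth and sixth word each multiplying the work by nearly 8,000.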
What not to do
Strong passwords are as much about avoiding the obvious as anything. Steer clear of:
- Personal information. Names of family or pets, birthdays, your address or phone number, your favourite team — all of it is discoverable on social media and tried first.
- Dates and sequences. Years, 123456, abcdef and the perennial password top every breached-password list.
- Keyboard patterns. qwerty, asdfgh and 1qaz2wsx look random but are in every cracking dictionary.
- Predictable “leetspeak” swaps. Turning password into p@ssw0rd fools nobody — cracking tools apply those substitutions automatically. A short leetspeak word is barely stronger than the plain word.
- Tiny variations between sites. Netflix2026! and Amazon2026! mean one leak exposes the pattern for all of them. Each password must be genuinely independent.
Why a password manager is the real answer
Here is the honest truth: no human can remember a hundred long, unique, random passwords. Trying to means people reuse, write them on sticky notes, or keep them simple — which is precisely the problem. A password manager solves the whole dilemma at once. It generates a different strong password for every site, stores them in an encrypted vault, and fills them in for you, so the only thing you ever memorise is one strong master passphrase.
Both CISA and the FTC recommend password managers as a practical way for ordinary people to use strong, unique passwords everywhere without the memory burden. The major web browsers and Apple and Google now include capable built-in managers, and dedicated apps add features like cross-device sync and breach alerts. Our password manager guide walks through how they work and how to choose one, and the password strength checker lets you see how your current passwords measure up.
The two-password life. Adopt a manager and you really only need to remember two things by heart: the master passphrase for your vault, and the password to your email. Let the manager generate and store everything else as long random strings — you never have to type or recall them.
Check if you have been breached, then add 2FA
Find out whether your details are already circulating. The free, well-respected service Have I Been Pwned (haveibeenpwned.com) lets you enter an email address and see which known data breaches it appeared in. If your address shows up — and most do — change the password on every affected account, making each one unique. Many password managers run this check continuously and warn you automatically.
Finally, add a second lock. Two-factor authentication means that even if a password leaks, an attacker still cannot get in without your second factor — an app code or a security key. Turn it on for your email, your bank and your password manager first. Strong unique passwords plus 2FA is the combination that keeps the overwhelming majority of account takeovers from ever succeeding.
Frequently asked questions
What makes a password strong?
Length and uniqueness, above all. A strong password is long — ideally a passphrase of 12 to 16+ characters or several random words — and used on only one account. Modern NIST guidance favours length over forced complexity, so a long, memorable passphrase like otter-granite-velcro-marigold beats a short string of symbols. The single most important rule is never to reuse a password across sites.
Is a passphrase really safer than a complex password?
Yes. Each extra character multiplies the number of combinations an attacker must try, so a 25-character passphrase made of random words is far harder to crack by brute force than an 8-to-10-character “complex” password — and you can actually remember it. NIST explicitly tells systems to allow long passphrases (up to at least 64 characters) and not to force awkward composition rules.
How often should I change my passwords?
Only when you need to, not on a routine schedule. NIST now advises against forcing periodic password changes, because they push people toward weak, predictable variations. Change a password when it has been part of a data breach, when you suspect it has been exposed, or when a service tells you to. Otherwise, a strong unique password can stay put.
Do I really need a different password for every account?
Yes — this is the most important rule. When one site is breached, attackers automatically try the stolen email-and-password pair on banks, email and shopping sites (credential stuffing). A unique password per site means a single breach can never cascade. Because nobody can memorise dozens of unique passwords, a password manager is the practical way to do this.
How can I check if my password has been leaked?
Use Have I Been Pwned (haveibeenpwned.com), a free service that tells you which known data breaches your email address has appeared in. If it shows up, change the password on every affected account and make each one unique. Many password managers perform this breach monitoring automatically and alert you when a saved password is exposed.
Are the symbol substitutions like @ for a and 0 for o still useful?
Barely. Password-cracking tools automatically apply those “leetspeak” substitutions, so turning password into p@ssw0rd adds almost no real protection. What genuinely helps is length and unpredictability — use several random, unrelated words rather than a single dictionary word dressed up with symbols.
Sources & further reading
- NIST — Digital Identity Guidelines, SP 800-63B (Authentication)
- CISA — Use Strong Passwords (Secure Our World)
- FTC — Password Checklist (Consumer Advice)
This guide is independently produced. We reference primary documentation from device makers and security authorities. Tudug is reader-supported and may earn from ads.