Why Password Strength Still Matters
Despite years of warnings, weak and reused passwords remain one of the most common causes of account breaches. Attackers use brute force (automatically trying millions of guesses, starting with common passwords and dictionary words rather than random combinations, and running at far higher speed offline against a stolen password-hash database than online against a login form) and credential stuffing (replaying username and password pairs leaked from other sites' breaches). A strong, unique password is your first and most important line of defence.
What Makes a Password Strong?
A strong password has several key characteristics:
- Length: At least 12–16 characters. Longer is better: each extra character multiplies the number of possible passwords by the size of the character set, so the search space grows exponentially with length.
- Variety: A mix of uppercase letters, lowercase letters, numbers, and symbols. A larger character set enlarges the per-character choice, but it matters less than length; adding four characters beats adding symbols.
- Unpredictability: No dictionary words, names, dates, or keyboard patterns like qwerty or 123456.
- Uniqueness: Never reused across multiple sites or services.
The Passphrase Approach
One practical method is to use a passphrase: a string of four or more random, unrelated words. For example: correct-horse-battery-staple (this particular example is famous enough to be in every cracking wordlist, so never use it yourself). This approach creates a password that is:
- Long (making it hard to brute force)
- Relatively memorable for humans
- Resistant to guessing only if the words are chosen at random (by dice or a generator), not picked by you; cracking tools also try combinations of common words, so the strength comes from the size of the word list and the number of words, not from the words looking unusual
Many sites require a number or symbol; the separators between words can serve, but another random word adds far more strength than one extra symbol. Avoid obvious phrases, song lyrics, or well-known quotes: these are already in the attackers' wordlists.
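To put numbers on the length, variety and passphrase advice above (and on the "generates strong, random passwords" job a password manager does), here is an added example, not code from the original article, that generates both kinds of secret with Python's `secrets` module and computes the entropy each provides. The eight-word list is a constructed sample; a real generator would load a large list such as the EFF long word list, whose size (7,776 entries) is assumed below.

```python
"""Added example: random passwords and passphrases with entropy estimates.

`secrets` draws from the operating system's CSPRNG; `random` must not be
used for this, because its output is predictable.
"""
import math
import secrets
import string

# Constructed sample word list. A real generator loads a large list; the
# EFF long list has 7,776 entries, which is what makes a word worth ~12.9 bits.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "granite", "otter", "lantern", "pebble"]
EFF_LONG_LIST_SIZE = 7776  # assumed size of a real word list

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `choices` options.

    The search space is choices ** picks, so the entropy is
    picks * log2(choices): linear in the number of picks, hence the
    exponential growth with length mentioned in the article.
    """
    return picks * math.log2(choices)


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random character password of the requested length."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Random passphrase: `count` words chosen uniformly from `words`."""
    if count < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(words) for _ in range(count))


def strength_table() -> dict:
    """Entropy of a few common choices, so they can be compared side by side."""
    return {
        "8 random chars from 94": entropy_bits(len(FULL_ALPHABET), 8),
        "16 random chars from 94": entropy_bits(len(FULL_ALPHABET), 16),
        "4 words from 7776": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 words from 7776": entropy_bits(EFF_LONG_LIST_SIZE, 6),
        "4 words from the 8-word sample": entropy_bits(len(SAMPLE_WORDS), 4),
    }


if __name__ == "__main__":
    print("password  :", generate_password(16))
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    for description, bits in strength_table().items():
        print(f"{description}: {bits:.1f} bits")
```

The table is the point: four words from a 7,776-word list give about 52 bits, roughly the same as eight random characters from the full 94-character set, and six words give about 78 bits; four words from a tiny list give only 12 bits, which is why the list must be large and the words must be drawn from it at random rather than chosen by hand.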
Why You Shouldn't Rely on Memory Alone
The average person has dozens — sometimes hundreds — of online accounts. Memorising a unique, strong password for every one of them is simply not realistic. This is where password managers come in.
A password manager is an application that:
- Generates strong, random passwords for every site
- Stores them in an encrypted vault
- Autofills login fields when you visit a site
- Syncs across your devices
You only need to remember one strong master password to unlock the vault, and a random passphrase is ideal for that job. Well-known options include Bitwarden (open-source, with a free tier), 1Password, and Dashlane.
Common Password Mistakes to Avoid
- Using personal information — birthdays, pet names, or your street address can be guessed by anyone who knows a little about you.
- Reusing passwords — if one site is breached, attackers will try your credentials everywhere else.
- Simple substitutions — replacing "a" with "@" or "o" with "0" is a well-known trick; password-cracking tools apply exactly these substitutions automatically through rule sets, so "P@ssw0rd" falls as fast as "password".
- Saving passwords in your browser insecurely — browser-saved passwords are typically readable by any program running under your user account, so they are exposed on a compromised or shared device; a dedicated manager with a master password and automatic locking is the safer option.
- Writing passwords in plain text — a sticky note on your monitor or a plain notes file is not secure storage.
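The mistakes above are exactly what a password checker should reject before a weak choice is accepted. The following is an added example, not code from the original article: a small checker that undoes leetspeak substitutions the way cracking rule sets do, strips the trailing year-and-symbol pattern, looks for keyboard runs, matches supplied personal terms, and consults a breached-password set. The dictionary, keyboard rows and breach set are constructed samples; a real deployment would use a full word list and query a breach corpus.

```python
"""Added example: rejecting the common password mistakes listed above."""
import re

# Constructed samples standing in for a full dictionary, the keyboard layout
# and a breach corpus (a real check would look up a full breach data set).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "summer", "football"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
BREACHED = {"Summer2023!", "P@ssw0rd", "Welcome1"}

# The substitutions cracking rule sets undo; we undo them the same way.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def core_word(pw: str) -> str:
    """Lowercase, drop leading/trailing digit-and-symbol runs ('Summer2023!'),
    then undo leetspeak ('P@ssw0rd' -> 'password')."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def has_keyboard_run(pw: str, min_run: int = 4) -> bool:
    """True if `min_run` adjacent keys from one keyboard row appear in order."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            if row[i:i + min_run] in low:
                return True
    return False


def check_password(pw: str, personal_terms=()) -> list:
    """Return the problems found. An empty list means no check fired, which
    does not by itself make the password strong."""
    problems = []
    if len(pw) < 12:
        problems.append("too short (use at least 12 characters)")
    if pw in BREACHED:
        problems.append("appears in a breach corpus")
    core = core_word(pw)
    if core in COMMON_WORDS:
        problems.append(f"dictionary word with trivial substitutions ({core})")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard pattern")
    low, unleet = pw.lower(), pw.lower().translate(LEET)
    for term in personal_terms:  # birthdays, pet names, street names, ...
        t = term.lower()
        if t and (t in low or t in unleet):
            problems.append(f"contains personal information ({term})")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Summer2023!", "Qwerty123456!",
                      "correct-horse-battery-staple"]:
        print(candidate, "->", check_password(candidate) or "no issues found")
    print(check_password("Fluffy-Oct-1987-Lane", personal_terms=["Fluffy", "1987"]))
```

Note the asymmetry: the checker can prove a password weak, but passing it proves nothing about strength. Rejecting known-bad choices is a floor; the generator from the previous section is what actually produces strong ones.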
Add a Second Layer: Two-Factor Authentication
Even the strongest password can be stolen through phishing or a data breach. Two-factor authentication (2FA) adds a second verification step, such as a code from an authenticator app or, better, a hardware security key or passkey, so an attacker needs both your password and your second factor. Know the limits of each kind: SMS codes can be intercepted by SIM swapping, and app-generated codes can be relayed by a phishing page in real time, because the code says nothing about which site it was typed into; only FIDO2 security keys and passkeys are bound to the genuine site and resist phishing. Enable 2FA on every account that supports it, especially email (a password reset for everything else goes through it), banking, and social media.
Quick Reference: Password Do's and Don'ts
| Do | Don't |
|---|---|
| Use 12+ characters | Use your name or birthday |
| Use a password manager | Reuse the same password |
| Enable 2FA everywhere | Use keyboard patterns (qwerty) |
| Use random passphrases | Store passwords in plain text |
Getting Started Today
The best time to improve your password hygiene was yesterday. The second best time is now. Start by signing up for a reputable password manager, then work through your most important accounts — email, banking, and any account tied to your payment details — and update each one with a unique, generated password. Small steps compound into much stronger security over time.