How to create strong passwords
Simple, practical rules for creating passwords that are genuinely hard to crack — without needing to memorize complex strings.
A weak password is like leaving your front door unlocked. Attackers can crack common passwords in seconds using automated tools. The good news: strong passwords follow simple rules, and a password manager means you only need to remember one.
Quick summary
A strong password is long (at least 16 characters), random, and unique to each account. Never reuse passwords across sites. The easiest way to do this is to let a password manager generate and store them for you — you only memorize one master password.
What makes a password strong?
Three things matter most:
Length — Length beats complexity. A 20-character passphrase of random words is far stronger than the 8-character password with a symbol or two tacked on that most people actually pick, and it is easier to remember.
Randomness — Avoid anything predictable: names, birthdays, common words, keyboard patterns like qwerty or 123456.
Uniqueness — Every account needs a different password. If one site is breached, attackers try those credentials everywhere else. This is called credential stuffing.
The two best approaches
Random passwords (best with a manager)
Let a password manager generate something like:
T7$mKw#pLq2!xNv8
You never need to remember it — the manager fills it in for you. This is the strongest option.
Passphrases (good for things you must remember)
Chain four or more unrelated words:
correct-horse-battery-staple
Long, memorable, and surprisingly hard to crack, provided the words are picked at random rather than chosen by you. Don't use this exact phrase: it comes from a famous comic strip and is in every cracking wordlist. Good for your master password or any other password you must type from memory, such as your computer login.
Passwords to avoid
These are the first things attackers try:
- Your name, company name, or domain
- Common words: password, Password1, letmein, welcome
- Keyboard walks: qwerty, 123456, asdfgh
- Dates: birthdays, anniversaries, founding years
- Anything you've used before on another site
- Simple substitutions: P@ssw0rd is not secure. Attackers know that trick, and cracking tools undo it automatically.
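To show why the patterns above are the first things cracked, here is a small checker (an added example, not code from this guide) that does what a cracking rule set does: it lowercases the password, strips the trailing "1!" people tack on, undoes common letter substitutions, and then compares the result against a blocklist, keyboard rows, a caller-supplied list of personal words (name, company, domain) and a four-digit year. The blocklist, keyboard rows and substitution table are deliberately tiny and are assumptions for the demo; real tools use full leaked-password lists and far richer rules.

```python
import re

# Constructed mini-blocklist; real checkers use the full leaked-password lists.
COMMON_WORDS = {"password", "letmein", "welcome", "admin", "qwerty",
                "iloveyou", "monkey", "dragon", "football"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "1qaz2wsx3edc"]
# The substitutions attackers undo first. Real cracking rule sets try many
# more mappings, in both directions; this is a minimal assumed set.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Lowercase, drop trailing digits/symbols (the 'Password1!' pattern),
    then undo leetspeak so 'P@ssw0rd' collapses to 'password'."""
    low = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)
    return (stripped or low).translate(LEET)


def weak_reasons(password, context=()):
    """Return the reasons a password is weak; an empty list means no finding.
    `context` holds words an attacker would guess for this user, such as a
    name, company or domain."""
    reasons = []
    low = password.lower()
    core = normalize(password)
    if len(password) < 16:
        reasons.append("shorter than 16 characters")
    if core in COMMON_WORDS:
        reasons.append(f"common word once substitutions are undone: {core!r}")
    # Check the raw, trailing-stripped and normalized forms for keyboard walks
    # in either direction (qwerty, ytrewq, 123456, 654321 ...).
    candidates = {low, re.sub(r"[^a-z]+$", "", low) or low, core}
    for row in KEYBOARD_ROWS:
        if any(len(c) >= 4 and (c in row or c in row[::-1]) for c in candidates):
            reasons.append("keyboard walk")
            break
    for word in context:
        if word.lower() in low:
            reasons.append(f"contains {word!r}")
    if re.search(r"(?:19|20)\d{2}", password):
        reasons.append("contains a year")
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "qwerty123", "Acme2019!", "T7$mKw#pLq2!xNv8"]:
        print(pw, "->", weak_reasons(pw, context=["Acme"]) or "no findings")
```

The point of `normalize` is that the "clever" variants are not separate guesses for an attacker: one rule turns the whole family of P@ssw0rd, Password1 and password! back into the single entry "password".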
Setting your master password
If you use a password manager, you need one very strong password that you actually memorize. Use a passphrase for this:
Pick four or more unrelated words. Think of things that don't naturally go together: thunder, library, orange, kettle.
Join them with hyphens or spaces. thunder-library-orange-kettle
Add a number and special character if the service requires it. thunder-library-orange-kettle7!
Write it down once and store it somewhere physically safe — not on a sticky note on your monitor. A locked drawer or a home safe works well.
Practice it a few times until it feels natural.
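The two approaches above (a manager-generated random password, and a passphrase of random words for the master password) both come down to the same thing: independent draws from a cryptographically secure random source, where the strength is set by how many draws you make and how many options each draw has. The following generator is an added example, not the code of any password manager. It uses Python's `secrets` module (the `random` module is not suitable for passwords), and its 32-word list is a constructed stand-in for the 7,776-word lists real passphrase generators use; the entropy figures in `compare_strengths` assume such a real list and a generator, not a human, doing the picking.

```python
import math
import secrets
import string

# Constructed sample word list for an offline demo. Real passphrase
# generators use a list of thousands of words (the EFF long list has 7,776);
# the size of the list is what sets the entropy per word.
SAMPLE_WORDS = [
    "thunder", "library", "orange", "kettle", "granite", "velvet", "harbor",
    "pencil", "walrus", "cactus", "meadow", "saddle", "copper", "lantern",
    "ribbon", "glacier", "magnet", "pillow", "turnip", "anchor", "biscuit",
    "falcon", "marble", "quartz", "tunnel", "vortex", "willow", "zebra",
    "basket", "canyon", "dolphin", "ember",
]  # 32 words -> log2(32) = 5 bits per word
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def random_password(length=16, alphabet=ALPHABET):
    """Random password from a CSPRNG. Rejection-samples until the result has
    a letter, a digit and a symbol (what most sites require), which keeps the
    accepted outputs uniform instead of forcing fixed positions."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


def passphrase(words=5, wordlist=SAMPLE_WORDS, sep="-"):
    """Diceware-style passphrase: each word is an independent uniform draw,
    so the strength is words * log2(len(wordlist)) bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_strengths():
    """Entropy of the schemes the guide discusses, assuming a real generator
    and a 7,776-word list."""
    return {
        "8 chars, 95 printable ASCII": entropy_bits(95, 8),
        "16 chars, 95 printable ASCII": entropy_bits(95, 16),
        "4 words, 7776-word list": entropy_bits(7776, 4),
        "5 words, 7776-word list": entropy_bits(7776, 5),
        "6 words, 7776-word list": entropy_bits(7776, 6),
    }


if __name__ == "__main__":
    print("random password:", random_password())
    print("passphrase:", passphrase())
    for label, bits in compare_strengths().items():
        print(f"{label}: {bits:.1f} bits")
```

Two things the numbers make concrete: four random words from a 7,776-word list (about 52 bits) roughly match eight fully random printable characters, and each extra word adds about 13 bits, so five or six words is where a memorable passphrase pulls clearly ahead. Those figures only hold if the words are drawn by the generator; words you think of yourself are far more guessable than the arithmetic suggests.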
Checking if a password has been breached
The website Have I Been Pwned lets you check whether your email address or a specific password has appeared in a known data breach. It is free and reputable. Many password managers do this check automatically.
Don't check your live passwords directly
When using Have I Been Pwned to check a password (not your email), the site uses a technique called k-anonymity: your browser hashes the password locally and sends only the first five characters of that hash to the server, which replies with every matching hash fragment it knows, and the comparison happens on your own machine. The full password never leaves your device. Even so, as a general rule, don't paste active passwords into websites you haven't vetted.
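The exchange described above, as an added example that is not the site's own code: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the Pwned Passwords range endpoint, and looks for the remaining 35 characters in the `SUFFIX:COUNT` lines the server returns. The server never sees more than a prefix shared by hundreds of other passwords. `live_fetch_range` performs the real HTTPS request; `sample_fetch_range` is a constructed stand-in with made-up counts so the example runs offline.

```python
import hashlib
import urllib.request

# Real endpoint: GET /range/<first 5 hex chars of the SHA-1 hash>
API = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split the hex digest into the 5-char prefix
    that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in known breaches (0 if none).
    `fetch_range(prefix)` returns the server's text body for that prefix."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)          # only the 5-char prefix leaves the machine
    return parse_range(body).get(suffix, 0)   # comparison happens locally


def live_fetch_range(prefix):
    """Real lookup over HTTPS (not used by the offline demo below)."""
    with urllib.request.urlopen(API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sample_fetch_range(prefix):
    """Constructed stand-in for the server. It returns the same three lines
    for any prefix; the counts are invented, but the middle suffix is the
    genuine SHA-1 suffix of 'password' (full hash 5BAA61E4...8FD8)."""
    _, pw_suffix = split_hash("password")
    lines = [
        "003D68EB55068C33ACE09247EE4C639306B:3",
        pw_suffix + ":3861493",
        "01330C689E5D64F660D6947A93AD634EF8F:1",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ["password", "thunder-library-orange-kettle7!"]:
        print(pw, "->", breach_count(pw, sample_fetch_range), "breaches (sample data)")
```

SHA-1 is fine here because it is not protecting the password; the protection is that only a five-character prefix is transmitted, and that prefix maps to a bucket of hundreds of hashes rather than to one password.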
How to update weak passwords across your accounts
If you currently use weak or reused passwords, here is how to fix it without getting overwhelmed:
Start with your most important accounts — email, banking, your website admin, your hosting account.
Install a password manager if you haven't already. See Why you need a password manager.
Use the manager's built-in password generator to create a new, strong password for each account.
Change one or two accounts per day rather than all at once. Prioritize high-risk accounts first.
Related guides
- Why you need a password manager
- Choosing a password manager
- Two-factor authentication, explained
- Your business security checklist
- What to do if an account is compromised