Why Password Strength Matters More Than Ever
Data breaches expose billions of credentials every year. When attackers obtain a password database, they do not guess through the login form; they run cracking tools offline against the stored hashes. If the site used a fast hash such as MD5 or NTLM, a single multi-GPU rig tests billions of guesses per second; if it used a deliberately slow password hash such as bcrypt or Argon2, far fewer. You do not get to choose which the site used, so plan for the worst case. A weak password falls in seconds. A strong one outlasts the attacker. Understanding what makes a password strong is the foundation of good digital security.
What Makes a Password Weak?
Avoid these common pitfalls:
- Short length: Brute force tries every combination, and the number of combinations grows exponentially with each added character. Against a fast hash, any password under 10 characters is within reach of a well-resourced attacker no matter which symbols it uses.
- Dictionary words: Words like "sunshine," "dragon," or "password" are among the first tested, and cracking tools apply rule sets that automatically try capitalized, reversed, and suffixed variants (Dragon, dragon1, dragon!) as well.
- Predictable substitutions: Replacing "a" with "@" or "o" with "0" is well known to attackers; "leetspeak" is a standard rule set, so p@ssw0rd is tested right after password.
- Personal information: Birthdates, names, and pet names are easy to guess or to research from social media.
- Reuse: Using the same password across sites means one breach compromises everything, because leaked username and password pairs are replayed against other services (credential stuffing).
The Anatomy of a Strong Password
A truly strong password has the following characteristics:
| Property | Recommendation |
|---|---|
| Length | At least 14–16 characters; longer is always better |
| Character variety | Mix of uppercase, lowercase, numbers, and symbols, but only if the characters are chosen at random; a capital first letter and a digit at the end is a pattern, not variety, and length contributes more than variety does |
| Randomness | Produced by a generator, not invented in your head; no recognizable words, patterns, or sequences |
| Uniqueness | Never reused across any two accounts |
The Passphrase Method
A passphrase is a sequence of four or more words drawn at random from a large word list and strung together. "Drawn at random" is the important part: words you pick yourself (favourite things, a line from a song) are nowhere near random. The classic illustration is correct-horse-battery-staple, which is by now in every cracking wordlist and must never be used itself. Passphrases are:
- Long — naturally 20+ characters without effort.
- Memorable — easier to recall than a string of random characters.
- Strong — when each word comes from a list of about 7,800 entries (the EFF long wordlist has 7,776), four words give roughly 52 bits of entropy, about the same as 8 fully random characters; six words give roughly 78 bits. Use six or more for anything important.
Add a number or symbol between words to satisfy sites with complexity requirements: correct-7horse!battery-staple. Put it somewhere other than the very end, which is where rule-based cracking tries digits and symbols first.
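The table of strong-password properties and the passphrase figures above both reduce to one formula: entropy in bits equals the number of random choices multiplied by log2 of the pool each choice came from, and expected cracking time is half that keyspace divided by the attacker's guess rate. The following Python is an example added here, not code from the original page. It computes entropy for character passwords and passphrases and turns it into an expected cracking time at two assumed guess rates; the 1e11 and 1e5 guesses-per-second figures are constructed order-of-magnitude assumptions, not measurements, and the character-pool estimate is the usual strength-meter approximation that is only valid for randomly generated passwords.

```python
import math
import string

# Assumed guess rates (constructed order-of-magnitude figures, not from the
# article): a multi-GPU rig against a fast unsalted hash such as NTLM or MD5,
# versus the same rig against a deliberately slow password hash such as
# bcrypt at a moderate work factor.
FAST_HASH_GUESSES_PER_SEC = 1e11
SLOW_HASH_GUESSES_PER_SEC = 1e5


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password.

    This is the approximation strength meters use. It is only meaningful for
    passwords whose characters were drawn at random: a human-chosen
    'P@ssw0rd1' is credited with the full 94-symbol pool here, yet falls to
    a rule-based dictionary attack almost instantly.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # the 32 printable ASCII symbols
    return pool


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list.

    A fixed separator or capitalization scheme adds nothing; only the random
    choices count.
    """
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_sec: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_sec


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "less than a second"


def report(label: str, bits: float) -> dict:
    """Summarise one candidate: entropy plus crack time under both hash speeds."""
    return {
        "label": label,
        "bits": round(bits, 1),
        "fast_hash": human_duration(expected_crack_seconds(bits, FAST_HASH_GUESSES_PER_SEC)),
        "slow_hash": human_duration(expected_crack_seconds(bits, SLOW_HASH_GUESSES_PER_SEC)),
    }


def compare_candidates() -> list:
    """The comparison the text argues for: length beats character variety."""
    return [
        report("8 random chars, full 94-symbol pool", password_entropy_bits(8, 94)),
        report("12 random lowercase letters", password_entropy_bits(12, 26)),
        report("16 random chars, full 94-symbol pool", password_entropy_bits(16, 94)),
        report("4 random words, 7,776-word list", passphrase_entropy_bits(4, 7776)),
        report("6 random words, 7,776-word list", passphrase_entropy_bits(6, 7776)),
    ]


if __name__ == "__main__":
    for row in compare_candidates():
        print(f"{row['label']:<40} {row['bits']:>6} bits   "
              f"fast hash: {row['fast_hash']:<18} slow hash: {row['slow_hash']}")
```

Two things stand out when the table is printed: 12 random lowercase letters (about 56 bits) beat 8 random characters from the full symbol pool (about 52 bits), and the same 8-character password that falls in hours against a fast hash survives for centuries against a slow one. Since you cannot see which hash a site uses, the length column is the one you control.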
Using a Password Generator
For accounts where you don't need to memorize the password (most accounts), use a random password generator. Most password managers include one, and they draw from the operating system's cryptographic random source, whereas a password you "randomly" type yourself is anything but. A good generated password looks like: Xk#9mP2@vLqR7!nT. Sixteen characters drawn from the 94 printable ASCII symbols carry about 105 bits of entropy, far beyond any feasible brute force.
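How such a generator should draw its characters, as an added example that is not part of the original page: the Python below uses the `secrets` module (the OS cryptographic random source) to produce both a random character password and a diceware-style passphrase, and shows how to meet a site's "one of each class" rule without introducing structure an attacker could model. The 32-word list is constructed for the demo and is an assumption; with it each word adds only 5 bits, so a real passphrase generator must use a large published list such as the EFF long wordlist (7,776 words, about 12.9 bits per word).

```python
import secrets
import string

# Constructed miniature wordlist for the demo (assumption: a real generator
# should load a published list such as the EFF long wordlist, 7,776 entries,
# so that each word contributes about 12.9 bits rather than the 5 bits that
# 32 words give).
DEMO_WORDLIST = [
    "anchor", "blossom", "cactus", "dolphin", "ember", "falcon", "glacier",
    "harbor", "iguana", "jasmine", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ripple", "saddle", "tundra", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "bramble", "copper", "drizzle",
    "feather", "granite", "hollow", "juniper",
]

# The 94 printable ASCII characters, excluding space.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Random password: every position drawn independently and uniformly.

    secrets.choice reads the OS CSPRNG and uses rejection sampling internally,
    so there is no modulo bias toward the start of the alphabet. Never use
    random.choice for this: the Mersenne Twister is not a cryptographic
    generator and its state can be recovered from a few hundred outputs.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def has_all_classes(password: str) -> bool:
    """True if the password contains lowercase, uppercase, a digit and a symbol."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return all(any(c in cls for c in password) for cls in classes)


def generate_password_with_classes(length: int = 16) -> str:
    """Satisfy 'must contain upper, lower, digit, symbol' rules without bias.

    Forcing a symbol into a fixed position, or shuffling one of each class
    into the string, creates structure an attacker can model. Rejection
    sampling keeps every accepted password equally likely: draw a uniform
    password and discard it if it misses a class. At length 12 or more the
    vast majority of draws pass, so this terminates almost immediately.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to hold all four classes")
    while True:
        candidate = generate_password(length)
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(word_count: int = 6, wordlist=DEMO_WORDLIST,
                        separator: str = "-") -> str:
    """Diceware-style passphrase: words drawn uniformly, with replacement.

    Drawing with replacement is deliberate: excluding repeats would shrink the
    keyspace slightly and make the entropy calculation depend on the draw.
    """
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print("password:           ", generate_password(16))
    print("with all classes:   ", generate_password_with_classes(16))
    print("passphrase (demo):  ", generate_passphrase(6))
```

The one thing not to do is build your own mapping from random bytes to characters with `byte % len(alphabet)`: 256 is not a multiple of 94, so the first 256 mod 94 symbols come up more often, and a cracker that knows the generator can prioritise them. `secrets.choice` (and `secrets.randbelow`) already handle this correctly.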
Passwords You Should Never Use
- 123456, password, qwerty, abc123
- Your name + birth year (e.g., john1990)
- The name of the site you're signing up for, alone or with a suffix (e.g., facebook2024)
- Any single dictionary word, with or without character substitutions or a trailing digit
- Keyboard patterns (e.g., qwerty, zxcvbn)
How Often Should You Change Passwords?
Modern security guidance, including NIST SP 800-63B, has moved away from mandatory periodic password changes: forced rotation pushes people toward predictable variants (Winter2023!, Winter2024!) that cracking rules try first. Current best practice is:
- Change a password immediately when a breach is confirmed or suspected, and change it everywhere else you had reused it.
- Change it if you've shared it with someone who no longer needs access.
- Otherwise, a strong, unique password does not need to be changed on a schedule.
Putting It All Together
The most practical approach: use a password manager to generate and store unique, random passwords for every account. You only need to memorize one strong master password; use the passphrase method for it, with six or more randomly chosen words, since that one secret protects everything else. This combination is both highly secure and easy to maintain day-to-day.