Why Password Strength Still Matters
Despite years of warnings, weak and reused passwords remain one of the leading causes of account breaches. Attackers don't need to be sophisticated — they often simply try credentials leaked from one service against dozens of others. A strong, unique password for every account is the single most impactful security habit you can build.
What Makes a Password "Strong"?
A strong password has three main qualities:
- Length: At least 12 characters, ideally 16 or more. Length matters more than complexity.
- Unpredictability: No dictionary words, names, dates, or keyboard patterns (like "qwerty123").
- Uniqueness: Never reused across different accounts.
Modern password-cracking tools can test billions of combinations per second. A short, complex password (e.g., "P@ss!1") can be cracked faster than a long, random passphrase (e.g., "correct-horse-battery-staple").
The Passphrase Method
Passphrases — strings of 4–6 random words — are long, memorable, and strong. They work because length dramatically increases entropy. Here's how to create one:
- Pick 4–5 completely unrelated words at random (avoid phrases from songs or movies)
- Separate them with hyphens, spaces, or symbols
- Optionally add a number or capital letter
Example: amber-lantern-fork-cloud7 is far stronger than P@ssword1!
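To make the entropy argument above concrete, here is an added example that is not part of the original article. It computes the entropy of a random-character password versus a random-word passphrase, estimates brute-force time at an assumed guess rate, and generates a passphrase with Python's `secrets` module rather than `random`. It generalizes the article's comparison: the same function covers any pool size and length. Assumptions: the eight-word list is constructed for illustration only, the 7776-word pool is the size of a standard diceware-style list, and the guess rate of 10^10 per second stands in for the "billions per second" figure above.

```python
import math
import secrets

# Constructed mini word list for demonstration only. Real passphrases should be
# drawn from a large list (a diceware-style list has 7776 words); the pool size
# is a parameter below so the arithmetic applies to any list.
SAMPLE_WORDS = ["amber", "lantern", "fork", "cloud", "granite", "velvet", "orbit", "mango"]

DICEWARE_POOL = 7776             # 6^5 words, the size of a standard diceware list
PRINTABLE_POOL = 94              # printable ASCII excluding space
ASSUMED_GUESSES_PER_SEC = 1e10   # assumption standing in for "billions per second"


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` picks made uniformly and independently from `pool_size` symbols.

    This only holds when every pick is truly random. Words taken from a lyric or
    a quote are strongly correlated and carry far fewer bits than this formula says.
    """
    return length * math.log2(pool_size)


def seconds_to_crack(bits: float, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Expected brute-force time: on average half the keyspace is tried before a hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Build a passphrase from `count` words chosen with the OS CSPRNG.

    secrets.choice is used deliberately: random.choice is driven by a small,
    predictable state and is unsuitable for anything security-related.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(password_len: int, word_count: int, word_pool: int = DICEWARE_POOL):
    """Return {kind: (bits, seconds)} for a random-character password and a random-word passphrase."""
    pw_bits = entropy_bits(PRINTABLE_POOL, password_len)
    pp_bits = entropy_bits(word_pool, word_count)
    return {
        "password": (pw_bits, seconds_to_crack(pw_bits)),
        "passphrase": (pp_bits, seconds_to_crack(pp_bits)),
    }


if __name__ == "__main__":
    # The article's contrast: a 6-character "complex" password vs. a 4-word passphrase.
    for label, (bits, secs) in compare(password_len=6, word_count=4).items():
        print(f"{label:10s} {bits:6.1f} bits  ~{human_duration(secs)} to brute-force")
    # Going further: 5 and 6 words, as the passphrase section recommends.
    for n in (5, 6):
        bits = entropy_bits(DICEWARE_POOL, n)
        print(f"{n} words     {bits:6.1f} bits  ~{human_duration(seconds_to_crack(bits))}")
    print("sample passphrase (from the tiny demo list):", generate_passphrase(SAMPLE_WORDS))
```

Run as a script, the comparison shows the six-character password at roughly 39 bits and the four-word passphrase at roughly 52 bits; each extra random word adds about 13 bits, so five or six words put brute force out of reach at the assumed rate. The numbers only apply to words chosen at random from the whole list, which is why the article insists on unrelated words rather than a line from a song.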
Use a Password Manager — Seriously
The real answer to strong, unique passwords is a password manager. It generates, stores, and autofills complex passwords so you only need to remember one master password. Reputable options include:
- Bitwarden — open-source, free tier is excellent, cross-platform
- 1Password — polished UX, great for families and teams
- KeePassXC — fully local, no cloud sync, maximum control
What to Avoid
| Bad Practice | Why It's Risky |
|---|---|
| Using your name or birthdate | Easily guessed or found on social media |
| Reusing passwords | One breach exposes all accounts |
| Storing passwords in plain text | Vulnerable if your device is compromised |
| Using "Password1!" | Meets complexity rules but is widely known to attackers |
| Sharing passwords via email/chat | Leaves a permanent, insecure record |
Layer Up: Add Two-Factor Authentication
Even the strongest password can be phished. Two-factor authentication (2FA) adds a second layer of verification — typically a time-based code from an authenticator app (like Aegis or Google Authenticator). Even if an attacker has your password, they can't log in without the second factor.
Enable 2FA on every account that offers it, prioritizing email, banking, and social media accounts first.
Quick Action Checklist
- Install a reputable password manager
- Change reused passwords to unique, generated ones — start with your email account
- Enable 2FA on critical accounts
- Check if your email has appeared in known data breaches (via haveibeenpwned.com)
- Never share passwords — use a manager's secure sharing feature if needed
Good password hygiene isn't about being paranoid — it's about making yourself a harder target than the next person. Most attackers go for easy wins, and a few simple habits take you out of that category entirely.