How to Create a Strong Password

Weak passwords are the number one way accounts get compromised. Here is how to create passwords that are actually strong and how to manage them.

Published 2019-08-15 by TechNet New England

Most people know they should use strong passwords. Most people also reuse the same password across multiple accounts. This guide explains what actually makes a password strong and how to manage passwords without losing your mind.

## What Makes a Password Strong

**Length matters more than complexity.** A 16-character password made of random words is stronger than an 8-character password with special characters.

`correct-horse-battery-staple` is stronger than `P@ssw0rd!`. The first is 28 characters and would take centuries to crack. The second is 9 characters and appears in every password dictionary.

## Rules for Strong Passwords

1. **At least 14 characters.** Longer is better.
2. **Do not use personal information.** No names, birthdays, pet names, addresses, or phone numbers.
3. **Do not use common words or patterns.** "password," "123456," "qwerty," "admin," and "letmein" are in every attacker's dictionary.
4. **Do not reuse passwords.** Every account should have a unique password. If one account is breached, the others remain safe.
5. **Use a mix of characters if required.** Uppercase, lowercase, numbers, symbols. But length is more important than complexity.

## The Passphrase Method

A passphrase is a string of random, unrelated words that is long but easy to remember. Examples:

- `purple-elephant-sandwich-telescope`
- `correct-horse-battery-staple`
- `notebook-river-airplane-cactus-seven`

These are long, random, and much harder to guess than short complex passwords. They are also easier to type.

## Use a Password Manager

A password manager generates, stores, and fills in unique passwords for every account. You only need to remember one master password for the password manager itself.

Popular options:

- **Bitwarden** (free and paid tiers, open source).
- **1Password** (paid, popular for businesses).
- **LastPass** (free and paid tiers).
- **Apple Keychain** (built into Mac, iPhone, iPad).
- **Google Password Manager** (built into Chrome).
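The passphrases above and the random passwords a manager generates rest on the same two ingredients: a cryptographically secure random source and a large enough pool to draw from. The Python script below is an added example, not code from this article or from any of the password managers listed. It generates both kinds of password, estimates their entropy on the assumption that every word or character is chosen uniformly at random (true of a generated password, not of a human-chosen one such as `P@ssw0rd!`), and checks the rules from the previous sections against a small constructed dictionary. The 16-word list and the dictionary are constructed inputs for the example; the 7776-word figure refers to the published EFF long wordlist. With the tiny list a five-word passphrase reaches only 20 bits, which is why a real word list needs thousands of entries.

```python
import math
import secrets
import string

# --- Generation -----------------------------------------------------------

# Constructed mini word list so the example runs offline. For real use load a
# large published list (e.g. the EFF long wordlist, 7776 words): each word adds
# log2(list size) bits, so a bigger list means fewer words for the same strength.
WORDS = [
    "purple", "elephant", "sandwich", "telescope", "notebook", "river",
    "airplane", "cactus", "seven", "correct", "horse", "battery", "staple",
    "lantern", "marble", "orbit",
]

# Character pool a password manager draws from: 26 + 26 + 10 + 32 = 94 symbols.
POOL = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words, n_words=4, sep="-"):
    """Pick n_words uniformly at random using the OS CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_random_password(length=20, pool=POOL):
    """Manager-style password like the kT9#mP2$vL6@nQ4&wR8 shown in the article."""
    return "".join(secrets.choice(pool) for _ in range(length))


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n_words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def random_password_entropy_bits(length, pool_size=len(POOL)):
    """Entropy of `length` characters chosen uniformly from pool_size symbols."""
    return length * math.log2(pool_size)


def words_needed(target_bits, list_size):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


# --- Checking the article's rules -----------------------------------------

MIN_LENGTH = 14  # rule 1

# Constructed, deliberately tiny stand-in for an attacker's dictionary (rule 3).
COMMON_WORDS = {"password", "123456", "qwerty", "admin", "letmein"}

# Cracking tools undo leetspeak substitutions automatically, so the check does
# too: "P@ssw0rd!" is evaluated as "passwordi", which contains "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})


def check_password(password):
    """Return the names of the rules the password fails; an empty list passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    normalized = password.lower().translate(LEET)
    if any(word in normalized for word in COMMON_WORDS):
        failures.append("common_word")
    return failures


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDS, 5))
    print("random:    ", generate_random_password(20))
    print("5 words from a 7776-word list: %.1f bits" % passphrase_entropy_bits(5, 7776))
    print("8 random chars from 94 symbols: %.1f bits" % random_password_entropy_bits(8))
    print("words needed for 64 bits with 7776 words:", words_needed(64, 7776))
    for pw in ("P@ssw0rd!", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw) or "passes")
```

Running it reports `too_short` and `common_word` for `P@ssw0rd!` and no failures for `correct-horse-battery-staple`. `check_password` cannot enforce rules 2 and 4 (no personal information, no reuse) because they depend on the user and on their other accounts; keeping every password unique is exactly what a password manager does for you.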
With a password manager, every account gets a unique, randomly generated password that looks like `kT9#mP2$vL6@nQ4&wR8`. You never need to remember it. The password manager fills it in automatically.

## Enable MFA

Even the strongest password can be stolen through phishing or a data breach. Multi-factor authentication (MFA) adds a second verification step that protects your account even if the password is compromised.

Enable MFA on every account that supports it, especially email, banking, cloud storage, and any account with access to sensitive data.

## What to Do If You Think a Password Was Compromised

1. Change the password immediately.
2. Check for unauthorized activity on the account.
3. If you used the same password on other accounts, change those too.
4. Enable MFA if it is not already on.
5. Check haveibeenpwned.com to see if your credentials appeared in a known breach.
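Step 5 can be done without sending the password itself anywhere. The Pwned Passwords range API behind haveibeenpwned.com takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix in that range with a breach count; the comparison happens on your own machine. The Python below is an added example, not code from this article or from Have I Been Pwned. The `SAMPLE_RANGE_5BAA6` response and its counts are constructed so the example runs offline; only `fetch_range`, which is not exercised here, would contact the live service.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint. Only the 5-character hash prefix is sent
# (k-anonymity); the response lists SUFFIX:COUNT for every hash in that range.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, timeout=10):
    """Live lookup (not used offline): GET RANGE_URL + prefix, one SUFFIX:COUNT per line."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix, range_response):
    """Find our suffix in the returned range; 0 means the hash is not in the data set."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password, range_response=None):
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_response is None:
        range_response = fetch_range(prefix)  # only the prefix leaves the machine
    return count_in_range(suffix, range_response)


# Constructed sample of a range response for prefix 5BAA6, the range that holds
# SHA-1("password"). Counts and the two filler suffixes are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F6A2E4E1A5C9A4B2D8C7F0E3B1A9D6C5F4:1
"""

if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple"):
        prefix, _ = sha1_prefix_suffix(pw)
        print(pw, "-> prefix sent:", prefix,
              "-> seen in breaches:", breach_count(pw, SAMPLE_RANGE_5BAA6))
```

Against the constructed sample, `password` is reported 12345 times and `correct-horse-battery-staple` is not found; a live run would fetch the real range for each prefix instead. A found password should be treated as compromised and replaced regardless of the count.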