Most people know their passwords should be strong. Fewer know what that actually means. A password that feels strong — one that has a capital letter, a number, and a symbol — may still be cracked in hours if it follows a predictable pattern. This guide covers the properties that make passwords genuinely hard to break, what to avoid, and how to manage them without going mad.
Length Matters More Than Complexity
The single most important property of a password is length. Each additional character multiplies the number of possible combinations an attacker has to check. A 20-character password made of only lowercase letters has more possible values than a 10-character password that uses every character class. Modern GPUs can check billions of passwords per second — short passwords, no matter how complex, fall in hours.
For routine accounts, 12 to 16 characters is a reasonable minimum. For critical accounts — email, banking, your password manager — aim for 20 or more. If a service caps passwords at 8 or 10 characters, that is a red flag about their security practices.
Which Characters to Include
Using all four character classes — uppercase, lowercase, digits, and symbols — adds meaningful entropy per character. Symbols like !, @, and # are not magic; they help because they expand the character set an attacker has to consider. But extra length gives more benefit than extra complexity per character, so if you have to choose between a 16-character lowercase-only password and a 10-character mixed-everything password, pick the longer one.
- Uppercase A–Z adds 26 characters to the possible set.
- Digits 0–9 add 10.
- Common symbols add 32 or more depending on which set is allowed.
- Some sites block certain symbols — if a site rejects a generated password, turn symbols off in your manager's generator and compensate with extra length.
Patterns to Avoid
Attackers rarely try every possible combination in order — beyond a handful of characters that takes far too long. Instead, they use wordlists and rule sets that encode how humans actually choose passwords. Dictionary words, names, sports teams, dates, and keyboard patterns (qwerty, 123456, asdfgh) all appear early in these lists. Common substitutions — P@ssw0rd, L3tMe1n — are also in every serious cracking ruleset.
- Avoid any word that appears in a dictionary, in any language.
- Do not use names, birthdays, anniversaries, or addresses.
- Keyboard walks (qwerty, 12345) are cracked in seconds.
- Do not append a number or year to a word — it is the first thing rules try.
- Do not use the same password, or obvious variations, across multiple sites.
Using a Password Manager
The practical solution to strong passwords is a password manager. A manager generates and stores a unique, random password for every account, so you only need to remember one master password. Free options include Bitwarden (open source, cross-platform) and KeePass (local only). Paid options like 1Password offer polished apps and sharing features. The built-in managers in Chrome, Firefox, and Safari are also genuinely good and free.
The master password for your manager deserves special attention. It should be long, random, and not based on anything personal. A passphrase — four to six random words chosen from a large wordlist — is both memorable and extremely hard to crack. 'correct horse battery staple' is the famous example; the actual words should be random, not that phrase.
Two-Factor Authentication
Even a perfect password can be compromised: phishing attacks trick users into entering credentials on fake sites, and data breaches expose hashed passwords to offline cracking. Two-factor authentication (2FA) adds a second requirement — something you have — so a stolen password alone is not enough to access your account.
Prefer an authenticator app (Google Authenticator, Authy, Bitwarden Authenticator) over SMS codes. SMS 2FA is better than nothing, but phone numbers can be hijacked. Hardware security keys (YubiKey, Google Titan) are the strongest option and resistant to phishing. Enable 2FA on every account that offers it, starting with email, banking, and your password manager.