How to Create a Strong Password

This guide produces a strong password that resists guessing and automated cracking, and a routine for giving every account its own unique credential. Password strength comes from length and unpredictability, not from contrived symbol patterns. The National Institute of Standards and Technology, in Special Publication 800-63B, advises length over forced composition rules and requires verifiers to accept passwords of at least 64 characters so that long passphrases are usable.

This article explains what makes a password strong, gives a numbered method to build a memorable passphrase, lists the patterns that weaken a password, shows how to check whether a password has appeared in a data breach using Have I Been Pwned, and explains how a password manager generates and stores credentials. Each section names the standard or tool involved, including NIST guidance, the Have I Been Pwned breach database, and managers such as Bitwarden and 1Password.

The result is a repeatable process that produces one strong, unique password per account and a system to remember every one of them. Start by understanding the two properties that determine password strength.

What Makes a Password Strong

A strong password is long, unpredictable, and used on only one account. The properties below determine how hard a password is to crack and how much damage its exposure can do.

  • Length sets the cracking cost. Each added character multiplies the number of combinations an attacker must test, so a 16-character password resists offline cracking far longer than an 8-character one.
  • Entropy measures unpredictability. Entropy, counted in bits, is the base-2 logarithm of the number of equally likely values the password could have taken; each extra bit doubles the guesses an attacker needs. It rises with both length and how randomly each part of the password was chosen.
  • Uniqueness limits breach damage. A password used on one account cannot unlock others, so a single breach stays contained to that one service.
  • Unpredictability defeats dictionaries. Attackers test common words, leaked passwords, and keyboard patterns first, so a password avoiding those survives longer.

Length matters more than symbol variety, provided the extra length is random. Four words drawn at random from a 7,776-word list carry about 52 bits of entropy, roughly the same as eight truly random printable characters and far more than a human-chosen 8-character mix of letters, numbers, and symbols, which cracking tools recover through word lists and substitution rules rather than brute force. NIST guidance reflects this by setting an 8-character minimum while requiring support for much longer passphrases.

How Long Should a Password Be?

A password should contain at least 12 characters, with 16 or more preferred for important accounts. The character counts below map length to practical resistance.

  • 8 characters is the floor. NIST sets 8 as the minimum, but if a service stores passwords with a fast hash such as MD5 or SHA-1, a GPU rig can exhaust every 8-character combination in hours once the hash leaks.
  • 12 characters is the baseline. A 12-character password raises the combination count enough for everyday accounts when the characters are unpredictable.
  • 16 characters protects key accounts. Email, banking, and password-manager master passwords warrant 16 or more characters.
  • 20 or more characters suits passphrases. A four-to-six word passphrase often exceeds 20 characters while staying memorable.

Build a Passphrase Step by Step

A passphrase strings together several unrelated words to reach high length and entropy while staying memorable. The numbered method below produces one passphrase.

  1. Choose four to six words that have no logical connection to each other, such as copper, lantern, gravel, and otter. Pick them at random, for example by rolling dice against a published word list such as the EFF long wordlist, because words selected by hand are less random than they feel and are worth far fewer bits.
  2. Confirm the words are not a quote, song lyric, or common phrase, because attackers test known phrases.
  3. Join the words with a separator such as a hyphen or a space, producing copper-lantern-gravel-otter.
  4. Add one number and one symbol at an unpredictable position, not only at the end.
  5. Capitalize one letter inside a word rather than the first letter, since first-letter capitalization is predictable.
  6. Confirm the final passphrase reaches at least 16 characters and read it aloud once to fix it in memory.

A passphrase such as copper-Lantern-gravel-otter-7! reaches 30 characters with high entropy and remains recallable. Because it appears in this article, that exact passphrase is now public and must not be used; build your own from fresh random words. Each account still needs its own passphrase, which is where a manager becomes necessary.
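The six steps above, carried out in code, as an added example that is not part of the original article. It lets a cryptographically secure random source pick the words (step 1), joins them with a separator (step 3), inserts a digit and a symbol at random positions (step 4), capitalizes a letter that does not start a word (step 5), and checks the 16-character floor (step 6). The 16-word list is constructed for the demo only; the entropy figures use the 7,776-entry EFF long wordlist as the assumed real source. The decoration entropy is reported as an upper bound, counted as log2 of the number of choices made at each step, so the reader can compare it against the roughly 12.9 bits a fifth word would add.

```python
import math
import secrets
import string

# Constructed word list for this demo only.  A real passphrase should draw from
# a large published list such as the EFF long wordlist (7,776 entries), so that
# each word contributes log2(7776), about 12.9 bits.
SAMPLE_WORDS = [
    "copper", "lantern", "gravel", "otter", "velvet", "harbor", "maple", "quartz",
    "saddle", "tundra", "walnut", "zephyr", "bison", "cobalt", "ember", "fjord",
]
EFF_LONG_LIST_SIZE = 7776          # 6**5: one entry per roll of five dice
SYMBOLS = "!@#$%^&*=+?"            # the separator "-" is deliberately excluded


def words_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly and independently from a list."""
    return word_count * math.log2(list_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose characters are drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_list, word_count=4, separator="-"):
    """Steps 1 to 3: let a CSPRNG pick the words, then join them.  Words chosen
    by hand are correlated with the chooser and are worth far fewer bits."""
    if word_count < 4:
        raise ValueError("use at least four words")
    return separator.join(secrets.choice(word_list) for _ in range(word_count))


def decorate(passphrase):
    """Steps 4 and 5: insert one digit and one symbol at random positions (not
    just the end) and capitalize one letter that does not start a word.
    Returns the result and an upper bound on the bits the decoration adds."""
    bits = 0.0
    slots = len(passphrase) + 1                     # the digit may go anywhere
    i = secrets.randbelow(slots)
    passphrase = passphrase[:i] + secrets.choice(string.digits) + passphrase[i:]
    bits += math.log2(slots * len(string.digits))
    slots = len(passphrase) + 1                     # the symbol likewise
    j = secrets.randbelow(slots)
    passphrase = passphrase[:j] + secrets.choice(SYMBOLS) + passphrase[j:]
    bits += math.log2(slots * len(SYMBOLS))
    # A letter is eligible for the capital only if the character before it is
    # also a lowercase letter, so it is never the first letter of a word.
    eligible = [k for k in range(1, len(passphrase))
                if passphrase[k].islower() and passphrase[k - 1].islower()]
    k = secrets.choice(eligible)
    passphrase = passphrase[:k] + passphrase[k].upper() + passphrase[k + 1:]
    bits += math.log2(len(eligible))
    return passphrase, bits


def meets_length_floor(passphrase, minimum=16):
    """Step 6: the finished passphrase must reach the 16-character floor."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    base = generate_passphrase(SAMPLE_WORDS)
    final, added = decorate(base)
    print(base, "->", final, f"({len(final)} chars, step 6 ok: {meets_length_floor(final)})")
    print(f"4 words from the EFF list: {words_entropy_bits(4, EFF_LONG_LIST_SIZE):.1f} bits")
    print(f"a 5th word would add:      {words_entropy_bits(1, EFF_LONG_LIST_SIZE):.1f} bits")
    print(f"digit+symbol+capital add:  at most {added:.1f} bits")
    print(f"16 random printable chars: {random_string_entropy_bits(16, 95):.1f} bits")
```

Two things the numbers show: the randomness of the words dominates, so swapping the 16-word demo list for the real EFF list is what lifts four words to about 52 bits, and the digit and symbol only earn their bits when their positions are genuinely random, which is why step 4 forbids simply appending them.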

What to Avoid in a Password

Weak passwords share predictable patterns that cracking tools test first. The practices below lower password strength and must be avoided.

  • Reuse across accounts. One leaked password unlocks every account sharing it through credential-stuffing attacks.
  • Personal information. Names, birthdays, pet names, and addresses appear in public records and social profiles attackers harvest.
  • Common substitutions. Replacing a with @ or o with 0 in dictionary words fails because cracking tools test these swaps automatically.
  • Sequential or repeated characters. Strings such as 123456, qwerty, and aaaa sit near the top of every published breached-password list.
  • Single dictionary words. Any one word, in any language, falls quickly to a dictionary attack regardless of capitalization.

The most reused passwords each year, published from breach data by NordPass, include 123456, password, and qwerty. A strong password shares no pattern with these entries.

Check If a Password Was Breached

Checking a password against a breach database confirms whether the password has already leaked and must be replaced. Have I Been Pwned indexes billions of breached account records, and its Pwned Passwords service holds the distinct passwords seen in those breaches, stored as SHA-1 hashes with a count of how often each one appeared.

  1. Open the Have I Been Pwned Pwned Passwords page in a browser.
  2. Type or paste the password into the check field. The page computes the SHA-1 hash of the password in the browser and sends only the first five hexadecimal characters of that hash to the server.
  3. Read the result, which reports how many times the password has appeared in breaches.
  4. Replace any password that returns a match, because attackers load breached passwords into their first guesses.
  5. Enter an email address on the main Have I Been Pwned page to see which breaches exposed accounts tied to that address.

A password appearing even once in the database is exposed and offers no protection. The Pwned Passwords check uses k-anonymity: the server returns every stored hash suffix sharing the five-character prefix, and the browser looks for its own suffix in that list, so neither the password nor its full hash ever leaves the browser.
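The k-anonymity exchange described above, implemented as an added example that is not part of the original article or of Have I Been Pwned's own code. The range endpoint `https://api.pwnedpasswords.com/range/{prefix}` and the `Add-Padding` request header are the real API; the range response embedded below is constructed for the demo (its format matches the API, but the counts are made up), so the check runs offline, and the live lookup is only used when the script is run interactively.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed range response for prefix 5BAA6, the prefix of SHA-1("password").
# The layout matches the real API, "SUFFIX:COUNT" per line, but these counts are
# made up for the demo; the 0-count line shows what an Add-Padding filler looks like.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
4D61E3E5F8B9E6A0F4E1C2B3D4E5F6A7B8C:0
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Hash locally, then split: the 5-hex-char prefix is all that is sent,
    the remaining 35 characters are matched on this side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Find our suffix in the range response; 0 means not seen (or a padding line)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live k-anonymity query.  Only the prefix travels; the server returns
    every suffix sharing it (typically several hundred).  Add-Padding asks the
    server to add filler lines so the response size does not leak the real
    number of suffixes in the range."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup=fetch_range) -> int:
    """Number of breach occurrences; any value above 0 means replace the
    password.  range_lookup is injectable so the flow can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(range_lookup(prefix), suffix)


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Password to check (not echoed): ")
    n = pwned_count(pw)
    print("seen in breaches %d times; replace it" % n if n else "not found in Pwned Passwords")
```

Reading the password with getpass rather than a command-line argument keeps it out of shell history and process listings, which matters because the whole point of the k-anonymity design is that the secret stays on the machine.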

Generate and Store Passwords With a Manager

A password manager generates a random unique password for each account and stores every one in an encrypted vault, so only one master password must be remembered. Managers such as Bitwarden and 1Password include a built-in generator.

  1. Install a password manager such as Bitwarden, 1Password, or KeePass.
  2. Create one strong master passphrase using the method above, since the master password protects the whole vault.
  3. Open the built-in generator and set length to 16 or more characters.
  4. Generate a unique password for each account and save it to the vault as logins are updated.
  5. Enable browser and mobile autofill so the manager enters each password automatically.

A generated 16-character password drawn uniformly from the 95 printable ASCII characters carries about 105 bits of entropy, far beyond almost any human-chosen password, and never repeats across accounts. The full workflow appears in the guide to using a password manager.

Strong Versus Weak Password Examples

Password                          Length  Strength  Reason
password1                         9       Weak      Dictionary word with a predictable trailing number
P@ssw0rd!                         9       Weak      Dictionary word with tested character substitutions
Summer2024                        10      Weak      Season and year appear in common wordlists
k9Tz!mqp                          8       Moderate  Random but short enough for offline cracking
copper-Lantern-gravel-otter-7!    30      Strong    Long unrelated-word passphrase with high entropy
xQ4!vR9zLm2#nP7w                  16      Strong    Manager-generated random string, unique per site

How Password Cracking Works

Password cracking works by testing guesses against a stolen password hash until one matches, with the number of guesses set by the password length and randomness. The methods below run in the order attackers prefer.

  • Dictionary attacks run first. A cracking tool tests common words, leaked passwords, and known phrases, which makes any single word fall in seconds.
  • Rule-based attacks follow. The tool applies substitutions such as a to @ and adds trailing numbers, which defeats predictable variations of dictionary words.
  • Mask attacks target patterns. A guess pattern such as one capital, five letters, and two digits narrows the search when the structure is predictable.
  • Brute force is the last resort. Every combination is tested in order, which only finishes in reasonable time against short passwords.

Each added character multiplies the brute-force search space, so length is the property that pushes a password beyond reach. A 16-character random password creates so many combinations that brute force becomes impractical, while a short password falls quickly regardless of symbol variety. The guess rate depends on how the service stored the password: against an unsalted fast hash such as MD5 or SHA-1, a GPU rig tests tens or hundreds of billions of guesses per second, which is why an exposed 8-character password offers little protection; a slow, salted hash such as bcrypt, scrypt, or Argon2 cuts that rate by several orders of magnitude. A user cannot see which hash a site uses, so length remains the only defense under the user's control.
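The cost arithmetic behind this section, and behind the length and entropy claims in "What Makes a Password Strong" and "How Long Should a Password Be?", worked through as an added example that is not part of the original article. The guess rates are assumptions chosen for illustration, not measurements: one for an unsalted fast hash on a multi-GPU rig and one for a slow hash such as bcrypt or Argon2. The "word + substitutions" row models a rule-based attack as a constructed 10,000-word list times 500 mangling rules, also an assumption, to show why P@ssw0rd! falls instantly while random length does not.

```python
import math

# Assumed guess rates, for illustration rather than measured: an unsalted fast
# hash such as MD5 or SHA-1 on a multi-GPU rig, versus a slow, salted hash such
# as bcrypt or Argon2 tuned to tens of milliseconds per guess.
ASSUMED_RATES = {
    "fast hash (MD5/SHA-1), GPU rig": 1e11,
    "slow hash (bcrypt/Argon2)": 1e5,
}

PRINTABLE = 95          # ASCII printable characters a keyboard can type
LOWERCASE = 26
EFF_LONG_LIST = 7776    # entries in the EFF long wordlist


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely candidates for a uniformly random secret."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy for a secret drawn uniformly from `space` candidates."""
    return math.log2(space)


def expected_seconds(space: int, rate: float) -> float:
    """Average time to hit a uniformly random secret at `rate` guesses per
    second: half the space, since the attacker stops at the first match."""
    return space / 2 / rate


def humanize(seconds: float) -> str:
    if seconds < 1:
        return "under a second"
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    year = 365.25 * 86400
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


# Constructed schemes.  The first row is not random at all: a dictionary word
# with substitutions is recovered by a rule-based attack over an assumed
# 10,000 common words times 500 mangling rules, not by brute force.
SCHEMES = {
    "word + substitutions (P@ssw0rd!)": 10_000 * 500,
    "8 random lowercase letters": keyspace(LOWERCASE, 8),
    "8 random printable (k9Tz!mqp)": keyspace(PRINTABLE, 8),
    "12 random printable": keyspace(PRINTABLE, 12),
    "16 random printable (manager)": keyspace(PRINTABLE, 16),
    "4 random EFF words": keyspace(EFF_LONG_LIST, 4),
    "6 random EFF words": keyspace(EFF_LONG_LIST, 6),
}


def cracking_table(schemes=SCHEMES, rates=ASSUMED_RATES):
    """Rows of (scheme, entropy bits, {rate label: expected time})."""
    rows = []
    for name, space in schemes.items():
        times = {label: humanize(expected_seconds(space, r)) for label, r in rates.items()}
        rows.append((name, round(entropy_bits(space), 1), times))
    return rows


if __name__ == "__main__":
    for name, bits, times in cracking_table():
        print(f"{name:34s} {bits:6.1f} bits  " + "  |  ".join(f"{k}: {v}" for k, v in times.items()))
```

The table makes the article's two central points concrete: 8 random printable characters and 4 random words sit within a bit of each other (about 52 bits), so an 8-character password is only as good as a 4-word passphrase when it is truly random, and every added character or word multiplies the time rather than adding to it, so 16 random characters are out of reach at either assumed rate while the slow hash buys six orders of magnitude but does not rescue a short or rule-predictable password.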

Manage Passwords Across Devices

Managing passwords across devices keeps the same unique credential available on every computer and phone without writing it down. The practices below keep access consistent and safe.

  • Sync through an encrypted vault. A password manager syncs the encrypted vault to each device, so a generated password works everywhere the account signs in.
  • Protect the device itself. A screen lock and device encryption stop a lost phone or laptop from exposing the vault stored on it.
  • Avoid plain-text storage. A note app or spreadsheet stores passwords unencrypted, which exposes every entry if the device is compromised.
  • Lock the vault when idle. An automatic vault timeout re-requires the master password, so a stepped-away device does not leave the vault open.

A password manager removes the need to memorize more than the master password, since the encrypted vault carries every other credential across devices. The device that holds the vault still needs its own screen lock and encryption, because the vault is only as accessible as the device protecting it.

Common Mistakes to Avoid

Several habits undermine an otherwise strong password. The mistakes below recur most often when people set passwords.

  • Storing passwords in a browser-only or plain text file. An unencrypted note exposes every password if the device is compromised; a password manager encrypts the vault instead.
  • Changing passwords on a fixed schedule. NIST advises against forced periodic changes because they push people toward predictable variations.
  • Adding only one character to an old password. Incrementing a password from one ending in 1 to one ending in 2 keeps it close to the breached version.
  • Trusting symbol complexity over length. A short complex password is weaker than a long passphrase against offline cracking.
  • Skipping a second factor. A password alone is one barrier; pairing it with two-factor authentication adds a second.

Key Takeaways

  • Favor length over complexity. A 16-character passphrase beats a short symbol-heavy password, matching NIST guidance.
  • Use a unique password per account. Uniqueness keeps one breach from unlocking every other login.
  • Build passphrases from unrelated words. Four to six random words reach high entropy and stay memorable.
  • Avoid personal information and common substitutions. Cracking tools test both before random strings.
  • Check passwords against Have I Been Pwned. Replace any password that appears in the breach database.

What is the strongest type of password?

A long passphrase of four to six unrelated words is the strongest type a person can remember. A password-manager-generated random string of 16 or more characters is stronger still and unique per account.

How long should a strong password be?

A strong password should be at least 12 characters, and 16 or more for email, banking, and a password manager master password. NIST sets 8 as the minimum and requires services to accept passwords of at least 64 characters so that long passphrases work.

Are passphrases safer than complex passwords?

Yes. A long passphrase reaches higher entropy than a short complex password while staying memorable. Length raises cracking cost more than symbol variety, which is why NIST favors length over forced complexity.

How do I know if my password was breached?

Check it on the Have I Been Pwned Pwned Passwords page. The tool hashes the password locally and reports how many times it appeared in known breaches. Replace any password that returns a match.

Should I change my password regularly?

No fixed schedule is required. NIST advises against forced periodic changes because they lead to predictable variations. Change a password only after a breach, suspected compromise, or reuse on another account.

Is it safe to let a password manager create my passwords?

Yes. A password manager generates random strings stronger than human-made passwords and stores them in an encrypted vault. Only the master password must be remembered, and the vault is protected by strong encryption.

Last Thoughts on Creating a Strong Password

A strong password comes from length and unpredictability, not from a tangle of symbols. A passphrase of four to six unrelated words reaches high entropy and stays memorable, while a password manager generates and stores a unique random password for every other account. Checking each password against Have I Been Pwned removes any credential that has already leaked.

Because one password protects only one barrier, a strong password works best alongside two-factor authentication and an encrypted vault managed through a password manager. The wider context of account protection appears in the overview of computer security basics, which connects passwords to the other defenses every account relies on.

Nizam Ud Deen

Nizam Ud Deen is the founder of theCoreiTech, a tech-focused platform dedicated to simplifying the world of computers, hardware, and digital innovation. With nearly a decade of experience in digital marketing and IT, Nizam combines strategic marketing insight with deep technical understanding. As a passionate entrepreneur, he has built multiple successful digital products and online ventures, helping bridge the gap between technology and everyday users. His mission through theCoreiTech is to empower readers to make informed decisions about computers, hardware, and emerging tech trends through clear, data-driven, and actionable content.
