How to create a strong password

Length beats complexity

For years we were told to use passwords like P@ssw0rd! - short but "complex." It turns out that is backwards. Modern password cracking chews through short passwords quickly, no matter how many symbols they contain. What actually defeats it is length. A long passphrase is both stronger and easier to remember.

How to build a strong password

1. Use a passphrase. Four or five random words make a great password: copper-violin-cloud-37-rain. It is long, memorable, and hard to guess. Aim for at least 15 characters.
2. Make every important password unique. Reusing one password means a single breach unlocks all your accounts. (See what to do when a password is breached.)
3. Avoid the obvious. Names, birthdays, pets, sports teams, and 123456 are the first things attackers try.
4. Do not just swap letters for symbols. P@ssw0rd is no stronger than password - cracking tools know every trick.

Let a password manager do the work

You cannot remember a unique 16-character password for 100 accounts - and you should not try. A password manager creates and stores strong, unique passwords for every site, so you only remember one strong master passphrase. See trustworthy free and open-source options on our Safe Software page.

Two more essentials

• Turn on two-factor authentication. Even a perfect password can leak; 2FA adds a second lock.
• Check whether your password has leaked. If a password has appeared in a known breach, it is unsafe no matter how strong it looks. Test yours privately with our Password Checker - it never sends your actual password.

Strong, unique, and backed by 2FA: get those three right and you are ahead of most attacks.