How to Create a Strong Password
A practical, no-jargon guide — updated 2026
A strong password is the single cheapest way to protect your online accounts. Most break-ins don't involve clever hacking — they happen because a password was short, reused, or easy to guess. This guide shows you exactly what makes a password strong, with real examples and the mistakes to avoid.
The 4 rules of a strong password
- Make it long. Length matters more than anything else. Aim for 16 characters or more. Every extra character multiplies the number of guesses an attacker needs.
- Mix character types. Use uppercase, lowercase, numbers, and symbols together. This dramatically expands the pool of possibilities.
- Keep it random. No names, birthdays, dictionary words, or keyboard patterns like
qwertyor123456. Attackers try these first. - Use a unique password for every account. If one site is breached, reuse means every other account is exposed too.
Strong vs weak: examples
Here's the difference in practice:
- ❌
john2015— a name + year, cracked in seconds - ❌
P@ssw0rd!— looks complex but it's a top-guessed pattern - ✅
vT7$mK9pLxQ2wR8n— 16 random characters, effectively uncrackable - ✅
correct-horse-battery-staple— a long passphrase, strong and memorable
Common mistakes that make passwords weak
- Substituting letters for symbols in a real word (
p@ssw0rd) — cracking tools know every substitution. - Adding
1or!to the end to "meet requirements" — predictable. - Reusing the same password across sites.
- Using personal info that's easy to find on social media.
The easiest way: generate and store
You don't need to invent strong passwords by hand. The most reliable approach is to generate a random password and save it in a password manager (Bitwarden, 1Password, or your browser's built-in one). Then you only remember one strong master password, and the manager fills in the rest. Turn on two-factor authentication (2FA) wherever it's offered for an extra layer.
Not sure how strong an existing password is? Paste it into our password strength checker to see an estimated time-to-crack — all in your browser, nothing sent anywhere.