A strong password is at least 16 characters long, uses a mix of letters, numbers, and symbols, and is completely unique to one account. The easiest way to create a strong password you will actually remember is the passphrase method — combine four or more random, unrelated words into a single phrase like “correct horse battery staple.” As of 2026, over 24 billion stolen credentials are circulating on the dark web, and weak passwords are the number one way hackers break into accounts.

A strong password is your first line of defence against hackers. If your password is short, common, or reused across sites, it can be cracked in seconds using automated tools. The good news is that creating a strong password does not require memorising random strings of characters. There are simple methods that give you both security and memorability.

What makes a password weak?

Most people think their passwords are stronger than they actually are. Security researchers analysing billions of leaked credentials have found the same patterns over and over again.

Weak password patterns include:

  • Short passwords — anything under 12 characters falls quickly to offline brute force on modern GPUs, and faster still when it is also a word or a pattern
  • Common words or phrases — “password,” “letmein,” “iloveyou,” and “welcome” appear in millions of breaches
  • Keyboard patterns — “qwerty,” “123456,” “asdfgh” are among the first things attackers try
  • Personal information — your name, birthday, pet’s name, or favourite team are easy to guess from social media
  • Simple substitutions — replacing “a” with “@” or “o” with “0” does not fool cracking tools; their rule sets generate these variations automatically from every dictionary word

As of 2026, the ten most common passwords still include “123456,” “password,” and “qwerty.” These are cracked in under one second.

How do you create a strong password using the passphrase method?

The passphrase method is the simplest way to create a strong password you can actually remember. Instead of a single word with symbols tacked on, you string together four or more completely random, unrelated words.

Here is how it works:

  1. Pick four random words that have nothing to do with each other — for example, “purple,” “hammer,” “ocean,” “breakfast”
  2. Put them together: “purplehammeroceanbreakfast”
  3. Optionally add a number and symbol somewhere: “purpleHammer7ocean!breakfast” (a hyphen or space between words works just as well and is easier to type; a digit and symbol add little unless they are random too)

That gives you a 28-character password that is extremely hard to crack but easy to picture in your mind. You can imagine a purple hammer smashing an ocean of breakfast cereal — the sillier the image, the easier it sticks.

Why this works:

  • Length beats complexity — every added random word multiplies the attacker's work by the size of the word list (7,776 for a standard Diceware list), so a five- or six-word passphrase outpaces any 8-character password a human would actually choose
  • Randomness matters — the words must be genuinely random, not a phrase that makes sense like “ilovemydog.” Picking them in your head is second best; rolling dice against a published word list, or letting a password manager generate them, is best
  • Easy to type — no awkward symbols to hunt for on a mobile keyboard
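The passphrase method as a small script, showing both ways of choosing words at random. This is an added example, not code from this page or from any particular product; the 16-word list in it is a constructed sample standing in for a real Diceware list of 7,776 words, and `dice_to_index` shows how such a list is keyed by five dice rolls.

```python
import math
import secrets

# Constructed 16-word sample so the script runs stand-alone. A real Diceware
# list such as the EFF large word list has 6**5 = 7776 entries, one per roll
# of five dice; use that for real passphrases, not this sample.
SAMPLE_WORDS = [
    "purple", "hammer", "ocean", "breakfast", "velvet", "tractor",
    "lantern", "cactus", "ribbon", "glacier", "pumpkin", "saddle",
    "walnut", "compass", "meadow", "turbine",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def entropy_bits(list_size: int, word_count: int) -> float:
    """Randomness, in bits, of word_count words drawn uniformly (with
    replacement) from list_size words: word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


def generate_passphrase(words, word_count: int = 4, separator: str = "-") -> str:
    """Pick words with the OS CSPRNG (`secrets`), never the `random` module,
    and never by 'thinking of' words, which people do predictably."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def dice_to_index(roll: str) -> int:
    """Map five physical dice faces ('1'-'6') to a 0-based index into a
    7776-word Diceware list, reading the roll as a base-6 number."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("a Diceware roll is exactly five faces in the range 1-6")
    idx = 0
    for c in roll:
        idx = idx * 6 + (int(c) - 1)
    return idx


def roll_dice(count: int = 5) -> str:
    """Simulate a roll with the CSPRNG when no physical dice are to hand."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


if __name__ == "__main__":
    print("passphrase from the sample list:", generate_passphrase(SAMPLE_WORDS))
    roll = roll_dice()
    print("a five-dice roll and its list index:", roll, dice_to_index(roll))
    for n in (4, 5, 6):
        bits = entropy_bits(DICEWARE_LIST_SIZE, n)
        print(f"{n} words from a 7776-word list: {bits:.1f} bits")
```

Four words from the full list give about 52 bits of randomness, five about 65, six about 78; the sample list above gives only 4 bits per word, which is why a real list matters. The strength comes entirely from the draw being random, so `secrets` is used rather than `random`.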

What should you avoid when creating a password?

Even with the passphrase method, some mistakes can weaken your password:

  • Do not use famous phrases — “tobeornottobe,” “maytheforcebewithyou” and other pop culture references are in cracking dictionaries
  • Do not use personal information — your street name, birth year, children’s names, or any detail findable on social media
  • Do not reuse passwords — if one site gets breached, every account sharing that password is compromised. As of 2026, credential stuffing attacks test stolen passwords against hundreds of sites automatically
  • Do not use sequential numbers or letters — “abcdef,” “111111,” and similar patterns are always in the first batch attackers try
  • Do not share passwords — not by text, not by email, not on a sticky note on your monitor

How does a password manager remove the need to remember passwords?

A password manager is an app that generates, stores, and fills in a unique strong password for every account you have. You only need to remember one master password — the one that unlocks the manager itself.

Here is what a password manager does for you:

  • Generates a random 20+ character password for every new account
  • Stores all your passwords in an encrypted vault
  • Automatically fills in your login credentials on websites and apps
  • Alerts you if any of your passwords appear in a known breach
  • Works across your phone, tablet, and computer

This means you never need to remember, type, or even know your individual passwords. You just need one strong master passphrase for the manager itself — use the four-word method from above.

Learn more in our complete guide: What is a password manager and do you actually need one?

How long should your password really be?

The minimum recommended length as of 2026 is 16 characters, but longer is always better. The figures below are rough, and they assume the worst case that matters: an attacker who has stolen a site's password hashes and is guessing offline on a multi-GPU rig at roughly 100 billion guesses per second against a fast hash such as MD5 or NTLM. Sites that hash with bcrypt, scrypt or Argon2 slow this down by a factor of 10,000 or more, but you rarely know which a site uses, so plan for the fast case:

  • 8 characters (mixed case + numbers), chosen at random — exhausted in under 1 hour
  • 8-12 characters built from words, names or substitutions — typically minutes to hours, because cracking tools try those patterns first instead of every combination
  • 12 fully random characters (mixed case + numbers + symbols) — over 100,000 years, but only a password manager will generate and remember one
  • 4 random words from a 7,776-word list (about 20-30 characters) — around 10 hours against a fast hash, thousands of years against bcrypt
  • 6 random words (around 40 characters) — tens of thousands of years even against a fast hash

Every additional random character multiplies the attacker's work by the size of the character set (62 or 95), and every additional random word multiplies it by the size of the word list (7,776), which is why adding a word is the cheapest way to buy time. For your email account and your password manager's master passphrase, use five or six words rather than four.
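The crack-time figures above, worked as a small calculator so you can change the assumptions yourself. This is an added example, not code or data from this page; the two guessing rates are assumptions (a multi-GPU rig against a fast unsalted hash, and the same hardware against bcrypt at a sensible cost factor), not measurements of any particular system.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guessing rates, not measured figures: a multi-GPU rig against a fast
# unsalted hash (MD5/NTLM) runs on the order of 10**11 guesses per second; the
# same hardware against bcrypt at a sensible cost factor manages around 10**4.
FAST_HASH_RATE = 1e11
SLOW_HASH_RATE = 1e4


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates when each of `length` positions is chosen uniformly
    from `alphabet_size` options (characters or words)."""
    return alphabet_size ** length


def crack_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the space; the expected time is about half."""
    return space / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest unit that gives a number >= 1."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


# Random-choice cases only: a human-chosen password is attacked with word
# lists and mangling rules, not by exhausting a space like these.
CASES = [
    ("8 random chars, A-Z a-z 0-9", keyspace(62, 8)),
    ("12 random chars, 95 printable ASCII", keyspace(95, 12)),
    ("4 random Diceware words (7776 list)", keyspace(7776, 4)),
    ("6 random Diceware words (7776 list)", keyspace(7776, 6)),
]


def crack_table():
    """Return (label, bits, seconds vs fast hash, seconds vs bcrypt) rows."""
    return [
        (label, math.log2(space),
         crack_seconds(space, FAST_HASH_RATE),
         crack_seconds(space, SLOW_HASH_RATE))
        for label, space in CASES
    ]


if __name__ == "__main__":
    for label, bits, fast, slow in crack_table():
        print(f"{label:36} {bits:6.1f} bits  "
              f"fast hash: {describe(fast):>16}  bcrypt: {describe(slow):>16}")
```

The table makes the point of the section concrete: four random words survive a fast hash for only about ten hours but survive bcrypt for millennia, while a sixth word pushes even the fast-hash figure into tens of thousands of years. Since you cannot see how a site stores your password, size the passphrase for the fast case.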

If your email has already been exposed in a breach, you need to act immediately. Check if your email was exposed in a data breach — it takes under 5 seconds and is completely free.

What should you do if your current passwords are weak?

If you realise your passwords are short, reused, or based on personal information, here is what to do right now:

  1. Start with your email account — this is the master key. If an attacker gets into your email, they can reset passwords on everything else
  2. Change passwords on financial accounts next — banks, investment accounts, payment apps
  3. Enable two-factor authentication on every account that supports it — this protects you even if your password is compromised
  4. Install a password manager and let it generate new passwords as you go
  5. Check your email for breaches — find out if your credentials are already circulating. If a password was leaked, check what was exposed and change it everywhere you used it

You do not need to change every password in one sitting. Start with the highest-value accounts and work your way down over a few days.

If your password was already leaked, read: What to do if your password was leaked in a data breach

You can also browse our breach database to see which companies have been compromised and what data was exposed.

Frequently asked questions

How long should a password be?

At minimum, 16 characters. But a passphrase of four or more random words will naturally be 20-30 characters, which is ideal. Length is the single most important factor in password strength — a long passphrase made of common words is far harder to crack than a short password with special characters.

Should I use the same password everywhere?

Never. If you use the same password on multiple sites and one of those sites gets breached, attackers will try that password on every other site within hours. This is called credential stuffing and it is one of the most common attack methods as of 2026. Use a password manager to generate a unique password for every account.

Is it OK to write passwords down?

Writing passwords on paper is safer than reusing the same password everywhere. A piece of paper in your desk drawer cannot be hacked remotely. However, a password manager is a much better solution — it encrypts your passwords, syncs across devices, and auto-fills login forms. If you do write passwords down, keep the paper in a secure location and never label it “passwords.”

What makes a password hard to crack?

Length and randomness, where randomness means how many equally likely choices went into the password, not how odd it looks. Cracking tools test billions of guesses per second, starting with common words, phrases and patterns, so a human-chosen password falls early no matter how it is dressed up. A truly random 20-character string (around 130 bits) is beyond any brute force. A passphrase of five or six words drawn at random from a large word list (about 65-78 bits) is less random than that but still takes years to tens of thousands of years to exhaust even against a fast hash, while being far easier to remember.

Should I change passwords regularly?

Only if you have reason to believe they were compromised — for example, if a service you use was breached or you get an alert from your password manager. Routine forced password changes actually make security worse because people tend to make small, predictable modifications like incrementing a number, and current NIST guidance (SP 800-63B) recommends against periodic expiry for that reason. Use strong, unique passwords and change them when there is a specific reason to.

What is a passphrase?

A passphrase is a password made up of multiple words strung together instead of a single word with symbols. For example, “correct horse battery staple” is a passphrase. A passphrase of four to six random words is typically 20-40 characters long and gets its strength from the number of randomly chosen words rather than from the character count, which makes it extremely resistant to cracking while being much easier to remember and type than random character strings like “kX9#mQ2$vL7@.” Security experts widely recommend passphrases as the best balance of security and usability.