What Actually Makes a Password Strong

Most advice about passwords has been wrong for decades. The rules posted on sign-up forms — "must include one uppercase letter, one number, one symbol" — were designed to satisfy a 2003 government memo, not to reflect how passwords are actually cracked. The result? People create passwords like Password1! that technically pass every rule but can be broken in seconds.

Modern password-cracking tools do not guess characters one by one. They run through enormous lists of real leaked passwords, common word patterns, and rule-based mutations (capitalizing the first letter, appending a number, replacing a with @) at billions of attempts per second. Understanding that changes what "strong" means.

Length is the most important factor

Every extra character multiplies the number of possible combinations. An 8-character password has fewer than 219 trillion combinations — fast hardware works through that in minutes. A 16-character password has combinations numbering in the hundreds of quadrillions. A 20-character one might take longer than the age of the universe to brute-force, even with future hardware.

Complexity helps, but it is not a substitute for length

Using a range of characters — lowercase, uppercase, digits, symbols — does add entropy. But the payoff diminishes rapidly. Moving from 8 to 16 characters matters far more than adding a symbol to an 8-character password. The practical sweet spot is a password that is both long (16+ characters) and somewhat varied — which is exactly where passphrases shine.

Key Rule

The minimum bar for any account you care about: 16 characters, unique to that site. For your primary email and any financial account, aim for 20 or more.

The Passphrase Advantage

A passphrase is a sequence of random words used as a password. The concept was popularized by security researcher Arnold Reinhold in 1995 and has since been endorsed by the US National Institute of Standards and Technology (NIST) as a preferred approach. The reason is simple: random words are both long and memorable in a way that random characters are not.

Consider the passphrase marble-fence-jupiter-wool. That is 28 characters. It contains no personal information, no dictionary-busting symbols, and no tricks — yet it would take an astronomically long time to crack by brute force because the combination space of random words drawn from even a modest dictionary of 7,776 words (as used in the EFF wordlist) is enormous.

How to build a good passphrase

1. Choose four or more words at random — not a phrase you already know or a quote. Roll physical dice or use a dedicated word-generation tool.

2. Separate words with hyphens, spaces, or dots to add length without effort.

3. Add a number or symbol somewhere in the middle if the site requires it — but do not put it only at the end, where crackers always check first.

4. Never use a phrase meaningful to you personally — song lyrics, sports teams, pet names, or birthdays are tested early in dictionary attacks.
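The arithmetic behind "length beats complexity" and the dice-based procedure above, as an added Python example (not code from the article): it computes the entropy of character passwords versus word passphrases, estimates exhaustive-search time at an assumed guess rate, maps dice rolls to a wordlist index, and generates a passphrase with a digit placed in the middle. The 16-entry wordlist, the guess rate and the names used are constructed assumptions; the entropy figures use the real 7,776-word list size.

```python
import math
import secrets

# Constructed miniature wordlist standing in for a real 7,776-word diceware list.
# With only 16 entries the phrases it produces are NOT strong; it exists so the
# block runs offline. Entropy figures use the real list size passed as a parameter.
SAMPLE_WORDS = [
    "marble", "fence", "jupiter", "wool", "candle", "river", "otter", "basalt",
    "lantern", "pepper", "violin", "harbor", "cactus", "meadow", "quartz", "tundra",
]
DICEWARE_LIST_SIZE = 6 ** 5          # 7,776 words: five six-sided dice select one
GUESSES_PER_SECOND = 1e11            # assumed offline guess rate against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_bits(length, charset_size):
    """Entropy in bits of `length` characters drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count, dictionary_size=DICEWARE_LIST_SIZE):
    """Entropy in bits of `word_count` words drawn uniformly from the dictionary."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Years needed to try every candidate of the given entropy at the assumed rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def dice_index(rolls, sides=6):
    """Map dice rolls (each 1..sides) to a 0-based index into a list of
    sides**len(rolls) words, treating the rolls as base-`sides` digits."""
    index = 0
    for roll in rolls:
        if not 1 <= roll <= sides:
            raise ValueError(f"roll {roll} outside 1..{sides}")
        index = index * sides + (roll - 1)
    return index


def roll_dice(count=5, sides=6):
    """Cryptographically random rolls: the `secrets` module, never `random`."""
    return [secrets.randbelow(sides) + 1 for _ in range(count)]


def generate_passphrase(wordlist, word_count=4, separator="-", insert_digit=False):
    """Join randomly chosen words with a separator. With insert_digit=True a random
    digit goes in the middle of the phrase rather than at the end."""
    if word_count < 4:
        raise ValueError("use at least four words")
    parts = [secrets.choice(wordlist) for _ in range(word_count)]
    if insert_digit:
        parts.insert(len(parts) // 2, str(secrets.randbelow(10)))
    return separator.join(parts)


def strength_table():
    """Entropy in bits for the cases the article compares."""
    return {
        "8 chars, lowercase": charset_bits(8, 26),
        "8 chars, full printable": charset_bits(8, 95),
        "16 chars, lowercase": charset_bits(16, 26),
        "4 diceware words": passphrase_bits(4),
        "5 diceware words": passphrase_bits(5),
    }


if __name__ == "__main__":
    for label, bits in strength_table().items():
        print(f"{label:26s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    print("example phrase:", generate_passphrase(SAMPLE_WORDS, insert_digit=True))
```

Running the script shows that 16 lowercase characters (about 75 bits) outrank 8 characters from the full printable set (about 53 bits), and that four diceware words sit near 52 bits while five reach about 65. To use real dice, roll five of them, call `dice_index` on the result and take that line of the full 7,776-word list.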

The main limitation of passphrases is that creating a unique, truly random one for every site you use is mentally impossible. That is exactly what password managers solve.

Why Reusing Passwords Is So Dangerous

If you use the same password on five websites and one of them is hacked, attackers now have your credentials for all five. They will immediately run those credentials through dozens of popular sites in a process called credential stuffing — automated tools that try leaked username-and-password pairs at scale. This happens within hours of a breach becoming available on underground markets.

According to breach aggregation data, more than 15 billion unique credential pairs are currently in circulation on criminal forums. Even if you have never personally been in a headline-making breach, there is a meaningful chance your login details are in one of hundreds of smaller leaks you have never heard of.

Real-World Scenario

A gaming forum you joined in 2018 gets breached. You used the same email and password there as on your bank's website. The forum's security was poor; your password was stored without proper hashing. Within 48 hours, automated tools are attempting that password against hundreds of other services. Your email and bank accounts are at risk — because of a gaming forum you barely remember joining.

Password reuse is the single most common vector for account takeover. The fix is not willpower; it is making unique passwords so easy that you never have to think about reuse at all. That is the password manager's job.

Password Managers: How They Work and How to Choose One

A password manager is software that generates, stores, and fills in strong, unique passwords for every site you visit. You remember one strong master password; the manager handles everything else.

How the encryption works

Good password managers use a zero-knowledge architecture. When you set your master password, the manager uses it to derive an encryption key locally on your device — through a process called key derivation that is deliberately slow and computationally expensive. Your vault of passwords is encrypted with that key before it ever touches a server. The company running the service holds your encrypted data but cannot decrypt it, because they never receive your master password. This means even if the password manager company itself is breached, attackers get only an encrypted blob that is computationally infeasible to crack.
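The zero-knowledge split described above, as an added Python example using only the standard library (not the code of any real password manager): the client runs a deliberately slow PBKDF2 derivation, splits the result into an encryption key that never leaves the device and a separate authentication key, and the server stores only a salted hash of that authentication key. The iteration counts, the HMAC labels and the `Client` class are constructed assumptions; the vault encryption step itself is outside this block.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 600_000   # deliberately slow client-side derivation (illustrative value)
SERVER_ITERATIONS = 100_000   # the provider re-hashes what it receives (illustrative value)


def derive_master_key(master_password, salt, iterations=CLIENT_ITERATIONS):
    """Slow, salted PBKDF2-HMAC-SHA256 run on the user's device. The master
    password never leaves this function; only derived material does."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def split_keys(master_key):
    """Derive two independent subkeys. The encryption key stays on the device and
    protects the vault; the authentication key is what the client presents to log in.
    HMAC is one-way, so the auth key reveals nothing about the encryption key."""
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-authentication", hashlib.sha256).digest()
    return enc_key, auth_key


def server_enrol(auth_key, iterations=SERVER_ITERATIONS):
    """Everything the provider stores about the login: a fresh salt and a hash of
    the auth key. No master password, no encryption key."""
    server_salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", auth_key, server_salt, iterations, dklen=32)
    return {"salt": server_salt, "digest": digest, "iterations": iterations}


def server_verify(record, auth_key):
    """Constant-time comparison against the stored digest."""
    digest = hashlib.pbkdf2_hmac("sha256", auth_key, record["salt"], record["iterations"], dklen=32)
    return hmac.compare_digest(digest, record["digest"])


class Client:
    """Minimal client: enrols once, then logs in by re-deriving from the typed password."""

    def __init__(self, master_password, iterations=CLIENT_ITERATIONS, server_iterations=SERVER_ITERATIONS):
        self.salt = os.urandom(16)          # stored next to the vault; not secret
        self.iterations = iterations
        master_key = derive_master_key(master_password, self.salt, iterations)
        self.enc_key, auth_key = split_keys(master_key)
        # Only auth_key crosses the network; the provider keeps a hash of it.
        self.server_record = server_enrol(auth_key, server_iterations)

    def login(self, typed_password):
        """Re-derive from what the user typed and let the server check the auth key."""
        _, auth_key = split_keys(derive_master_key(typed_password, self.salt, self.iterations))
        return server_verify(self.server_record, auth_key)


if __name__ == "__main__":
    client = Client("marble-fence-jupiter-wool-candle")
    print("correct passphrase accepted:", client.login("marble-fence-jupiter-wool-candle"))
    print("wrong passphrase accepted:  ", client.login("marble-fence-jupiter-wool"))
    print("server holds enc key:       ", client.enc_key in client.server_record.values())
```

A breach of `server_record` yields a salt and a hash of the authentication key; turning that back into the encryption key would require reversing HMAC or re-running the slow derivation for every candidate master password, which is why a strong master passphrase and a high iteration count matter together.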

What features actually matter

What to look for when evaluating a password manager

Feature | Why it matters | What to look for
End-to-end encryption | Ensures the provider cannot read your data | AES-256 encryption; zero-knowledge model explicitly stated
Independent security audit | Third-party verification that security claims are real | Published audit reports from recognized security firms
Strong master-password handling | Protects you if the encrypted vault leaks | PBKDF2, bcrypt, or Argon2 key derivation with high iteration counts
Breach monitoring | Alerts you when a saved site is breached | Built-in breach monitoring, ideally with dark-web scanning
Multi-device sync | You need access everywhere | Apps for your phone, browser extension, and desktop
Secure sharing | Safely share credentials with family or colleagues | Encrypted sharing that does not reveal the plaintext password
Emergency access | Ensures a trusted person can access your vault if needed | Time-delayed emergency access with configurable waiting period

Cloud-based vs. local-storage managers

Cloud-based managers sync your encrypted vault across all devices automatically — the biggest practical advantage for most people. The encryption happens on your device first, so the cloud storage is not a meaningful security risk with a reputable provider. Local-storage managers (where your vault lives only on your own hardware) give you more control but mean you are solely responsible for backups and synchronization. For most people, the cloud-based model is the right tradeoff.

The master password: your one critical password

Because your master password unlocks everything else, it must be genuinely strong. Use a passphrase of at least five random words. Write it on paper and store that paper somewhere physically secure — a lockbox or a safe. Do not store the master password digitally anywhere. This is the one password worth memorizing through repeated daily use in the first week.

Getting Started Checklist

Install the browser extension — it auto-fills credentials and prompts you to save new ones.

Import existing passwords — most managers import from browsers or CSV files in a few clicks.

Prioritize the most sensitive accounts first — email, banking, and your primary social account. Change those passwords to generated 20-character ones immediately.

Work through the rest gradually — change a few passwords per day; you do not need to do it all in one sitting.

Two-Factor Authentication (2FA)

Two-factor authentication adds a second proof of identity on top of your password. Even if an attacker steals your password through a breach or phishing attack, they still cannot log in without that second factor. For your most important accounts, 2FA is not optional — it is essential.

The types of 2FA, from weakest to strongest

  • SMS text message codes — the most common and the weakest. SIM-swapping attacks, where criminals convince a phone carrier to redirect your number to their device, can defeat SMS-based 2FA. Still vastly better than no 2FA, but upgrade if you can.
  • Authenticator app codes — an app on your phone generates a time-based 6-digit code that changes every 30 seconds (TOTP — Time-based One-Time Password). These codes are generated offline and tied to your device, not your phone number. This is the recommended level for most accounts. Popular open-standard apps are available across Android and iOS.
  • Hardware security keys — a small physical USB or NFC device that you tap to authenticate. The gold standard for high-value accounts. They are resistant to phishing because they cryptographically verify the website's domain before responding. If you ever mistype a URL or land on a convincing fake site, the key simply will not work there.
  • Passkeys — the emerging replacement for passwords altogether. Using public-key cryptography built into your device (Touch ID, Face ID, Windows Hello), passkeys prove your identity without sending any secret over the network. Many major platforms now support them, and adoption is accelerating.
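The authenticator-app codes in the list above follow RFC 4226 (HOTP) and RFC 6238 (TOTP). This added Python example (not code from the article or from any authenticator app) implements both with the standard library, adds the server-side check with a small clock-skew window, and shows the Base32 form of the secret that a QR code carries. `RFC_TEST_SECRET` is the published test-vector key from those RFCs; `new_secret` and `provisioning_secret` are names chosen here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # shared secret used by the RFC 4226/6238 test vectors


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation,
    then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch. Needs only the secret and a clock, no network."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Server-side check tolerating `window` steps of clock skew either way.
    compare_digest avoids leaking how many leading digits matched."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + skew), code)
        for skew in range(-window, window + 1)
    )


def new_secret(length=20):
    """Fresh random shared secret; 20 bytes (160 bits) matches the SHA-1 output size."""
    return secrets.token_bytes(length)


def provisioning_secret(secret):
    """Base32 form of the secret, the value embedded in the otpauth:// URI behind
    the QR code an authenticator app scans."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    secret = new_secret()
    print("enrol this in the app:", provisioning_secret(secret))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
```

Because the phone and the server compute the same function of a shared secret and the current time, the code never has to travel to the phone, which is why TOTP is immune to the SIM-swapping problem that affects SMS codes. It is still a code the user types, so a convincing fake site can relay it; that gap is what the hardware keys and passkeys in the list above close.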

Set up an authenticator app on accounts that support it — your email provider, social media accounts, your password manager itself, and any financial service. Most services walk you through this in their security settings in under three minutes.

Backup Codes Are Critical

When you enable 2FA, every service offers backup codes — a set of one-time codes you can use if you lose access to your phone. Print these and store them with your other physical security items. Do not skip this step; people lock themselves out of accounts permanently because they lost both their phone and their backup codes.

Recognizing and Responding to Breaches

Data breaches are so common that the question is not whether your data has appeared in one, but how many. The good news is that finding out is straightforward and free.

Checking if you have been breached

The most widely used service for this is haveibeenpwned.com — run by a respected independent security researcher and trusted by governments and major tech companies. Enter your email address and it searches a database of hundreds of millions of breached accounts. If your address appears, it shows which breaches included it and what type of data was exposed (email addresses, passwords, phone numbers, and so on).

Most good password managers also include built-in breach monitoring that alerts you automatically when a site in your vault is linked to a newly published breach.

What to do when you learn of a breach

  1. Change your password on the breached site immediately using a new generated password from your manager.
  2. Check every other site where you used the same password — and change those too. This is where password reuse compounds damage rapidly.
  3. Enable 2FA on the breached account if you have not already.
  4. Monitor for suspicious activity — watch for password-reset emails you did not initiate, login notifications from new locations, or charges you do not recognize.
  5. Watch for phishing follow-ups — attackers who obtain email addresses from a breach sometimes send convincing phishing emails referencing real details from the breach to appear legitimate.
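The breach monitoring mentioned earlier and step 2 above (finding every other site that shares a compromised password) can be done locally over a vault export. This added Python example (not the article's or any vendor's code) audits a constructed sample vault: it flags reused passwords and checks each one against breach data using the k-anonymity range lookup that the Pwned Passwords service uses, where only the first five characters of the SHA-1 hash are sent and the match is made on the client. The vault entries, the `sample_fetch` function and the breach counts are constructed; the hash suffix for "password" is real.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault entries (site, password). Contains deliberate reuse.
SAMPLE_VAULT = [
    ("gaming-forum.example", "password"),
    ("bank.example", "password"),
    ("mail.example", "marble-fence-jupiter-wool"),
    ("shop.example", "Tr0ub4dor&3"),
]

# Constructed stand-in for the k-anonymity range endpoint. The real service
# (https://api.pwnedpasswords.com/range/<5 hex chars>) answers with one
# "HASH-SUFFIX:COUNT" line per breached hash that shares the 5-character prefix.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345678\n"   # SHA-1 suffix of "password"; count is constructed
        "0123456789ABCDEF0123456789ABCDEF012:3\n"          # constructed filler line
    ),
}


def split_hash(password):
    """SHA-1 the password locally and split it. Only the 5-character prefix is ever
    sent, so the server cannot tell which of the hashes in that range was asked about."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def sample_fetch(prefix):
    """Offline replacement for the HTTP call, backed by the constructed table."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password, fetch_range=sample_fetch):
    """Number of times the password appears in breach data, matched client-side."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def find_reuse(vault):
    """Map each password used on more than one site to the list of those sites."""
    sites_by_password = defaultdict(list)
    for site, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit_vault(vault, fetch_range=sample_fetch):
    """One finding per entry: breach count plus the other sites sharing its password."""
    reused = find_reuse(vault)
    findings = []
    for site, password in vault:
        findings.append({
            "site": site,
            "breached_count": breach_count(password, fetch_range),
            "reused_with": [s for s in reused.get(password, []) if s != site],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT):
        print(finding)
```

Against the sample vault the audit reports the forum and the bank as sharing one password that appears in breach data, which is exactly the scenario the article describes; the email passphrase comes back clean. A live version would replace `sample_fetch` with an HTTPS GET of the range URL, keeping the full hash and the password on the client.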

Phishing Warning

After a breach, you may receive emails claiming to be from the company urging you to "reset your password now" via a link. Never click those links. Instead, open a new browser tab, type the site's address manually, and change your password from there. Phishing emails after a breach are extremely common and sophisticated.

Your Simple 30-Minute Action Plan

You do not have to overhaul your entire digital life in an afternoon. Here is a sequenced plan that tackles the highest-risk items first and lets you build good habits gradually.

Start Here

1. Choose and install a reputable password manager (10 min). Look for zero-knowledge architecture and published third-party security audits. Install the browser extension and the mobile app.

2. Create your master passphrase and secure your backup codes (5 min). Five random words minimum. Enable 2FA on the manager itself; it protects everything else. Write backup codes on paper and store them physically.

3. Immediately change your email account password and enable 2FA (5 min). Your email is the master key to every other account, because password resets go there. Generate a 20-character password. Use an authenticator app for 2FA.

4. Do the same for banking and any financial account (5 min). Generate new unique passwords; activate 2FA where supported.

5. Check your email at haveibeenpwned.com (3 min). Identify any breached accounts and prioritize changing those passwords.

6. Gradually import and update remaining accounts (ongoing). Change a few passwords per day as you naturally log in to sites. After a month, the vast majority of your accounts will have unique, strong passwords.

Frequently Asked Questions

How long should a password be?

At least 16 characters for most accounts, and 20 or more for email and financial accounts. Length matters far more than swapping letters for symbols; a 16-character lowercase phrase is vastly harder to crack than an 8-character mix of symbols. If your manager generates the password for you, set it to 20 characters as your default and never think about it again.

Are password managers safe to use?

Yes. The risk of using a well-regarded manager is far lower than the risk of reusing weak passwords across dozens of sites. Look for end-to-end encryption, a zero-knowledge architecture, and a published independent security audit. No system is perfect, but the concentrated security investment of a reputable password manager dwarfs what any individual can maintain manually.

What is two-factor authentication, and do I really need it?

Two-factor authentication (2FA) requires a second proof of identity beyond your password, usually a code from an app or a hardware key. Yes, you genuinely need it on email, banking, and any account you cannot afford to lose. Even a relatively weak password becomes dramatically harder to exploit when 2FA is active, because the attacker would need physical access to your second factor in addition to knowing your password.

How do I find out whether my email address has been in a breach?

Visit haveibeenpwned.com and enter your email address. This service aggregates data from hundreds of known breach databases and tells you which ones included your address. Your password manager may also alert you automatically when a saved site's credentials appear in a breach database. Checking your email address there costs nothing and takes thirty seconds.

How often should I change my passwords?

Not on a fixed schedule. The old advice to change passwords every 90 days has been retired by major security bodies including NIST. Mandatory rotation actually reduces security, because it trains people to make small predictable changes (appending 2 to last month's password). Instead, change a password when you have reason to believe it was compromised, when a site you use reports a breach, or when you shared it with someone who no longer needs access.