How to Create a Strong Password

Do you know how to create a strong password? Many people think they do, but still create passwords that take seconds for hackers to crack. Here we explain how to create a strong password and offer tips for making passwords easy to remember, but difficult for hackers to crack.

Updated Password Advice

There is a lot of conflicting advice on how to create a strong password. What was considered to be a strong password a few years ago is unlikely to provide a sufficient level of security now. For instance, the National Institute of Standards and Technology (NIST), a US authority on cybersecurity, changed its password advice fairly recently. After years of encouraging people to use complex passwords and to change them regularly, the advice is now to stop enforcing unnecessary password complexity and regular password changes.

The problem with forcing people to create complex passwords is that they are difficult to remember. That invariably means people will write them down or will circumvent password policies by creating passwords that meet the complexity requirements but are not really complex. For instance, Password123! would meet most organizations’ password complexity requirements, but it really isn’t much better than using ‘password’ as a password.

When people are forced to change passwords regularly, they tend to take shortcuts such as just changing one letter or number, which really doesn’t do much for security. People are very bad at choosing passwords, and making them do it more often doesn’t make them any better at it.

To help you create a strong password that will actually protect your accounts from unauthorized access, we recommend the following:

Tips for Creating Strong Passwords

First, one important point: a password must be unique. That means each account must have its own password, one that has not been used elsewhere. With that in mind, here are some useful tips on how to create a strong password.

Create a long password

The longer the password, the harder it is to guess. You should create a password of at least 8 characters, but ideally, it should have 10 or more characters. NIST now recommends a maximum of 64 characters to accommodate passphrases. As a general rule of thumb, the more sensitive the account, the longer the password should be.

Do not use dictionary words

It is not a good idea to use dictionary words as passwords, as hackers conduct dictionary attacks where brute force attempts are made using a list of all dictionary words. Adding a number or special character to a dictionary word does not make it much better. Password cracking tools are very efficient and can guess dictionary-based passwords very quickly.
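An added example (not part of the original article) of why a composition policy alone is not enough: Password123! passes a typical complexity check, while a lookup that strips added digits and symbols and undoes common substitutions finds the dictionary word underneath. The word list and function names are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample list; a real check would use a large list of dictionary
# words and commonly used passwords.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine"}

# Common look-alike substitutions, undone before the lookup:
# 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i
SUBSTITUTIONS = str.maketrans("013457@$!", "oleastasi")


def meets_complexity_rules(password: str) -> bool:
    """A typical composition policy: 8+ characters from all four classes."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= 8 and all(re.search(p, password) for p in patterns)


def dictionary_base(password: str) -> Optional[str]:
    """Return the listed word the password is built on, or None."""
    lowered = password.lower()
    candidates = set()
    # Try both orders so that a substitution at the end of a word
    # (welcom3) and digits added after a word (password123) are both caught.
    for text in (lowered, lowered.translate(SUBSTITUTIONS)):
        # Drop digits and symbols added before or after the word.
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", text)
        candidates.add(core.translate(SUBSTITUTIONS))
    for word in candidates:
        if word in COMMON_WORDS:
            return word
    return None


def is_acceptable(password: str) -> bool:
    """Accept only passwords that are long enough and not built on a listed word."""
    return len(password) >= 8 and dictionary_base(password) is None
```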

Do not use personal information

You should not use personal information in your passwords, such as a child’s or pet’s name, date of birth, or other important dates. This information can be easily found on social media accounts, and accounts could easily be hacked by people you know well.

Include a combination of upper- and lower-case letters, numbers, and special characters

If you just use lower-case letters, each character in a password can only be one of 26 letters. If you use upper- and lower-case letters, the number of possibilities for each character increases to 52, and then to 62 if numbers are also used, and even more with special characters. Don’t just start the password with a capital letter or just add a number or special character to the end of a password. Ideally, passwords should be a random combination of all of these characters.

Use a random password generator

Creating a random string of characters is difficult. When humans attempt this, they tend not to actually create random strings of characters. If you use a random password generator, such as those provided by Google and password managers, you will be generating a truly random string of characters which will make the password very difficult to guess.

Use a password strength meter

Password strength meters are often provided on websites. Make sure you use them. If your chosen password is weak or of average strength, you should change it. Your password should never be in the red or orange range. Make sure the strength meter is green.

Use a password manager

Follow these tips and you will be able to create a strong password for all your accounts, but how can you be expected to remember them? The key is to use a password manager.

A password manager will include a strong password generator that follows the above advice and creates a random string of characters as a password. It will also autofill passwords when you land on a website for which you have set a password. You will never need to remember your passwords, as they are all stored securely in an encrypted vault. You will only need to remember one password – the one that provides access to your password vault. Some password managers, Bitwarden for example, allow you to use their password manager free of charge, although the cost of the premium version of the solution is pretty low.

Setting a strong master password for a password manager

Following the above advice for password complexity is good, but your master password for your password manager may still be difficult to remember. To make it easier to remember, ditch the password and use a passphrase. A passphrase is a long password of 14+ characters that consists of multiple words, which makes it easy to remember but difficult to guess. When setting a passphrase it is acceptable to use dictionary words, as the length of the passphrase makes up for the use of real words.

At the most basic level, a passphrase should consist of three random words, each of which should be 5 letters or more. For instance – DinosaurTirednessChicago. That passphrase is instantly memorable but very difficult to guess. Also, consider adding in a couple of numbers and special characters for good measure.
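The random generation described under "Use a random password generator" and the three-word passphrase above, as an added Python example that is not part of the original article. It uses the standard-library `secrets` module; the function names and the short word list are constructed for illustration.

```python
import math
import secrets
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed sample list; a real word list should hold thousands of words.
SAMPLE_WORDS = ["harbor", "lantern", "velvet", "cactus", "thunder",
                "orbit", "maple", "quartz", "sky", "ant"]


def random_password(length: int = 16) -> str:
    """Draw each character from the combined pool with the OS CSPRNG."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    pool = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        # Redraw rather than patch in missing classes, so no position
        # is more predictable than any other.
        if all(any(c in group for c in candidate) for group in CLASSES):
            return candidate


def random_passphrase(wordlist, words: int = 3, min_letters: int = 5) -> str:
    """Join randomly chosen words of min_letters or more letters, then add
    a random digit and a random special character."""
    eligible = sorted({w.lower() for w in wordlist
                       if w.isalpha() and len(w) >= min_letters})
    if len(eligible) < words:
        raise ValueError("word list too small")
    chosen = [secrets.choice(eligible).capitalize() for _ in range(words)]
    return ("".join(chosen) + secrets.choice(string.digits)
            + secrets.choice(string.punctuation))


def search_space_bits(symbols: int, picks: int) -> float:
    """log2 of the equally likely outcomes when each of `picks` positions
    is chosen at random from `symbols` options."""
    return picks * math.log2(symbols)


if __name__ == "__main__":
    print(random_password(16))
    print(random_passphrase(SAMPLE_WORDS))
    # 26, 52 and 62 are the sizes from the article; 94 adds Python's
    # 32 punctuation characters.
    for size in (26, 52, 62, 94):
        print(size, round(search_space_bits(size, 10), 1))
```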

And finally…

Set up 2-factor authentication on your accounts

Yes, it is a pain, but 2-factor authentication is important. If your password is compromised, 2-factor authentication will prevent the password from being used to access your account.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news