What Makes a Password Strong?

Everyone tells you to use a ‘strong’ password. But what does that really mean?

A strong password is one that is hard for people or software to guess. Which generally means that three things make a password strong: 

1. It’s long

2. It’s unusual

3. It’s unique

Let’s dig into each of these. 

Long is Strong

Passwords length is the single best way to make a password strong. Every additional character reduces the chances of someone guessing, knowing, remembering, or stealing your password and it makes it harder for automated tools to figure out the password. If we only had three words to explain good passwords, we’d say “long is strong”. How long? We’ll get to that below.

Common is Weak

The next two items on our list amplify and defend the strength of your long password. While length matters, if you have a password consisting only of extremely common words, it’s not very secure. There are long words and even phrases that everyone knows, and these don’t make the strongest passwords. 

‘LiveLongAndProsper’ is 18-characters, which is a very healthy password length, but if you’re a Star Trek fan (and people know that) and it’s the first guess your family and friends would make as to your password, so it’s actually a weak password. 

Creating a long password out of your favorite characters’ names, like ‘SpockSuluKirkTribbles’ is much stronger. Ever etter? Don’t choose a password based on your favorite show or topic, no matter how weird the password you choose.

Unusual is Awesome

Your passwords need to be unique – in two different ways:

  • You need a different password for every different account you want to protect.
  • You ideally want a password so unique that it’s likely or possible that no one in the world uses your password as their password.

Using the same password on multiple accounts is the cardinal sin of the password world. When you use a password in more than one account, then a bad actor can log right into any other account that uses that same password when they steal or guess the password to just one account.

That’s what happens when a password or data breach occurs; thieves post the stolen username+password combinations online, and then other bad people try those combinations to unlock other accounts. If your sports betting site gets hacked, and the password gets posted online, you don’t want to wake up the next day and find out someone logged into your bank account.

The other aspect of choosing a unique password is that lazy password choices – like street names, dog-kid-band names, song titles or famous quotes – are used by tons of people. That means they’re the first things hackers try when they want to log into an account. So you may love the Yankees, but don’t ask them to protect you. 

No Kn0wn Tr1ck$

By the way, replacing i’s with 1’s and s’s with $’s isn’t tripping up anyone. Everyone knows this and so do the hackers. Same with a surprise ! at the end.

Consider Passphrases

We call them passwords, but a better way to think about strong ones (if you’re not using a password generator and password manager) is passphrases. String together 4 or 5 words in a random order, all from the same song, book, or group of names (but not JohnPaulGeorgeRingo – remember uncommon). So HeavenFavoriteStairwayZepplin wouldn’t have been bad, except now it is.

Length Matters

As we said, long is strong. Passwords under 10 characters shouldn’t be used for anything important. When you get to 12-14 it’s nearly impossible for someone to guess a password even with a computer rapidly entering variations. Get to 20 characters or more and you’re doing an excellent job protecting your most important accounts.

It takes 5 hours for a computer to crack a password that’s 8 characters long, but 2 centuries for the same computer to crack one that’s 12 characters long. You can learn more about how long password cracking tools take to crack passwords here:


The downside of strong passwords is that you won’t be able to remember them. So you’ll need a password manager. And even with strong and excellent passwords you should use two-factor authentication on all important accounts where that is an option.

Passwords are literally protecting and defending your digital, financial, and personal life. So it’s as easy as 1-2-3:

  1. Make sure your key accounts have strong passwords, 
  2. Store them properly in a password manager, and 
  3. Double-lock your accounts with two-factor-authentication. 

Photo by Alora Griffiths on Unsplash

Show More
Back to top button