Most password advice is stuck in 2005. "Use a mix of uppercase, lowercase, numbers, and symbols" sounds smart but leads to passwords like P@ssw0rd! — which is terrible. Modern password security is simpler and more effective than the old rules suggest.

Length Beats Complexity

A 12-character password with random lowercase letters has more possible combinations than an 8-character password with every character type. Password cracking is fundamentally about the number of guesses required, and length increases that number exponentially.

Time to crack (brute force estimates):
8 chars, mixed: ~8 hours
12 chars, lowercase only: ~200 years
16 chars, lowercase only: ~millions of years
20 chars, passphrase: ~heat death of the universe

The math is clear: adding length is far more effective than adding complexity. A 16-character password of random lowercase letters is stronger than an 8-character password with every symbol imaginable.

Passphrases: The Best Approach

A passphrase is a sequence of random words strung together: "correct horse battery staple" (from the famous XKCD comic). It's easy to remember, easy to type, and extremely hard to crack. Four random common words give you roughly 44 bits of entropy — equivalent to a random 8-character password — but five or six words push you into practically uncrackable territory.
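The arithmetic behind the two sections above, as an added worked example that is not part of the original article: entropy in bits is length times log2 of the alphabet size, a passphrase is just a password whose "alphabet" is the word list, and brute-force time scales with 2 to the power of the bits. The 44-bit figure for four words corresponds to a 2048-word list (4 × 11 bits). The attack rate of 10^10 guesses per second and the 16-word list `WORDS` are constructed assumptions; the article's own crack-time estimates are not reproduced here, and real times depend heavily on how the site hashes passwords.

```python
from __future__ import annotations

import math
import secrets

# Alphabet sizes for the schemes the article compares.
LOWERCASE = 26
MIXED = 26 + 26 + 10 + 32   # upper + lower + digits + 32 printable ASCII symbols = 94
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in word list (assumption for this example). A real
# Diceware/EFF list has 7776 words; the entropy functions below take the list
# size as input, so the numbers stay honest whichever list you pass in.
WORDS = [
    "orbit", "lantern", "copper", "maple", "glacier", "pepper", "violin", "harbor",
    "meadow", "thunder", "saddle", "canyon", "marble", "quiver", "ember", "walnut",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """A passphrase is a password whose alphabet is the word list."""
    return entropy_bits(wordlist_size, words)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(wordlist: list[str], count: int, sep: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG (secrets), never random.random()."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def report(guesses_per_second: float = 1e10) -> dict[str, tuple[float, float]]:
    """Map each scheme to (entropy bits, expected years to crack at the assumed rate)."""
    schemes = {
        "8 chars, mixed": entropy_bits(MIXED, 8),
        "12 chars, lowercase": entropy_bits(LOWERCASE, 12),
        "16 chars, lowercase": entropy_bits(LOWERCASE, 16),
        "4 words, 2048-word list": passphrase_entropy_bits(2048, 4),
        "6 words, 7776-word list": passphrase_entropy_bits(7776, 6),
    }
    return {
        name: (bits, expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR)
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in report().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    print("example passphrase:", generate_passphrase(WORDS, 5))
```

Running it shows why length wins: 12 random lowercase letters (about 56 bits) outscore 8 characters from the full 94-symbol set (about 52 bits), and every extra lowercase letter adds 4.7 bits, while every extra word from a 7776-word list adds 12.9 bits.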

The Rules That Actually Matter

Never reuse passwords. This is the single most important rule. When a site gets breached (and they do, regularly), attackers try those leaked passwords on other sites. If you used the same password for your email and a random forum, and the forum gets hacked, your email is now compromised too.

Make every password at least 12 characters. 16+ is better. Length is your primary defense.

Use a password manager. You cannot realistically remember unique 16+ character passwords for 100+ accounts. A password manager (1Password, Bitwarden, KeePass) generates, stores, and fills them for you. You only need to remember one strong master password.

Enable two-factor authentication (2FA) everywhere it's offered, especially email, banking, and social media. Even if your password is compromised, 2FA stops the attacker.

What NOT to Do

Don't use personal information — names, birthdays, pet names, addresses. These are the first things attackers try. Don't use common substitutions like @ for a, 0 for o, 1 for l. Password crackers know all of these. Don't write passwords on sticky notes attached to your monitor. Don't share passwords via email or text. Don't use "security questions" with real answers — your mother's maiden name and the city you were born in are not secrets in the age of social media.
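A registration-time policy check that enforces the points above, as an added example that is not part of the original article: it undoes the substitutions the article names (@ for a, 0 for o, 1 for l) before comparing against a common-word list, so "P@ssw0rd!" is judged as "password", and it rejects passwords containing supplied personal details such as a pet name or birth year. The `SUBSTITUTIONS` map holds only the three the article mentions, and `COMMON_WORDS` is a small constructed stand-in for a real breached-password list; both are assumptions to be replaced in production.

```python
from __future__ import annotations

import string

# Only the substitutions the article names; a real checker carries a longer map.
SUBSTITUTIONS = {"@": "a", "0": "o", "1": "l"}

# Constructed stand-in for a large common/breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Undo the substitutions crackers already model: 'P@ssw0rd!' -> 'password!'."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password.lower())


def core_word(password: str) -> str:
    """Strip leading/trailing digits and symbols from the normalized form."""
    return normalize(password).strip(string.digits + string.punctuation)


def check_password(password: str, personal_info: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy problems; an empty list means the password passed."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if core_word(password) in COMMON_WORDS:
        problems.append("a common word dressed up with predictable substitutions")
    raw, normalized = password.lower(), normalize(password)
    for item in personal_info:
        item = item.lower()
        # Check both the raw and normalized forms: '0' -> 'o' would otherwise
        # turn a birth year like 2015 into '2o15' and hide it from the match.
        if len(item) >= 3 and (item in raw or item in normalized):
            problems.append(f"contains personal information ({item!r})")
    return problems


if __name__ == "__main__":
    for candidate, info in [
        ("P@ssw0rd!", ()),
        ("Fluffy2015!xyz", ("Fluffy", "2015")),
        ("orbit lantern copper maple", ()),
    ]:
        print(f"{candidate!r}: {check_password(candidate, info) or 'OK'}")
```

The substitution map is deliberately applied before the dictionary lookup rather than after: the point is that a substituted word is still the same word to a cracker, so the checker must see it the same way.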

The ideal setup: A password manager with a strong master passphrase (5+ random words), generating unique 16+ character random passwords for every account, with 2FA enabled on all critical accounts. This takes 30 minutes to set up and protects you for life.