Why Most Passwords Are Terrible
The most commonly used passwords are still "123456", "password", "qwerty" and "abc123". These can be cracked in under a second. Even passwords that feel clever — like "P@ssw0rd!" or "Summer2025" — follow predictable patterns that attackers know to look for.
The real problem isn't just weak passwords — it's password reuse. When one service gets breached (and they do, regularly), attackers try those credentials on every other service. If you use the same password for your email and your bank, a breach at a random forum puts your bank account at risk.
What Makes a Password Strong?
Password strength comes down to entropy — how many possible combinations an attacker would need to try. Three factors increase entropy:
- Length — the single most important factor. Each extra character multiplies the number of possibilities by the size of the character pool, so the total grows exponentially with length
- Character variety — using uppercase, lowercase, numbers and symbols expands the character pool
- Randomness — truly random characters beat patterns, words and substitutions
| Password Type | Example | Time to Crack |
|---|---|---|
| 6 lowercase letters | abcdef | Instant |
| 8 mixed case + numbers | aB3dEf7h | ~1 hour |
| 12 all character types | kQ7#mP2&xL9! | ~34,000 years |
| 16 all character types | Rw4$nK8@vP2#bM6! | Billions of years |
| 4-word passphrase | correct-horse-battery-staple | ~550 years |
The Best Strategy: Password Manager + Random Passwords
The practical solution is to use a password manager (like Bitwarden, 1Password or Apple's built-in Keychain) combined with randomly generated passwords. Here's the approach:
- Create one very strong master password — a long passphrase you can memorise, like "purple-elephant-dances-on-saturn-42"
- Generate unique random passwords for everything else — 16+ characters, all character types
- Let the password manager remember them — you only need to remember the master password
- Enable two-factor authentication on every account that supports it
Passphrase Method
If you need to memorise a password (for your master password or a work login), use a passphrase: 4-6 random words strung together. "correct-horse-battery-staple" is famously strong despite being memorable. The key is that the words must be truly random — don't use phrases from songs, books or common sayings.
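The entropy arithmetic and the two generation methods described above, as an added example that is not part of the original article. It uses Python's `secrets` module; the 16-word `SAMPLE_WORDS` list is a constructed placeholder, and the 7,776-word list size in the last line is an assumption standing in for a real diceware-style list.

```python
import math
import secrets
import string

# Character classes named in the article: lowercase, uppercase, numbers, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
POOL = "".join(CLASSES)  # 94 printable ASCII characters

# Constructed 16-word sample list, for demonstration only. A real passphrase
# needs a list of thousands of words (assumption: 7,776, diceware-style).
SAMPLE_WORDS = ("anchor", "bamboo", "cactus", "dolphin", "ember", "falcon",
                "glacier", "harbor", "iguana", "jasmine", "kettle", "lantern",
                "meadow", "nickel", "orchid", "pebble")


def entropy_bits(choices: int, pool_size: int) -> float:
    """Entropy of `choices` independent uniform picks from `pool_size` options."""
    return choices * math.log2(pool_size)


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG containing every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        # secrets draws from the OS CSPRNG; the `random` module is a
        # predictable Mersenne Twister and must not be used for secrets.
        candidate = "".join(secrets.choice(POOL) for _ in range(length))
        # Rejection sampling: redraw the whole password instead of patching
        # characters in, so every accepted password stays equally likely.
        # The constraint costs slightly less than entropy_bits() reports.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def generate_passphrase(words: int = 4, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Passphrase of independently chosen random words (repeats allowed)."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates; entropy would be overstated")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(generate_password(16), f"{entropy_bits(16, len(POOL)):.1f} bits")
    print(generate_passphrase(4), f"{entropy_bits(4, len(SAMPLE_WORDS)):.1f} bits (sample list)")
    print(f"4 words from a 7,776-word list: {entropy_bits(4, 7776):.1f} bits")
```

The entropy figures only hold when every character or word is picked by the generator; a human choosing "random" words does not get them.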
Common Mistakes to Avoid
- Predictable substitutions — "p@ssw0rd" isn't clever; attackers try these first
- Personal information — pet names, birthdays, streets can be found on social media
- Keyboard patterns — "qwerty", "zxcvbn", "1qaz2wsx" are all well-known
- Incrementing — "Password1", "Password2" and so on are easily guessed if one version leaks
- Storing in plain text — never keep passwords in a note on your desktop or an unencrypted spreadsheet
Two-Factor Authentication
Even the strongest password can be phished or leaked in a breach. Two-factor authentication (2FA) adds a second layer: something you have (your phone) in addition to something you know (your password). Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS — SMS codes can be intercepted via SIM-swapping.