Passwords
What makes a password "strong"?
People often use confusing language when talking about password strength. Let’s clear that up. A "strong" password (or a passphrase) is long, unique, and randomly generated.
Long: Length matters a great deal. Your passwords should be at least 16 characters long (a passphrase of several randomly chosen words is an easy way to get there). Every added character multiplies the number of guesses an attacker must make, so a long password pushes the cost of guessing or cracking it far beyond what even modern hardware can afford. Length only helps when the characters are unpredictable, though: a long quotation or song lyric is a known string that cracking tools try early.
Unique: Each account should have its own password. You should never reuse passwords. When you reuse a password across sites, a single compromise can unlock multiple accounts: attackers take lists of leaked username and password pairs and replay them against other services (a technique known as credential stuffing). Attackers might get a password by hacking a site, but far more often they get it through scams, such as tricking someone into signing in to a fake website. Password reuse is one of the most common reasons people lose control of their accounts.
Randomly generated: Humans are very bad at creating unpredictable secrets. Password managers are very good at it. They generate passwords without patterns, which removes the shortcuts attackers rely on.
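To make the three properties concrete, here is an added example (not part of the original page) that generates passwords and passphrases the way a password manager does, from the operating system's cryptographic random source, and works out how many guesses each would cost an attacker. The word list is a constructed stand-in of 20 words; the entropy figures assume a real diceware-style list of 7776 words, and the guessing rate of 100 billion guesses per second is an assumed figure for a fast, unsalted hash on GPU hardware (a slow hash such as bcrypt or Argon2 cuts that rate by orders of magnitude).

```python
import math
import secrets
import string

# Character pool for a generated password: all printable ASCII except space (94 symbols).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list for illustration only. A real diceware-style list
# (for example the EFF long list) has 7776 words; the entropy math below uses that size.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier",
                "harbor", "ivory", "juniper", "kestrel", "lumen", "meadow", "nickel",
                "orchid", "pebble", "quartz", "ripple", "saffron", "timber"]
DICEWARE_LIST_SIZE = 7776


def generate_password(length=16, alphabet=PRINTABLE):
    """Uniformly random password. `secrets` uses the OS CSPRNG, never random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words=6, words=SAMPLE_WORDS, sep="-"):
    """n_words words picked independently and uniformly from the list (diceware style)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(pool_size, length):
    """Entropy of `length` independent uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def expected_guess_seconds(bits, guesses_per_second):
    """Average time to hit a secret of `bits` entropy: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    rate = 1e11  # assumed: ~100 billion guesses/s against a fast hash on a GPU rig
    seconds_per_year = 365.25 * 24 * 3600
    for label, bits in [
        ("8 random printable chars", entropy_bits(len(PRINTABLE), 8)),
        ("16 random printable chars", entropy_bits(len(PRINTABLE), 16)),
        ("6 words from a 7776-word list", entropy_bits(DICEWARE_LIST_SIZE, 6)),
    ]:
        years = expected_guess_seconds(bits, rate) / seconds_per_year
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0e} guesses/s")
    print("password  :", generate_password())
    print("passphrase:", generate_passphrase())
```

Doubling the length from 8 to 16 random characters does not double the work for the attacker; it squares it, which is why the 16-character password lands in the trillions of years while the 8-character one falls in hours at the assumed rate. Six random words from a full diceware list sit in between and are far easier to memorize, which is what makes them a good choice for the one password you have to remember.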
Didn’t password rules used to be different?
Yes! For many years, most advice focused on “composition rules” (sometimes called “complexity”) such as requiring uppercase letters, numbers, symbols, and frequent password changes. In practice, this backfired. People responded by creating predictable patterns (a capitalized word, a digit and an exclamation mark), reusing passwords, or making small, easy-to-guess changes such as bumping the number at the end each time a change was forced.
What is the current best practice?
Modern guidance, including NIST’s Digital Identity Guidelines (SP 800-63B), reflects what we have learned from real-world failures. It says online services should accept long passwords or passphrases (at least 64 characters), should not impose composition rules, should not force periodic password changes unless there is evidence of compromise, should check new passwords against lists of passwords known to have leaked in breaches, and should allow pasting into the password field so that password managers work.
What should I do in practice?
Set up a reputable password manager (see resources like Consumer Reports’ Security Planner to pick one) and let it generate strong passwords for every site and service.
Note: Make sure you create a very strong passphrase for the password manager’s master password (sometimes called the vault password). You can even use real words, as long as they are chosen at random from a word list (with dice or a generator) rather than from memory; four to six random words are both strong and memorable. This is the one password that protects all of your others, so it deserves extra care. Sites like these can help you create a strong passphrase:
For most people, it is reasonable to write this passphrase down temporarily and keep it in a safe place, such as your wallet, until you have memorized it.
Be sure to turn on multi-factor authentication for the password manager account itself.
Most modern password managers also include tools that scan your saved passwords and assess their strength. Use these tools to fix weak passwords and eliminate passwords that are reused across sites. Set a reminder to review this at least quarterly. Using a recurring calendar reminder can make this an easy habit to keep.
Of course, each site may enforce its own password rules (such as mandating password “complexity”) and may require you to change your password from time to time, so you may need to adjust a generated password to fit; most password managers let you choose the length and character set of what they generate.
Bonus!
Here is an often overlooked benefit of using a password manager: It can significantly reduce the chances that you accidentally give your password to a scammer during a phishing attack.
This may sound surprising, so let’s break it down in plain language. A password manager keeps a secure list of the websites you use, along with your username and password for each one. When you visit a real website, such as your bank or email provider, the password manager recognizes the site and offers to fill in your login information.
If you are tricked into visiting a fake or impostor website, the password manager cannot find a match. It matches on the site’s domain name (the part of the address such as bank.example), not on how the page looks, so a lookalike address such as bank-example.com or bank.example.evil.net does not match and the manager offers nothing to fill. The impostor website will look exactly like the real website to you, a human. But the software is not fooled! This is a strong warning sign that something is wrong: if you ever find yourself about to copy a password out of the manager by hand because autofill did not appear, stop and check the address first.
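The matching rule that makes this work is simple to show in code. The example below is an added illustration, not code from the original page or from any particular password manager: it keeps a small constructed vault and decides whether to fill a login page by comparing the page’s host name against the stored site, refusing lookalike domains, addresses that smuggle a different host after an @ sign, a Cyrillic homograph of the real name, and a downgrade from https to http. Real managers differ in details (some match on the registrable domain, some offer per-entry settings), so treat the rule here as one reasonable policy rather than any product’s behaviour.

```python
from urllib.parse import urlsplit

# Constructed vault for illustration; a real manager stores this encrypted.
VAULT = [
    {"site": "https://bank.example", "username": "alice", "password": "ZqC8&vL!p2Rw#tH9"},
    {"site": "https://mail.example.net", "username": "alice@example.net", "password": "7uT$kM4wX!e9Qb2n"},
]


def _scheme_and_host(url):
    """Parse once, the same way for stored sites and visited pages.
    `.hostname` strips userinfo ('user@') and the port, and lowercases the host."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.hostname


def host_matches(stored_host, page_host):
    """Exact host, or a subdomain of it. 'bank-example.com' and
    'bank.example.evil.net' both fail: neither equals nor ends with '.bank.example'."""
    return page_host == stored_host or page_host.endswith("." + stored_host)


def fill_decision(vault, page_url):
    """Return (entry, reason). entry is None whenever autofill must refuse."""
    scheme, host = _scheme_and_host(page_url)
    if not host:
        return None, "unparseable host"
    if scheme != "https":
        # A real site stored as https should never be filled over plain http.
        return None, f"refusing to fill over {scheme or 'unknown scheme'}"
    for entry in vault:
        _, stored_host = _scheme_and_host(entry["site"])
        if host_matches(stored_host, host):
            return entry, "site matches vault entry"
    return None, f"no vault entry for {host}"


if __name__ == "__main__":
    # Constructed sample of pages a user might land on; only the first two should fill.
    for url in [
        "https://bank.example/login",
        "https://www.bank.example/login",
        "https://bank-example.com/login",            # lookalike registered by an attacker
        "https://bank.example.evil.net/login",       # real name used as a subdomain
        "https://bank.example@evil.net/login",       # real name hidden in the userinfo part
        "http://bank.example/login",                 # right host, no TLS
        "https://b\u0430nk.example/login",           # Cyrillic 'а' homograph of bank.example
    ]:
        entry, reason = fill_decision(VAULT, url)
        action = f"fill as {entry['username']}" if entry else "do nothing"
        print(f"{url:42s} -> {action:16s} ({reason})")
```

The point to notice is that the decision never looks at the page content. A phishing page can copy the bank’s logo, layout and wording perfectly, but it cannot make the browser report a host name it does not own, and that host name is the only thing the matcher checks.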
There is an additional layer of protection. When you use long, unique, randomly generated passwords, you usually do not know the password yourself. That makes it much harder to give it away, even if a scammer asks. You simply cannot type in a password you do not know!
Multi-factor authentication is still very important and should always be enabled when available. But when a password manager is used correctly, many phishing attacks are stopped before you ever reach the point where MFA is needed. Taking advantage of both layers of protection is a double win.