Password Security Guide: Protect Your Digital Life

Everything you need to know about creating strong passwords, understanding entropy, using password managers, and implementing multi-factor authentication.

15 min read Updated Jan 2026

1. Why Password Security Matters

Passwords are the keys to your digital life. A single compromised password can lead to:

  • Identity theft: Access to email enables password resets for other accounts
  • Financial loss: Banking, PayPal, crypto wallets compromised
  • Reputation damage: Social media hijacking, impersonation
  • Data breaches: Work accounts expose company data
  • Cascading failures: One breach leads to many via password reuse

🚨 Alarming Statistics

  • 81% of data breaches involve weak or stolen passwords
  • The average person has 100+ online accounts
  • 65% of people reuse passwords across accounts
  • 23 million accounts still use "123456" as password

2. Anatomy of a Strong Password

1 Length (Most Important)

Minimum 12 characters, ideally 16+. Each additional character multiplies the search space by the size of the character pool, so security grows exponentially with length. A 20-character password is astronomically stronger than an 8-character one.

2 Character Variety

Use all character types: uppercase (A-Z), lowercase (a-z), numbers (0-9), and symbols (!@#$%^&*). More variety = larger character pool = more combinations.

3 Randomness

Truly random, not based on dictionary words, patterns, or personal info. "P@ssw0rd!" is NOT random - cracking wordlists include exactly these substitution rules.

4 Uniqueness

Every account needs a unique password. If one is breached, others remain safe. This is why password managers are essential.

Password Strength Examples:

Password                       Strength       Time to Crack
password                       💀 Terrible    Instant
P@ssw0rd!                      ⚠️ Weak        Minutes (in wordlists)
MyD0g$Nam3Rex                  😐 Moderate    Days to weeks
j7#Kp9$mL2@nQ4&w               ✅ Strong      Centuries
correct horse battery staple   ✅ Strong      Centuries (if random words)

3. Understanding Password Entropy

Entropy measures the randomness (unpredictability) of a password in bits. Higher entropy = harder to guess. It's the true measure of password strength.

Entropy Formula:

Entropy = log₂(pool_size^length) = length × log₂(pool_size)

Where pool_size = number of possible characters

Character Pool Sizes:

  • Lowercase only (a-z): 26 characters → 4.7 bits per character
  • + Uppercase (A-Z): 52 characters → 5.7 bits per character
  • + Numbers (0-9): 62 characters → 5.95 bits per character
  • + Symbols (~33): 95 characters → 6.57 bits per character

Entropy Examples:

Password Type          Length   Entropy       Rating
4-digit PIN            4        ~13 bits      Very weak
6 lowercase letters    6        ~28 bits      Weak
8 mixed characters     8        ~52 bits      Moderate
12 mixed + symbols     12       ~79 bits      Strong
4-word passphrase      ~20      ~44-77 bits   Strong
16 random all chars    16       ~105 bits     Very strong

💡 Target Entropy

Minimum: 50+ bits for everyday accounts
Recommended: 70+ bits for important accounts
Critical: 100+ bits for master passwords, encryption keys
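As an added worked example (not code from this guide), here is a small offline strength estimator in JavaScript that applies the entropy formula above, deriving pool_size from the character classes actually present, and adds the substitution check from section 2: leetspeak is undone and the result is looked up in a constructed mini wordlist, because "P@ssw0rd!" scores about 59 bits by the formula yet is really a single wordlist entry. It also includes the word-count formula for passphrases, since applying the per-character formula to "correct horse battery staple" overstates its strength (the words, not the letters, are what is random). Function names, rating thresholds, the substitution map and the wordlist are assumptions.

```javascript
// Added example, not part of the guide. Names, thresholds, the substitution
// map and the mini wordlist are assumptions made for illustration.

// Common leetspeak substitutions that cracking rules undo in milliseconds.
const SUBSTITUTIONS = { '@': 'a', '4': 'a', '3': 'e', '1': 'l', '0': 'o', '$': 's', '5': 's', '7': 't' };

// Constructed mini wordlist; a real cracker uses hundreds of millions of entries.
const COMMON_WORDS = new Set(['password', 'qwerty', '123456', 'letmein', 'welcome', 'dragon', 'monkey', 'iloveyou']);

// pool_size as the guide defines it: the sum of the character classes present.
function poolSize(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^A-Za-z0-9]/.test(password)) pool += 33; // the guide's "~33 symbols"
  return pool;
}

// Entropy = length × log2(pool_size), valid only if every character is random.
function charEntropyBits(password) {
  if (password.length === 0) return 0;
  return password.length * Math.log2(poolSize(password));
}

// Passphrase entropy: each word drawn uniformly from a list of `listSize` words.
function passphraseEntropyBits(wordCount, listSize = 7776) {
  return wordCount * Math.log2(listSize);
}

// Undo leetspeak and strip decoration so "P@ssw0rd!" collapses to "password".
function normalize(password) {
  const deleeted = password.toLowerCase().replace(/[@43105$7]/g, ch => SUBSTITUTIONS[ch]);
  return deleeted.replace(/[^a-z]/g, '');
}

function isDictionaryWord(password) {
  return COMMON_WORDS.has(password.toLowerCase()) || COMMON_WORDS.has(normalize(password));
}

// Map bits to the guide's targets (50 / 70 / 100 bits). A wordlist hit overrides
// the arithmetic: the formula assumes a randomness the password does not have.
function ratePassword(password) {
  const bits = charEntropyBits(password);
  const inWordlist = isDictionaryWord(password);
  let rating;
  if (inWordlist) rating = 'wordlist';
  else if (bits < 50) rating = 'below minimum';
  else if (bits < 70) rating = 'everyday accounts';
  else if (bits < 100) rating = 'important accounts';
  else rating = 'critical accounts';
  return { bits: Math.round(bits), inWordlist, rating };
}

// Demonstration on the guide's own example passwords
function demo() {
  for (const p of ['password', 'P@ssw0rd!', 'MyD0g$Nam3Rex', 'j7#Kp9$mL2@nQ4&w']) {
    console.log(p.padEnd(18), JSON.stringify(ratePassword(p)));
  }
  for (const n of [3, 4, 5, 6]) {
    console.log(`${n}-word passphrase (7776-word list): ~${Math.round(passphraseEntropyBits(n))} bits`);
  }
}
demo();
```

Note what the estimator still gets wrong: it credits "MyD0g$Nam3Rex" with more bits than the table's "Moderate", because it cannot see that this is a name plus a pet plus substitutions. Per-character entropy is an upper bound that only holds for generated passwords, which is why the guide says to generate rather than compose them.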

4. Common Password Attacks

[HIGH] Credential Stuffing

Using leaked username/password pairs from one breach to access other sites. Works because people reuse passwords.

Defense: Unique password for every account

[HIGH] Dictionary Attack

Trying common words, phrases, and known passwords from breach databases. "password123" is tried within milliseconds.

Defense: Random characters, not words

[MED] Brute Force

Systematically trying every possible combination. Defeated by length - 10 characters takes 1000x longer than 8.

Defense: Long passwords (16+ chars)

[MED] Rainbow Tables

Precomputed tables mapping hashes to passwords. Fast lookups instead of computation.

Defense: Services must use salted hashes (bcrypt/Argon2)

[SOCIAL] Phishing

Fake login pages that steal credentials. Even strong passwords are useless if you type them into a fake site.

Defense: Check URLs, use password manager autofill (it only offers credentials on the domain they were saved for, so a look-alike site gets nothing), 2FA

[SOCIAL] Social Engineering

Tricking people into revealing passwords through manipulation, impersonation, or fake tech support.

Defense: Never share passwords, verify requests through official channels

5. Password Managers

🔐 Password managers are essential

They solve an otherwise impossible problem: having a unique, random, strong password for every account while only remembering one master password.

How Password Managers Work:

  1. Generate strong, unique passwords for each account
  2. Store all passwords in an encrypted vault
  3. Vault is encrypted with your master password (never stored)
  4. Autofill credentials on websites and apps
  5. Sync across devices securely

Popular Password Managers:

Manager      Type                Free Tier        Best For
1Password    Cloud               Trial only       Families, teams
Bitwarden    Cloud / Self-host   Yes, generous    Budget, self-hosters
Dashlane     Cloud               Limited          VPN included
KeePassXC    Local file          100% free        Privacy maximalists

Master Password Requirements:

Your master password is the only one you need to remember. Make it strong:

  • At least 16 characters (ideally 20+)
  • Use a memorable generated passphrase in a form like "correct-horse-battery-staple-42!"
  • Never reuse it anywhere else
  • Consider writing it down and storing securely (safety deposit box)

6. Two-Factor Authentication (2FA)

2FA adds a second layer of security. Even if your password is stolen, attackers can't access your account without the second factor.

Types of 2FA (Best to Worst):

🏆 Hardware Security Keys (Best)

Physical devices (YubiKey, Google Titan). Phishing-resistant, can't be remotely compromised. Use for critical accounts.

✅ Authenticator Apps (Good)

TOTP apps (Google Authenticator, Authy, 1Password). Time-based codes that change every 30 seconds. Much better than SMS.

⚠️ SMS/Text Messages (Acceptable)

Better than nothing, but vulnerable to SIM-swapping attacks where attackers take over your phone number. Avoid for high-value accounts.

❌ Email-based (Weak)

If attackers have your password, they might have your email too. Creates a single point of failure.

Enable 2FA on These First:

  1. Email accounts - Gateway to all other password resets
  2. Password manager - Keys to the kingdom
  3. Banking & financial - Direct financial impact
  4. Social media - Reputation and identity
  5. Cloud storage - Sensitive documents

7. Passphrases vs Passwords

A passphrase is a password made of multiple random words. They can be more secure AND easier to remember than complex passwords.

Traditional Password

Tr0ub4dor&3
  • Hard to remember
  • ~28 bits entropy
  • Commonly in wordlists

Passphrase

correct horse battery staple
  • Easy to remember
  • ~44 bits entropy
  • Much harder to crack

Passphrase Best Practices:

  • Use 4-6 random words from a large wordlist (7000+ words)
  • Don't pick words yourself - Use a generator (humans are bad at random)
  • Add variations for more entropy: numbers, capitals, separators
  • Never use famous phrases: song lyrics, book quotes, etc.

Passphrase Entropy by Word Count:

Words     Entropy (7776-word list)   Time to Crack
3 words   ~39 bits                   Weeks
4 words   ~52 bits                   Years
5 words   ~65 bits                   Centuries
6 words   ~78 bits                   Millennia

8. Storing Passwords (For Developers)

🔴 Never Store Plaintext Passwords

This seems obvious but still happens. LinkedIn (2012), Adobe (2013), and many others leaked plaintext or weakly encrypted passwords.

Password Storage Hierarchy:

  1. Argon2id - Winner of Password Hashing Competition, memory-hard
  2. bcrypt - Battle-tested, widely available, CPU-hard
  3. scrypt - Memory-hard, good alternative
  4. PBKDF2 - Acceptable for compliance, configure high iterations
  5. Plain SHA-256/MD5 - Never use for passwords (a single fast, unsalted hash is exactly what crackers want)

Implementation Example (Node.js):

const bcrypt = require('bcrypt');

// Hash a password (during registration)
async function hashPassword(plaintext) {
    const saltRounds = 12; // Cost factor: higher = slower = more secure; bcrypt generates the salt itself
    // Note: bcrypt only uses the first 72 bytes of the input
    return bcrypt.hash(plaintext, saltRounds);
}

// Verify a password (during login)
async function verifyPassword(plaintext, hash) {
    return bcrypt.compare(plaintext, hash); // re-hashes with the salt embedded in `hash` and compares
}

// Usage: await is only valid inside an async function in a CommonJS module
async function main() {
    const hash = await hashPassword('user-password');
    // Store hash in database: $2b$12$LQv3c1yqBW...

    const isValid = await verifyPassword('user-password', hash);
    // isValid is true if the password matches
    console.log(isValid);
}

main();

See our Hash Functions Guide for detailed information on password hashing algorithms.

9. Password Security Checklist

10. Frequently Asked Questions

How often should I change my passwords?

Modern guidance: Don't change on a schedule. NIST now recommends against periodic password changes. Change only when: (1) you suspect compromise, (2) a service reports a breach, (3) you've shared the password, or (4) it's weak and needs strengthening. Forced periodic changes lead to predictable patterns (Password1, Password2...).

Is it safe to write down passwords?

It depends. Writing down passwords and storing them securely (locked drawer, safe, safety deposit box) is better than using weak passwords or reusing them. For your master password, writing it down as a backup is reasonable. Never put it on a sticky note on your monitor or in an unencrypted file.

What if I forget my master password?

This is serious - password managers are designed so that even they can't access your vault. Preventive measures: (1) Use a memorable passphrase, (2) Write it down and store securely, (3) Set up emergency access with a trusted person, (4) Some managers offer recovery keys - store these safely. If you forget with no backup, you may need to reset all your accounts.

Are password managers safe if they get hacked?

Password managers use zero-knowledge architecture - your vault is encrypted locally before syncing. If they're breached, attackers get encrypted data they can't decrypt without your master password. With a strong master password (16+ chars), brute-forcing is impractical. The LastPass breach (2022) showed this: even with vault data stolen, accounts with strong master passwords remained safe.

Is biometric authentication (fingerprint/face) secure?

Biometrics are convenient but have limitations: (1) Can't be changed if compromised, (2) Can be coerced (forced unlock), (3) May be bypassed with photos/molds. Best practice: Use biometrics for convenience + a strong PIN/password as backup. For high-security scenarios, prefer passwords or hardware keys. Biometrics are "something you are" - good for identification, less ideal as sole authentication.

Should I use "Sign in with Google/Facebook"?

It depends on your threat model. Pros: One less password to manage, provider security is likely better than most sites. Cons: Creates a single point of failure (lose Google = lose everything), provider can track your logins, account termination locks you out everywhere. If you use SSO, make that account extremely secure with 2FA and a strong unique password.

What are passkeys and should I use them?

Yes, passkeys are the future. They replace passwords with cryptographic key pairs stored on your device. Benefits: Phishing-resistant (keys are domain-bound), no password to steal, backed by device security. Downsides: Still new, not universally supported, recovery can be complex. Enable passkeys where available, especially for important accounts. They're more secure than passwords + 2FA.

How do I know if my password has been leaked?

Use haveibeenpwned.com to check if your email or passwords appear in known breaches. Many password managers also integrate breach monitoring and alert you if stored passwords are found in leaks. If a password is compromised, change it immediately, along with any other accounts using the same password.

What's the most secure 2FA method?

Ranking from best to acceptable:
1. Hardware security keys (YubiKey, Titan) - Phishing-proof
2. Authenticator apps (Authy, Google Auth) - Good protection
3. Push notifications (Duo, MS Authenticator) - Convenient, some phishing risk
4. SMS codes - Vulnerable to SIM-swapping, but better than nothing

Can quantum computers break my passwords?

Not directly, and not yet. Quantum computers threaten asymmetric encryption (RSA, ECC) used in HTTPS and digital signatures. Password hashing (bcrypt, Argon2) relies on symmetric primitives, where Grover's algorithm only reduces the work from n to about √n. A 256-bit secure hash would still require about 128-bit quantum work, which is impractical. Focus on today's threats: weak passwords, reuse, and phishing.

Test Your Password Strength

Use our free password analyzer to check entropy, patterns, and estimated crack time - 100% client-side.
