Passwords are still the front door to almost everything you do online. For all the talk of fingerprints and face scans, the humble password remains what stands between your accounts and whoever wants in. Getting them right is one of the highest-impact things you can do for your security — and it's easier than most people assume.
What actually makes a password strong
The old advice — a short jumble of symbols like P@$w0rd! — is outdated. What matters most is length. Every extra character multiplies the number of combinations an attacker has to try, far more than swapping letters for symbols does. A long, memorable passphrase made of several unrelated words is both stronger and easier to remember than a short, cryptic one.
- Go long. Aim for at least 12–16 characters; more is better.
- Avoid the personal stuff. Names, birthdays, pet names and favourite teams are the first things guessed.
- Avoid dictionary words on their own. Single real words — even with a number tacked on the end — fall quickly to automated attacks.
- Make it unpredictable. A randomly generated string is the strongest option of all, because there's no pattern to exploit.
The biggest mistake: reuse
If you take one thing from this guide, make it this: never reuse passwords across accounts. When a company suffers a breach, attackers take the leaked email-and-password pairs and try them automatically on hundreds of other sites — a tactic called credential stuffing. If you've used the same password in more than one place, a single breach quietly hands over all of those accounts at once.
⚠️ This is how most accounts actually get hacked. Not by someone cracking a strong password, but by reused passwords from an old breach being tried on your other accounts. Unique passwords everywhere shut this down completely.
How to manage them without memorising everything
Nobody can remember a unique, random password for every account — and you shouldn't try. There are two sensible approaches, and they work best together:
Generate a unique password for every account
A password generator creates strong, random passwords instantly, with no pattern for anyone to guess. Because the generator on this site runs in your browser, the password isn't sent anywhere — it's created on your device and stays there.
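An added example, not the code behind the generator on this site: a sketch of how a browser-side generator can draw characters with the Web Crypto API, and of how length compares with character variety for randomly generated passwords. The symbol set, the function names and the Node.js fallback are assumptions made for illustration.

```javascript
// Added example. In a browser, globalThis.crypto is built in; the fallback
// (an assumption for running outside a browser) covers older Node.js.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const DIGITS = "0123456789";
const SYMBOLS = "!@#$%^&*()-_=+[]{}"; // illustrative set, 18 symbols

// Uniform integer in [0, n) via rejection sampling. A plain `value % n`
// would favour low values whenever n does not divide 2^32 evenly.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf); // cryptographic RNG, never Math.random()
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Random password: every character is drawn independently from `alphabet`.
function generatePassword(length, alphabet = LOWER + UPPER + DIGITS + SYMBOLS) {
  if (!Number.isInteger(length) || length < 12) {
    throw new RangeError("use at least 12 characters");
  }
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Entropy in bits of a uniformly random string: length * log2(alphabet size).
// Valid only for randomly generated strings, not for human-chosen ones.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Length versus symbols, both randomly generated:
const shortComplex = entropyBits(8, 80);  // 8 chars, all four character classes
const longSimple = entropyBits(16, 26);   // 16 chars, lowercase letters only
console.log(shortComplex.toFixed(1), longSimple.toFixed(1));
console.log(generatePassword(16));
```

Each extra bit doubles the number of guesses needed, so the 16-character lowercase password is far harder to brute-force than the 8-character one that uses every character class.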
Store them in a password manager
A reputable password manager remembers them all behind one strong master password, so you only have to memorise one. It also makes using a different password everywhere effortless rather than exhausting. Options worth considering:
- Bitwarden — free, open-source, works on every device
- 1Password — paid, but generally the most polished
- iCloud Keychain / Google Password Manager — free and built into Apple devices and Chrome respectively
- NordPass — paid, from the NordVPN team, with a built-in breach scanner and password health reports (affiliate link)
Add a second layer with 2FA
Even a perfect password can leak. Two-factor authentication (2FA) means a stolen password alone isn't enough — a login also needs a code from your phone or an authenticator app. Turn it on wherever it's offered, especially for your email and anything tied to money. The 30 seconds it takes is the highest-return security step you can take.
Quick do and don't
- Do use long, unique passwords for every account.
- Do turn on 2FA for important accounts.
- Don't reuse passwords, or build them from personal details.
- Don't share passwords by email or message — and change any you suspect have leaked.
Frequently asked questions
How often should I change my passwords?
Modern guidance has moved away from forced regular changes, which tend to push people toward weaker, predictable variations. Use a strong unique password and change it promptly if a service is breached or you suspect it's been exposed.
Are generated passwords better than ones I make up?
Generally yes. Human-chosen passwords follow patterns attackers know well. A randomly generated password has no such pattern — the trade-off is you'll want a password manager to store it, since it won't be memorable.