Why Most Password Advice Fails You
Security experts have long told us to use long, complex, random passwords — but almost nobody does it naturally. The result? People reuse simple passwords across dozens of sites, creating a single point of failure that hackers love. The good news: strong passwords don't have to be impossible to remember.
What Makes a Password "Strong"?
Before diving into techniques, it helps to understand what attackers actually do. Most password cracking (guessing against a stolen list of password hashes) uses one of two methods:
- Dictionary attacks: trying common words, phrases, and passwords leaked in earlier breaches, usually with "rules" that append digits, capitalize letters, or swap in symbols automatically.
- Brute force: systematically trying every possible character combination, which is only practical against short passwords.
A strong password resists both. The key factors are length, unpredictability, and uniqueness (never reused across sites): a password that leaked from one site is already in the attacker's dictionary for every other site where it was reused.
The Passphrase Method
One of the most effective and memorable approaches is using a passphrase — a sequence of random, unrelated words strung together. For example:
correct-horse-battery-staple
This technique, popularized by the xkcd comic "Password Strength", produces passwords that are both long and memorable. Here's why it works:
- Each randomly chosen word adds a fixed amount of entropy: about 12.9 bits per word from a 7,776-word Diceware list, so four words give roughly 52 bits and six words roughly 78 bits.
- Because the words are chosen at random rather than forming a meaningful phrase, dictionaries of quotes and common sayings do not help the attacker. The strength comes from the random selection, not from the words themselves.
- They're far easier for humans to recall than X#9kL!2mP.
Aim for 4–6 randomly chosen words. Use a dice-based word list (called Diceware: five dice rolls select one of 7,776 words) so the choice is genuinely random; words you pick yourself are far less random than they feel. And don't use correct-horse-battery-staple itself: as the best-known example passphrase, it sits in every cracking wordlist.
The Sentence Method
Another approach, the one Bruce Schneier recommends: take a sentence meaningful only to you and convert it into a password using the first letter of each word, keeping any numbers and punctuation.
Example sentence: "My dog Bruno turned 5 in March and loves fetch!"
Password: MdBt5iMalf!
This produces a password that looks random but has a personal memory anchor. Its strength is harder to estimate than a Diceware passphrase, because the sentence is not random: avoid famous quotes, song lyrics, or anything an attacker could learn about you, and pick a sentence long enough that the result meets the 12-character minimum below (the example above comes in at 11).
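Both methods above as working code, with the entropy arithmetic behind the word-count advice. This is an added example, not code from the original article: the small word list SAMPLE_WORDS stands in for a real 7,776-word Diceware list, the sample sentence is the article's own, and the function names (dice_to_index, generate_passphrase, sentence_to_password) are choices of this example.

```python
"""Added example, not from the original article: the Diceware passphrase
method and the sentence method, plus the entropy estimate for each word.
SAMPLE_WORDS is a constructed stand-in; a real Diceware list has 7,776
entries and is loaded from a file."""
import math
import secrets

DICE_PER_WORD = 5                          # Diceware: five dice rolls pick one word
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 possible rolls, one word each

# Constructed stand-in word list (assumption: real lists come from a file).
SAMPLE_WORDS = [
    "anvil", "barrel", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
]


def dice_to_index(roll: str) -> int:
    """Map a five-digit dice roll such as '13542' to a 0-based list index.
    Each die is one base-6 digit (face 1 -> 0 ... face 6 -> 5)."""
    if len(roll) != DICE_PER_WORD or any(d not in "123456" for d in roll):
        raise ValueError("expected five digits in the range 1-6")
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index


def roll_dice() -> str:
    """Simulate five physical dice with the OS CSPRNG (secrets, never random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def generate_passphrase(wordlist, n_words: int = 5, sep: str = "-") -> str:
    """Pick n_words uniformly at random. The random pick is the entire source
    of strength, so the words must never be chosen by a person."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Guessing entropy of n uniformly chosen words: n * log2(list size).
    With 7,776 words that is about 12.9 bits per word."""
    return n_words * math.log2(list_size)


def sentence_to_password(sentence: str) -> str:
    """Sentence method: first character of each word, digits kept as they are,
    plus any trailing punctuation (so 'fetch!' contributes 'f!')."""
    pieces = []
    for token in sentence.split():
        pieces.append(token[0])
        tail = token[1:]
        end = len(tail)
        while end > 0 and not tail[end - 1].isalnum():
            end -= 1
        pieces.append(tail[end:])   # trailing punctuation only
    return "".join(pieces)


def meets_minimum_length(password: str, minimum: int = 12) -> bool:
    """The article's rule: at least 12 characters."""
    return len(password) >= minimum


if __name__ == "__main__":
    for n in (4, 5, 6):
        bits = passphrase_entropy_bits(DICEWARE_LIST_SIZE, n)
        print(f"{n} Diceware words ~ {bits:.1f} bits")
    roll = roll_dice()
    print("dice roll", roll, "-> list index", dice_to_index(roll))
    print("passphrase (16-word demo list):", generate_passphrase(SAMPLE_WORDS, 4))
    pw = sentence_to_password("My dog Bruno turned 5 in March and loves fetch!")
    print("sentence method:", pw, "| meets 12-char minimum:", meets_minimum_length(pw))
```

The 16-word demo list gives only 4 bits per word, which is the point of the entropy function: the word count matters far less than the size of the list the words are drawn from, and a list drawn from someone's head is smaller still.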
Rules to Follow for Every Password
- Minimum 12 characters — longer is always better.
- Never reuse passwords — each account must have its own.
- Avoid personal info — no birthdays, names, or pet names.
- Don't use keyboard patterns — "qwerty" or "123456" are the first things attackers try.
- Skip predictable substitutions — cracking tools apply swaps like "o" to "0" and "a" to "@" automatically, so P@ssw0rd is guessed about as quickly as password.
Should You Use a Password Manager?
Honestly — yes. The passphrase and sentence methods are great for a handful of critical accounts (like your email or device login), but most people manage dozens or hundreds of accounts. That's where a password manager comes in: it generates and stores truly random, unique passwords for every site, so you only need to remember one strong master password (make that one a Diceware passphrase).
Quick Reference: Password Strength Comparison
| Password | Type | Estimated Strength |
|---|---|---|
| password123 | Common word + numbers | Very Weak |
| P@ssw0rd! | Predictable substitution | Weak |
| Xk9#mL2p | Random, short (8 chars) | Moderate |
| correct-horse-battery-staple | Passphrase (4 words) | Strong |
| Random 20-char manager-generated | Password manager output | Very Strong |
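The rules above and the comparison table, applied the way a cracking tool applies them: undo the common substitutions first, then look for dictionary words, keyboard patterns and famous example phrases. This is an added example, not code from the article; COMMON_WORDS, KEYBOARD_PATTERNS and KNOWN_PHRASES are tiny constructed subsets standing in for real wordlists, and the entropy figure is only an upper bound that holds for genuinely random passwords.

```python
"""Added example (not from the original article): a checker for the rules
in the article, written to mimic what cracking tools do. The word lists are
constructed subsets; a real check would load full breach and dictionary lists."""
import math
import re

# Substitutions that cracking "rules" undo routinely.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed subsets for illustration only.
COMMON_WORDS = {"password", "letmein", "welcome", "admin",
                "monkey", "dragon", "iloveyou"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "1qaz2wsx", "qazwsx")
# Well-known example passphrases appear in wordlists too (assumption: a real
# list contains many more than this one).
KNOWN_PHRASES = {"correcthorsebatterystaple"}

MIN_LENGTH = 12


def undo_substitutions(password: str) -> str:
    """Lowercase and reverse the usual symbol/digit swaps: P@ssw0rd! -> password!"""
    return password.lower().translate(LEET)


def find_weaknesses(password: str) -> list:
    """Return a list of human-readable problems; an empty list means none of
    the article's rules were violated (not that the password is strong)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"only {len(password)} characters (minimum {MIN_LENGTH})")
    base = undo_substitutions(password)
    # Containment rather than equality: rules also try word + suffix/prefix.
    for word in sorted(COMMON_WORDS):
        if word in base:
            issues.append(f"contains dictionary word '{word}' once substitutions are undone")
    lowered = password.lower()
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            issues.append(f"contains keyboard pattern '{pattern}'")
    squashed = re.sub(r"[^a-z0-9]", "", lowered)   # drop separators before comparing
    if squashed in KNOWN_PHRASES:
        issues.append("is a famous example passphrase")
    return issues


def charset_size(password: str) -> int:
    """Size of the alphabet the password draws from (33 printable ASCII symbols)."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33
    return size


def random_entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: length * log2(alphabet). Only meaningful
    when every character was chosen uniformly at random, e.g. by a manager."""
    return len(password) * math.log2(charset_size(password))


if __name__ == "__main__":
    for candidate in ("password123", "P@ssw0rd!", "Xk9#mL2p",
                      "correct-horse-battery-staple"):
        print(f"{candidate!r}: {random_entropy_bits(candidate):.1f} bits if random;",
              find_weaknesses(candidate) or "no rule violated")
```

Note what the numbers say about the table: eight random characters from the full printable set (about 52.6 bits) and four Diceware words (about 51.7 bits) are nearly equal on paper, so the passphrase wins on memorability and on how easily it grows, not on raw entropy at that length.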
The Bottom Line
Strong passwords are a foundation of digital security. Use passphrases for accounts you need to type manually, and let a password manager handle everything else. The goal isn't perfection — it's making yourself a much harder target than average.