Why Password Strength Matters
Most account breaches don't involve sophisticated hacking — they exploit weak, reused, or previously leaked passwords. A strong password is one of the simplest and most effective security measures available, and it costs nothing.
What Makes a Password Weak?
Common password mistakes that leave accounts vulnerable:
- Using obvious words or phrases: password, letmein, qwerty, 123456
- Using personal information: birthdays, pet names, addresses
- Short passwords — anything under 12 characters is significantly easier to crack
- Reusing the same password across multiple sites
- Making simple substitutions: p@ssw0rd is not meaningfully stronger than password to a modern attack
Step 1: Understand What Makes a Password Strong
A strong password should be:
- Long: at least 12–16 characters; longer is better
- Random: no recognisable words, names, or patterns
- Complex: a mix of uppercase, lowercase, numbers, and symbols
- Unique: used on only one account
Step 2: Use a Passphrase Approach
Random characters are strong but hard to remember. A practical alternative is the passphrase: a string of random, unrelated words strung together.
For example: carpet-thunder-lemon-42-voyage
This is long, memorable, and far harder to crack than a short complex password. The key is that the words must be genuinely random — not a familiar phrase or song lyric.
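The following is an added example, not part of the original article, showing how a passphrase in the style above is generated with a cryptographically secure random source and why it out-scores a short "complex" password. It also goes a little beyond the text by quantifying the comparison in bits of entropy. The 16-word list is constructed so the script runs offline; the entropy comparison assumes a published list of 7776 words (the size of the common Diceware-style lists), which is why the list size is a parameter.

```python
import math
import secrets

# Constructed word list, only so the example runs offline. With a list this
# small the resulting passphrase would be weak; a real generator draws from a
# published list of thousands of words, which is what compare() assumes.
WORDS = ["carpet", "thunder", "lemon", "voyage", "granite", "pillow",
         "orbit", "saddle", "velvet", "harbor", "cactus", "meadow",
         "ribbon", "tunnel", "walnut", "glacier"]

def generate_passphrase(word_count=4, words=WORDS, number_max=99, sep="-"):
    """Return word_count random words plus one random number, joined by sep,
    e.g. carpet-thunder-lemon-42-voyage. Uses secrets (CSPRNG), not random."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    number = str(secrets.randbelow(number_max + 1))
    # Insert the number at a random slot so it is not predictably last.
    chosen.insert(secrets.randbelow(word_count + 1), number)
    return sep.join(chosen)

def passphrase_entropy_bits(word_count, wordlist_size, number_max=99):
    """Entropy of a uniformly drawn passphrase: log2(wordlist_size) bits per
    word, log2(number_max + 1) bits for the number, and log2(word_count + 1)
    bits for which slot the number lands in."""
    return (word_count * math.log2(wordlist_size)
            + math.log2(number_max + 1)
            + math.log2(word_count + 1))

def random_password_entropy_bits(length, alphabet_size=94):
    """Entropy of a uniformly random password over the 94 printable ASCII
    symbols (upper, lower, digits, punctuation)."""
    return length * math.log2(alphabet_size)

def compare(word_count=4, wordlist_size=7776, password_length=8):
    """Return (passphrase_bits, password_bits), rounded to one decimal."""
    return (round(passphrase_entropy_bits(word_count, wordlist_size), 1),
            round(random_password_entropy_bits(password_length), 1))

if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    phrase_bits, pw_bits = compare()
    print(f"4 words from a 7776-word list + number: {phrase_bits} bits")
    print(f"8 random printable-ASCII characters:     {pw_bits} bits")
```

Four random words from a 7776-word list already beat an 8-character fully random password, and each extra word adds about 12.9 bits, which is the argument for preferring length over symbol soup.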
Step 3: Use a Password Manager
The biggest barrier to good password habits is having to remember everything. A password manager solves this by:
- Generating long, random, unique passwords for every site
- Storing them securely in an encrypted vault
- Autofilling them when you log in
- Alerting you if a stored password appears in a known data breach
With a password manager, you only need to remember one strong master password. Several reputable options offer a free tier, with paid upgrades for additional features.
Step 4: Enable Two-Factor Authentication (2FA)
Even the strongest password can be leaked in a data breach. Two-factor authentication adds a second layer: even if someone has your password, they also need access to your phone or email to log in.
- Go to the security settings of the account you want to protect
- Look for "Two-Factor Authentication," "2-Step Verification," or similar
- Choose an authentication method — an authenticator app is more secure than SMS
- Follow the setup steps and save any backup codes in a safe place
Step 5: Audit and Update Old Passwords
If you've been online for years, you likely have old accounts with weak or reused passwords. Prioritise updating passwords for:
- Email accounts (these are the master key to everything else)
- Banking and financial services
- Social media accounts
- Any service that stores payment information
- Accounts linked to your email address for login
Quick Reference: Password Checklist
| Criteria | Target |
|---|---|
| Minimum length | 12+ characters (16+ preferred) |
| Character variety | Upper, lower, numbers, symbols |
| Uniqueness | Different for every account |
| 2FA enabled | Yes, especially for email and banking |
| Stored in manager | Yes — avoid browser-only storage |
The Takeaway
Good password hygiene takes about an afternoon to set up properly and a few minutes to maintain. Installing a password manager and enabling 2FA on your most important accounts gives you a level of protection that stops the vast majority of account takeover attempts.