🔑 What Makes a Password Strong? A Simple Guide for Everyone
A strong password is your first line of defence against account takeovers. But what actually makes a password strong? The answer has changed in recent years as security standards have evolved. Here is what matters today.
Length Is the Most Important Factor
The single most important factor in password strength is length. Each additional character multiplies the number of possible combinations an attacker must try, so the search space grows exponentially with length. A 12-character password has trillions more possible combinations than an 8-character password, making it practically impossible to crack through brute force within any reasonable timeframe.
Security standards including NIST SP 800-63B and the NCSC Cyber Aware guidance now recommend a minimum of 12 characters for passwords and passphrases. Eight-character passwords, while still common, are increasingly vulnerable to modern cracking hardware.
Use Passphrases Instead of Complex Passwords
Traditional password advice required a mix of uppercase letters, lowercase letters, numbers, and special characters — resulting in passwords like "P@ssw0rd1!" which are complex but still vulnerable to dictionary-based attacks. Modern guidance favours passphrases — sequences of random words separated by spaces or hyphens. For a reliable option, the best password generator online creates strong random passwords instantly in your browser.
Consider the difference:
- "P@ssw0rd1!" — 9 characters, complex but common pattern, vulnerable to dictionary attacks
- "blue-elephant-jumps-moon" — 26 characters, easy to remember, astronomically hard to crack
The passphrase approach, recommended by the NCSC and NIST, prioritises length over complexity. A passphrase is both more secure and easier to remember.
Avoid Common Patterns and Personal Information
Attackers do not guess passwords manually — they use automated tools that try billions of combinations per second. These tools start with the most common patterns:
- Sequential characters: "123456", "abcdef", "qwerty"
- Common substitutions: "P@ssw0rd", "letmein", "iloveyou"
- Personal information: Your name, birthdate, pet's name, favourite sports team — easily found on social media
- Keyboard patterns: "qwerty123", "asdfgh"
Even a long password is weak if it uses predictable patterns or personal information that can be guessed from your social media profile.
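The checks described in this section can be automated when a password is set. The following is an added example, not code from this page's author: it rejects passwords that are too short, match a common password once substitutions and trailing digits are undone, contain a sequential or keyboard run, or include personal details. Assumptions: the function names, the small blocklist (constructed from the examples above), the substitution table and the run length of four are all illustrative choices.

```python
import re

MIN_LENGTH = 12  # minimum length cited on this page
# Constructed blocklist seeded with the page's examples (assumption: a real
# deployment loads a large breached-password list instead).
COMMON = {"password", "letmein", "iloveyou", "qwerty", "asdfgh", "abcdef", "123456"}
# Alphabet, digit and keyboard rows scanned for runs, forwards and backwards.
ROWS = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Common character substitutions mapped back to the letters they stand for.
LEET = str.maketrans("@4038$51!7", "aaoebssiit")


def has_run(text, size=4):
    """True if any `size` consecutive characters follow one of ROWS."""
    tracks = ROWS + [row[::-1] for row in ROWS]
    windows = (text[i:i + size] for i in range(len(text) - size + 1))
    return any(window in track for window in windows for track in tracks)


def weaknesses(password, personal=()):
    """Return the reasons to reject `password`; an empty list means it passed."""
    lower = password.lower()
    # Drop trailing digits/symbols ("1!") before undoing substitutions.
    core = re.sub(r"[\d\W_]+$", "", lower) or lower
    deleet = core.translate(LEET)
    found = []
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if {lower, core, deleet} & COMMON:
        found.append("common password")
    if has_run(lower):
        found.append("sequential or keyboard run")
    if any(len(p) >= 3 and p.lower() in lower for p in personal):
        found.append("contains personal information")
    return found


if __name__ == "__main__":
    # Constructed inputs: the page's examples plus a made-up pet/team password.
    for pw, info in [("P@ssw0rd1!", ()), ("qwerty123", ()),
                     ("blue-elephant-jumps-moon", ()),
                     ("fluffy-arsenal-1990", ("Fluffy", "Arsenal"))]:
        print(f"{pw!r}: {weaknesses(pw, info) or 'no listed weakness found'}")
```

An empty result only means none of the listed patterns matched; it does not show that the password was chosen at random.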
Uniqueness Is as Important as Strength
Even the strongest password is useless if you reuse it across multiple sites. When any one service suffers a data breach — and major breaches happen weekly — your reused password is exposed for every other account that shares it. Password managers solve this by generating and storing unique passwords for every site, so a breach of one account never affects the others.
Use our free password generator to create strong, unique passwords instantly.