What Actually Makes a Strong Password?
Most of what you were taught about passwords is wrong. Capital letter at the start, number at the end, swap an "o" for a "0", change it every 90 days — all of this advice is outdated and, in some cases, actively makes your passwords weaker.
Modern password security has been settled by actual research. Here's what matters, what doesn't, and what you should stop doing immediately.
The Three Rules That Actually Matter
- 01 Make it long. Really long. Each character you add multiplies the number of possible passwords by the size of the character set, so strength grows exponentially with length. Going from 8 to 16 random characters doesn't make your password twice as strong; with the 95 printable characters it multiplies the search space by 95^8, roughly 6.6 quadrillion. Aim for at least 16 characters. 20 is better. The math is overwhelmingly in your favor once you cross the 15-character mark. See our crack time table for the exact numbers.
- 02 Make it random. Actually random. Not "random" as in you mashed the keyboard. Not "random" as in you picked a word and swapped some letters. Cryptographically random — generated by a computer using a secure random number generator. Humans are terrible at randomness. We follow patterns without realizing it, and attackers know every single one of those patterns.
- 03 Never reuse it. Ever. Even the strongest password in the world becomes worthless the moment you use it on two different sites. When one site gets breached (and it will — breaches happen constantly), attackers try those credentials on every other site. This is called credential stuffing, and it's one of the most common attack methods. Every account gets its own unique password, no exceptions.
That's it. Three rules. Everything else is noise.
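Rules 01 and 02 are easy to get wrong by hand, so here is an added example (written for this edit, not code from the original page or from password.dog) that generates both styles of password with the operating system's CSPRNG and computes the entropy and brute-force time behind the numbers on this page, including the length-versus-complexity comparison made further down. The 16-word list is a constructed stand-in so the block runs offline; a real generator must use a large published list such as the EFF long list, and the 10^12 guesses-per-second rate is an assumption that only holds for fast hashes.

```python
import math
import secrets
import string

# 94 printable ASCII characters without the space. Crack-time tables usually
# say 95, counting the space; pass symbol_count explicitly to match one.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word sample so the block runs offline. Each word adds
# log2(list size) bits: 12.9 bits per word from the EFF long list (7,776
# words) but only 4 bits per word from this list, so never ship a short one.
SAMPLE_WORDS = (
    "umbrella", "quantum", "fossil", "knelt", "velvet", "orbit", "cactus",
    "glacier", "lantern", "magnet", "pepper", "ribbon", "saddle", "tundra",
    "walnut", "zipper",
)
EFF_LONG_LIST_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(length: int, symbol_count: int) -> float:
    """Bits of entropy in `length` symbols each drawn uniformly from
    `symbol_count` possibilities, i.e. log2(symbol_count ** length)."""
    return length * math.log2(symbol_count)


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters from `alphabet` via the OS CSPRNG.
    No composition rule is enforced: demanding "at least one digit"
    would only shrink the search space the attacker has to cover."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick,
    so repeats are allowed (rejecting them would lose a little entropy)."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def crack_time_years(bits: float, guesses_per_second: float) -> float:
    """Years to try every possibility at the given rate; the average hit
    comes at half that. The rate is set by the hash the site uses: a fast
    hash like MD5 or NTLM allows on the order of 10^12 guesses/s on a GPU
    rig, a tuned bcrypt or argon2id orders of magnitude fewer."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(random_password(20))
    print(random_passphrase(6))
    for label, n, k in (("8 chars, all 95 printable", 8, 95),
                        ("15 chars, lowercase only", 15, 26),
                        ("16 chars, all 95 printable", 16, 95),
                        ("4 EFF words", 4, EFF_LONG_LIST_SIZE),
                        ("6 EFF words", 6, EFF_LONG_LIST_SIZE)):
        b = entropy_bits(n, k)
        print(f"{label:28s} {b:6.1f} bits  "
              f"{crack_time_years(b, 1e12):.3g} years at 10^12 guesses/s")
```

Run it and the table shows why the rules are ordered as they are: 15 lowercase characters (70.5 bits) beat 8 characters from the full set (52.6 bits) by a factor of about 250,000 at any guessing rate, a 16-character random string (105 bits) is out of reach even at 10^12 guesses per second, and a four-word passphrase (51.7 bits) is only as strong as an 8-character random password, which is why a passphrase wants five or six words.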
Good Passwords vs. Bad Passwords
These stink
- Password123!
- Summer2025
- Fluffy@2024
- qwerty!@#$
- iloveyou99
- C0mpl3x!Pwd
These don't
- kX9#mP2$vL7@nQ4&wR8
- Bn3)yK8&zQ5!hV2@mW9
- correct-horse-battery-staple
- 7Fj$kW2#nR9&pL4!xM6
- umbrella-quantum-fossil-knelt
- vN5@hY3!cT8&jQ1#wF6
Notice something? Every "bad" password looks like something a human came up with. That's the problem. "C0mpl3x!Pwd" feels secure because it has uppercase, lowercase, numbers, and symbols. But an attacker's dictionary already includes common letter-to-number substitutions. That password might as well be "ComplexPwd" — and that falls to a dictionary attack in seconds.
The good passwords have no patterns to exploit. They're either long random character strings or long random word combinations (passphrases). The only way to crack them is brute force, and a random string of 16 or more printable characters is beyond brute force: at a trillion guesses per second, the 95^16 possibilities would take on the order of 10^12 years, a hundred times the age of the universe. One caveat on passphrases: their strength is counted in words, not characters, because the attacker is assumed to know the wordlist. Four words drawn at random from a 7,776-word list give about 52 bits, comparable to an 8-character random password, so for anything that could be attacked offline use five or six words (about 65 and 78 bits). And "correct-horse-battery-staple" is the famous XKCD example that appears in cracking wordlists: copy the pattern, never that phrase.
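To make "looks like a human chose it" concrete, here is an added example (written for this edit, not code from the original page or from password.dog) that attacks each password on the lists above the way a cracker's rule engine would: split off the digit and symbol tail, undo leet substitutions, look for dictionary words and keyboard walks, and fall back to brute-force cost only when nothing matches. The wordlist fragment and the attacker-model constants (how many words, keyboard patterns and years a rule set iterates over) are constructed assumptions, rough but in the right ballpark, and the resulting bit counts are log2 of the guesses the attacker needs.

```python
import math
import re

# ---- Attacker model: constructed assumptions for this example ----------------
WORDLIST = {                     # tiny stand-in for rockyou-style lists (millions of entries)
    "password", "summer", "winter", "fluffy", "iloveyou", "complex", "pwd",
    "monkey", "dragon", "welcome", "letmein", "princess", "football",
}
DICT_SIZE = 100_000              # words the attacker's rule engine really iterates over
WALK_COUNT = 10_000              # keyboard patterns (qwerty, 1qaz2wsx, ...) in a pattern list
YEAR_COUNT = 200                 # a 4-digit year is appended as one unit, 1900-2099
PASSPHRASE_LIST_SIZE = 7776      # EFF long list; assume the attacker knows which list you used
SYMBOLS = 33                     # ASCII punctuation (32) plus space

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "!@#$%^&*()")
# Substitutions every rule set undoes. '1' is ambiguous (i or l) and a real
# cracker simply tries both; one mapping is enough to make the point.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def _is_walk(segment: str) -> bool:
    return len(segment) >= 4 and any(segment in row for row in KEYBOARD_ROWS)


def _suffix_bits(suffix: str) -> float:
    """Cost of a digit/symbol tail as a rule engine builds it: a whole year
    counts as one pick from YEAR_COUNT, every other character one pick each."""
    bits = len(re.findall(r"(?:19|20)\d\d", suffix)) * math.log2(YEAR_COUNT)
    rest = re.sub(r"(?:19|20)\d\d", "", suffix)
    return bits + sum(math.log2(10) if c.isdigit() else math.log2(SYMBOLS) for c in rest)


def analyze(pw: str) -> dict:
    """Classify a password the way a cracker would attack it and estimate the
    bits of work it really costs (log2 of the attacker's guess count)."""
    if not pw:
        raise ValueError("empty password")

    # 1. word-word-word passphrase: cost is words x log2(list size), not characters
    tokens = re.split(r"[-_ ]", pw)
    if len(tokens) >= 3 and all(t.isalpha() for t in tokens):
        bits = len(tokens) * math.log2(PASSPHRASE_LIST_SIZE)
        return {"kind": "passphrase", "detail": f"{len(tokens)} words", "bits": round(bits, 1)}

    # 2. split off the digit/symbol tail humans glue on, undo leet in the rest
    m = re.fullmatch(r"(.*?[A-Za-z])([^A-Za-z]*)", pw)
    core, suffix = (m.group(1), m.group(2)) if m else ("", pw)
    deleet = core.lower().translate(LEET)
    runs = [r for r in re.findall(r"[a-z]+", deleet) if len(r) >= 3]
    mangle = (core != core.lower()) + (deleet != core.lower())   # capitalise rule, leet rule: 1 bit each
    glue = sum(1 for c in deleet if not c.isalpha())             # symbols left inside the core

    # 3. keyboard walks, either the whole password or the word part
    if _is_walk(pw.lower()):
        return {"kind": "keyboard walk", "detail": pw.lower(), "bits": round(math.log2(WALK_COUNT), 1)}
    if any(_is_walk(r) for r in runs):
        bits = math.log2(WALK_COUNT) + mangle + glue * math.log2(SYMBOLS) + _suffix_bits(suffix)
        return {"kind": "keyboard walk", "detail": "+".join(runs), "bits": round(bits, 1)}

    # 4. dictionary word(s) plus mangling rules
    if runs and all(r in WORDLIST for r in runs):
        bits = len(runs) * math.log2(DICT_SIZE) + mangle + glue * math.log2(SYMBOLS) + _suffix_bits(suffix)
        return {"kind": "dictionary", "detail": "+".join(runs), "bits": round(bits, 1)}

    # 5. nothing to exploit: the attacker is left with brute force over the classes used
    classes = sum(size for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10),
                                            (r"[^A-Za-z0-9]", SYMBOLS - 1)) if re.search(pattern, pw))
    return {"kind": "random", "detail": f"{len(pw)} chars from {classes} symbols",
            "bits": round(len(pw) * math.log2(classes), 1)}


if __name__ == "__main__":
    for pw in ("Password123!", "Summer2025", "Fluffy@2024", "qwerty!@#$", "iloveyou99", "C0mpl3x!Pwd",
               "kX9#mP2$vL7@nQ4&wR8", "correct-horse-battery-staple", "umbrella-quantum-fossil-knelt"):
        r = analyze(pw)
        print(f"{pw:32s} {r['kind']:14s} {r['bits']:6.1f} bits  ({r['detail']})")
```

Every password in the "stink" list comes out under 45 bits of attacker work regardless of its length or character mix ("C0mpl3x!Pwd" resolves to complex+pwd plus two mangling rules), the random 19-character strings come out at 124.5 bits, and the four-word passphrases land at 51.7 bits, which is the number to keep in mind when choosing how many words to use.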
Let the dog pick your password. He's better at it than you.
Myths That Need to Die
"You should change your password every 90 days."
NIST explicitly recommends against mandatory password rotation. Why? Because when people are forced to change passwords on a schedule, they create weaker ones — incrementing a number at the end, swapping one character, or cycling through a small set of memorized passwords. Change a password only when there's evidence it's been compromised.
"Replacing letters with numbers (p@$$w0rd) makes it strong."
Attackers have known about leet speak since the 1990s. Every password cracking tool automatically tries common substitutions — "a" → "@", "o" → "0", "e" → "3", "s" → "$". These tricks add almost zero security against modern attacks. They just make passwords harder for you to type.
"A mix of character types is more important than length."
Length wins every time. A 15-character lowercase-only password (over a billion years to crack) is dramatically more secure than an 8-character password with every character type (about 11,000 years). Those times assume the guessing rate used in our crack time table; the absolute numbers change with the rate and with how the site hashes its passwords, but the ratio does not: 26^15 is about 250,000 times 95^8. Complexity helps at any given length, but it only enlarges the base of the exponent; it is not a substitute for actual characters. See the full crack time breakdown.
"You're supposed to memorize all your passwords."
Nobody can memorize 50+ unique 16-character random passwords. You're not supposed to. Use a password manager to generate and store them. You memorize one strong master password, and the manager handles everything else. This is what security professionals actually do.
What NIST Actually Says (2024 Guidelines)
NIST — the U.S. National Institute of Standards and Technology — sets the password guidelines that most of the tech industry follows. Their latest recommendations in Special Publication 800-63B (the 2024 revision) are clear:
- Require a minimum of 8 characters and preferably 15; accept at least 64, and check the whole password rather than silently truncating it.
- Impose no composition rules: no "must contain an uppercase letter, a digit and a symbol".
- Require no periodic rotation; force a change only when there is evidence of compromise.
- Screen every new password against a blocklist of breached and commonly used passwords, dictionary words, repetitive or sequential characters, and context-specific values such as the username or the service name.
- Accept all printable ASCII, spaces and Unicode, and allow pasting so that password managers work.
The shift away from "complexity rules" (must include uppercase, number, symbol) toward "just make it long and random" reflects years of research showing that composition rules lead people to create predictable passwords that meet the rules in the laziest way possible. "Password1!" technically passes most complexity requirements. It's also in every attacker's dictionary.
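For anyone implementing the verifier side, here is an added example (written for this edit; it is not NIST's code, nor this page's) of a password-acceptance check that follows those rules: a minimum length, a generous maximum, a blocklist, context-specific words, a check for repetitive or sequential runs, and deliberately no composition rule. The blocklist entries, the 15/128 length bounds, the six-character window for sequential runs and the `acme` context words are assumptions made for the example; in production the blocklist comes from a breach corpus such as the Have I Been Pwned Pwned Passwords set.

```python
import unicodedata

MIN_LENGTH = 15    # 800-63B: at least 8 required, 15 recommended for single-factor use
MAX_LENGTH = 128   # 800-63B: accept at least 64. Assumption for this example; note that
                   # bcrypt silently truncates at 72 bytes, so with bcrypt cap at 72 or
                   # pre-hash, or hash with argon2id/scrypt which take any length.

# Constructed sample blocklist (lowercase). Real deployments load millions of
# entries from a breach corpus and add the site's own dictionary.
BLOCKLIST = {
    "password", "password1!", "password123!", "qwerty", "letmein",
    "summer2025", "iloveyou99", "correcthorsebatterystaple",
}
CONTEXT_WORDS = {"acme", "acmebank"}   # assumed service name(s)
WINDOW = 6                             # assumed length of a run that counts as sequential

REASON_SHORT = f"too short (minimum {MIN_LENGTH} characters)"
REASON_LONG = f"too long (maximum {MAX_LENGTH} characters)"
REASON_BLOCKLIST = "found in the blocklist of breached and common passwords"
REASON_CONTEXT = "contains the username or service name"
REASON_SEQUENTIAL = "repetitive or sequential characters"


def _normalize(pw: str) -> str:
    """NFKC so visually identical Unicode forms compare equal; the verifier
    must apply the same normalization before hashing at login time."""
    return unicodedata.normalize("NFKC", pw)


def _is_sequential(s: str) -> bool:
    """True for runs like 'aaaaaa', 'abcdef' or '987654': every step between
    neighbouring characters is the same and is -1, 0 or +1."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the reasons a proposed password is rejected; an empty list means
    accepted. There is intentionally no 'must contain a digit/symbol' rule and
    the password is never truncated before checking."""
    pw = _normalize(pw)
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    if len(pw) > MAX_LENGTH:
        reasons.append(REASON_LONG)
    if low in BLOCKLIST:
        reasons.append(REASON_BLOCKLIST)
    context = {w.lower() for w in CONTEXT_WORDS} | ({username.lower()} if username else set())
    if any(len(w) >= 3 and w in low for w in context):
        reasons.append(REASON_CONTEXT)
    if any(_is_sequential(low[i:i + WINDOW]) for i in range(len(low) - WINDOW + 1)):
        reasons.append(REASON_SEQUENTIAL)
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1!", "kX9#mP2$vL7@nQ4&wR8", "umbrella quantum fossil knelt velvet orbit",
                      "correcthorsebatterystaple", "alice-umbrella-quantum-fossil"):
        verdict = check_password(candidate, username="alice")
        print(f"{candidate:44s} {'OK' if not verdict else '; '.join(verdict)}")
```

Notice what the check does not do: it never counts character classes, so a 42-character lowercase passphrase with spaces passes, while "Password1!" fails on length and on the blocklist even though it satisfies every classic complexity rule.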
The Practical Playbook
Here's what to actually do, in order of priority:
Step 1: Get a password manager. Bitwarden is free and open-source. 1Password and Dashlane are solid paid options. Pick one and install it on all your devices. This is the single most impactful thing you can do for your security.
Step 2: Secure your most critical accounts first. Your primary email (attackers use this to reset everything else), your bank, and any account that has your financial information. Generate new 16+ character random passwords for these and store them in your manager.
Step 3: Enable multi-factor authentication (MFA) everywhere. Even a perfect password can be exposed in a server-side breach. MFA means an attacker needs both your password and your second factor. Use an authenticator app over SMS when possible, since SIM-swapping attacks can intercept SMS codes, and prefer a hardware security key or a passkey wherever the service offers one: a six-digit code from an app or a text message can still be phished by a fake login page that relays it to the real site in real time, while a security key or passkey is bound to the genuine site's origin and cannot be relayed.
Step 4: Gradually migrate everything else. As you log into other accounts over the coming weeks, update each one to a unique generated password. Don't try to do them all at once — you'll burn out and give up.
Start with one password. Right now.
FAQ
What makes a password strong?
Three things: length (at least 15-16 characters), randomness (no dictionary words, names, or predictable patterns), and uniqueness (never reused across accounts). Of these, length is the single most important factor.
Is a longer password better than a complex one?
Yes, as long as the password is random. Length is the exponent and the size of the character set is only the base: each extra character multiplies the search space by the whole alphabet, while extra character classes merely enlarge the alphabet. A 15-character lowercase-only password (26^15, about 1.7 × 10^21 combinations) is vastly more secure than an 8-character password drawn from all 95 printable characters (95^8, about 6.6 × 10^15), roughly 250,000 times more. But the strongest approach uses both, long and complex, which is what a password generator gives you automatically.
Should I use a password generator?
Absolutely. Humans unconsciously follow patterns when creating passwords — we pick real words, use predictable substitutions, and gravitate toward keyboard patterns. Attackers know all of these habits. A cryptographically secure password generator like password.dog produces passwords with no exploitable patterns, making brute force the only viable attack.
How often should I change my password?
Only when you have reason to believe it's been compromised — like a data breach notification from a service you use. NIST specifically recommends against routine password changes because forced rotation leads people to create weaker, more predictable passwords. A strong random password doesn't become weaker over time.
Are passphrases better than random characters?
A passphrase like "correct-horse-battery-staple" (four random words) is excellent: it's long, has no personal meaning to exploit, and is easier to type than a random character string. The key word is random. The words need to be drawn from a wordlist by a generator, not a phrase that means something to you, and the strength is counted in words rather than characters because the attacker is assumed to know the list: four words from a 7,776-word list give about 52 bits, five about 65, six about 78, so use five or six for anything that could be attacked offline. Don't use that exact phrase either; it has been the textbook example for years and sits in cracking wordlists. Both approaches work well at sufficient length.