How to Create Strong Passwords — A Practical Guide for Developers and Everyone Else
Most password advice you have seen is outdated. "Use at least 8 characters with an uppercase letter, a number, and a symbol" produces passwords like P@ssw0rd1 — which cracking tools defeat in seconds. Real password strength comes from two things: length and uniqueness. This guide explains why, walks through the choice between generated passwords and passphrases, and ends with a practical setup you can complete in an evening.
Length Beats Complexity Tricks
Password strength is a counting problem. An attacker who steals a database of password hashes runs guesses through the same hashing function until one matches. The only thing that slows them down is the number of possibilities they must try — and length grows that number exponentially, while complexity rules grow it only linearly.
Every extra character in a random password multiplies the search space by the size of the character pool. Adding symbols to an 8-character password roughly doubles the pool per position; adding four more random characters multiplies the total possibilities by tens of millions. That is why an all-lowercase 16-character random string is vastly harder to crack than an 8-character string packed with symbols:
8 chars, full 94-symbol pool: 94^8 ≈ 6.1 x 10^15 possibilities 16 chars, lowercase only: 26^16 ≈ 4.4 x 10^22 possibilities The "weaker looking" second password has ~7 million times more possibilities than the symbol-heavy short one.
This is also why NIST guidance now recommends allowing long passwords and dropping forced composition rules: complexity requirements push people toward predictable patterns (capital first letter, digit and symbol at the end) that attackers already model.
Why "P@ssw0rd1" Is Weak
P@ssw0rd1 passes almost every website's strength meter: uppercase, lowercase, digit, symbol, nine characters. It is still one of the first things a cracking rig will guess. Tools like Hashcat do not brute-force blindly — they start with dictionaries of leaked passwords and common words, then apply "mangling rules" that mirror exactly how humans decorate words:
- Leet substitutions — a→@, o→0, e→3, s→$ are rule number one in every cracking ruleset
- Capitalise the first letter — because that is what humans do to satisfy the uppercase requirement
- Append a digit or year — 1, 123, 2024, 2025 at the end
- Append a symbol — ! and @ account for the majority of trailing symbols in leaked datasets
A password based on a dictionary word plus predictable decoration has the effective strength of the word itself — a few thousand possibilities, not trillions. The pattern "Word + substitutions + digit" is checked so early that P@ssw0rd1 falls in well under a second on a single GPU.
Rule #1: Unique Password Per Site
Before strength, uniqueness. The most common way accounts get taken over is not cracking at all — it is credential stuffing: attackers take email/password pairs leaked from one breached site and replay them against hundreds of other sites. If you reuse a password, the security of every account drops to the security of the weakest site holding it.
A unique random password per site completely neutralises this attack. Even if a small forum you registered on in 2019 stores passwords in plain text and gets breached, the damage stops at that forum. This single habit does more for your security than any amount of cleverness in the password itself — which is why it comes first.
Generated Passwords vs Passphrases
There are two good ways to make a strong password, and they serve different jobs:
- Generated random passwords — e.g.
v9#Kq2$mZp7!xTf4. Maximum strength per character, impossible to guess, but also impossible to remember. Perfect for the hundreds of accounts a password manager fills for you. - Passphrases — e.g.
orbit-mango-lantern-drift-cactus. Several randomly chosen words. Longer, but memorable and easy to type. Perfect for the handful of secrets you must carry in your head: your password manager's master password, your laptop login, disk encryption.
The key word in both cases is randomly. A passphrase you compose yourself ("MyDogLovesCricket2024") draws from predictable personal facts and grammar. Words must come from dice rolls or a cryptographic random number generator to count. For the full comparison, see our post on passphrases vs random passwords.
MFA: The Multiplier
Multi-factor authentication (MFA) means an attacker who somehow gets your password still cannot log in without a second proof — a code from an authenticator app, a hardware key, or a device prompt. It turns a single point of failure into two independent ones.
- Best: hardware security keys (FIDO2/passkeys) — phishing-resistant by design
- Good: authenticator apps (TOTP) — codes generated on your device, nothing sent over the network
- Better than nothing: SMS codes — vulnerable to SIM-swap attacks, but still block bulk credential stuffing
Enable MFA at minimum on your email (the recovery hub for everything else), your password manager, banking, and any developer accounts with production access — GitHub, cloud consoles, npm.
A Practical Setup, Step by Step
- Pick a password manager (any reputable one — built-in browser managers are fine to start).
- Create a master passphrase of 5+ random words. Write it on paper and store it somewhere physically safe until it is memorised.
- Enable MFA on the manager itself and on your primary email account.
- Change your most important passwords first — email, banking, primary social, work — to unique generated 16+ character passwords.
- Fix the rest opportunistically: every time you log in somewhere, let the manager replace the old password with a generated one.
- Never reuse the master passphrase anywhere else, ever.
That is the whole system: one strong passphrase you remember, unique generated passwords for everything else, and MFA on the accounts that matter. It survives breaches, phishing lists, and cracking rigs — and it is less mental effort than trying to remember thirty "clever" variations of the same word.
Frequently Asked Questions
Length and unpredictability. A 16-character randomly generated password is far stronger than an 8-character password with symbol substitutions. Strength comes from how many possibilities an attacker must try, and length multiplies that number faster than any complexity trick.
No. Cracking tools try common words with predictable substitutions (a to @, o to 0, s to $) as one of their first moves. P@ssw0rd1 falls in seconds despite technically containing uppercase, lowercase, digits, and symbols.
For randomly generated passwords, 16 characters or more is a solid modern baseline. For memorable passphrases, use at least 5 randomly chosen words. Your master password can be a passphrase; everything else should be generated and stored in a password manager.