Security guide

How to Create a Strong Password

What makes a password strong isn't complex special characters but three things: length, randomness and uniqueness.

Length matters most

The single biggest factor in password strength is length. Every extra character multiplies the number of possible combinations by the size of the character set, so strength grows exponentially.

For online accounts, use at least 12 characters, and for important accounts like email and banking, 16 or more. With enough length, you can get away with slightly fewer special characters and still be safe.

Mix character types

Using uppercase, lowercase, numbers and symbols together enlarges the character pool at the same length, which raises the entropy.

  • Uppercase A–Z, lowercase a–z
  • Digits 0–9
  • Symbols ! @ # $ % ^ & *
  • If you'll be copying it by hand, exclude look-alikes like 0/O and 1/l/I
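The sketch below is an added example, not part of the original guide. It draws a password from the character classes listed above with the operating system's secure random source and computes entropy as length × log2(pool size). The function names and the default length of 16 are choices made for this illustration.

```python
import math
import secrets
import string

# Character classes as listed in the guide.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"
LOOKALIKES = set("0O1lI")  # the look-alikes named in the guide


def build_classes(exclude_lookalikes=False):
    """Return the four character classes, optionally without look-alikes."""
    classes = [UPPER, LOWER, DIGITS, SYMBOLS]
    if exclude_lookalikes:
        classes = ["".join(c for c in cls if c not in LOOKALIKES) for cls in classes]
    return classes


def entropy_bits(length, pool_size):
    """Entropy of a uniformly random password: length * log2(pool size)."""
    return length * math.log2(pool_size)


def generate(length=16, exclude_lookalikes=False):
    """Generate a random password that contains every character class."""
    classes = build_classes(exclude_lookalikes)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    pool = "".join(classes)
    # Draw uniformly from the whole pool with the OS CSPRNG and redraw until
    # every class appears; this costs only a small fraction of the entropy.
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    full = len("".join(build_classes()))
    safe = len("".join(build_classes(exclude_lookalikes=True)))
    print(f"12 lowercase only      : {entropy_bits(12, 26):.1f} bits")
    print(f"12 chars, full pool    : {entropy_bits(12, full):.1f} bits")
    print(f"16 chars, full pool    : {entropy_bits(16, full):.1f} bits")
    print(f"16 chars, no look-alike: {entropy_bits(16, safe):.1f} bits")
    print(generate(16, exclude_lookalikes=True))
```

Dropping the five look-alike characters shrinks the pool from 70 to 65, which costs under two bits at 16 characters, while going from 12 to 16 characters adds about 24 bits.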

A different password for every site

If your password leaks in one place, attackers will try the same combination on other sites (credential stuffing). Using a completely different password on every site is the most effective defense.

Since it's impossible to memorize dozens of unique passwords, we recommend using a password manager alongside this practice.

What to avoid

The following are vulnerable to guessing and cracking and should be avoided.

  • A single dictionary word, a name, a birthday or other personal info
  • Common values like password, 123456, qwerty
  • Keyboard-adjacent patterns like asdf, 1q2w3e
  • Reusing an old password with only the trailing number changed