How to Create Strong Passwords
A strong password is your first line of defence against unauthorised access to your accounts. This guide covers the key principles, from choosing the right length to using a password manager alongside multi-factor authentication.
Length beats complexity
A 16-character password made from random lowercase letters is harder to crack than an 8-character password stuffed with symbols. Every extra character multiplies the number of possible combinations an attacker must try. Aim for at least 14 characters, and longer if the service allows it.
Make every password unique
Reusing a password across multiple sites means that a single breach can compromise all of them. If your email password is the same as your banking password, an attacker who obtains one has both. Treat every account as independent and give each one its own credential.
Use a password manager
Nobody can remember dozens of long, random passwords. A password manager stores them in an encrypted vault so you only need to remember one strong master password. Most managers also generate passwords for you, removing guesswork entirely. See our password managers guide for setup advice.
Add multi-factor authentication
Even a strong password can be exposed through phishing or a data breach. Multi-factor authentication (MFA) adds a second check, usually a time-based code from an app on your phone, so a stolen password alone is not enough. Enable MFA on every account that supports it, starting with email. Read more in our MFA guide.
Avoid personal information
Birthdays, pet names, favourite football teams, and postcodes are all easy for attackers to research through social media. A truly strong password contains no personally identifiable information at all. Let a generator produce something random instead.
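The two points above, that length beats complexity and that a generator should choose the characters, can be checked with a short script. This is an added example, not part of the original guide; the function names are illustrative, and the figures assume every character is picked uniformly at random.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase  # 26 symbols
FULL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password whose characters are drawn uniformly
    and independently at random. It does not apply to passwords a person
    made up, which are far more predictable than their length suggests."""
    return length * math.log2(alphabet_size)


def search_space_ratio(len_a: int, size_a: int, len_b: int, size_b: int) -> int:
    """How many times larger password A's search space is than B's."""
    return (size_a ** len_a) // (size_b ** len_b)


def generate(length: int = 16, alphabet: str = FULL) -> str:
    """Generate a password with the operating system's CSPRNG.
    `secrets` is used because the `random` module is predictable."""
    if length < 14:
        raise ValueError("the guide recommends at least 14 characters")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    long_simple = entropy_bits(16, len(LOWER))   # 16 random lowercase letters
    short_complex = entropy_bits(8, len(FULL))   # 8 random printable characters
    print(f"16 lowercase letters: {long_simple:.1f} bits")
    print(f"8 mixed characters:   {short_complex:.1f} bits")
    ratio = search_space_ratio(16, len(LOWER), 8, len(FULL))
    print(f"The longer password has about {ratio:,} times more combinations")
    print("Generated example:", generate(20))
```

Each extra character adds the same number of bits again, which is why the 16-character lowercase password ends up with a search space millions of times larger than the 8-character mixed one.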
Frequently asked questions
How long should my password be?
At least 14 characters for important accounts. Longer is better. Many security professionals now recommend 16 or more characters when a service permits it.
Do I really need special characters?
They help, but length matters more. A 20-character password using only letters is generally stronger than an 8-character password with symbols and numbers.
How often should I change my passwords?
Only when you have reason to believe one has been compromised. Frequent forced changes tend to encourage weaker passwords. Focus on making each password strong and unique from the start.