10 Tips for Creating Better Passwords

Most people know that strong passwords are important, but knowing how to actually create them can be challenging. These practical tips will help you generate strong, memorable passwords that protect your accounts without causing unnecessary frustration.

Tip 1: Prioritize Length Over Complexity

Long passwords are exponentially more secure than short ones. A 16-character password using only lowercase letters is more secure than an 8-character password using all character types. Aim for at least 12 characters, and prefer 16 or more for sensitive accounts. Our password generator defaults to 16 characters for this reason.

Tip 2: Use Our Random Password Generator

Humans are terrible at creating randomness. We tend to choose words, patterns, and structures that attackers can easily predict. Using our password generator ensures that your passwords are truly random and unpredictable. Even if you create something that seems random to you, an attacker's password cracking tools will likely guess it.

Tip 3: Never Reuse Passwords Across Sites

This is the single most important tip after using strong passwords. If you reuse passwords and one site is breached, all your accounts using that password become vulnerable. It is not uncommon for attackers to test leaked passwords against dozens of popular services automatically. Each account deserves a unique password.

Tip 4: Consider Passphrases for Master Passwords

For the one password you need to remember — your password manager master password — consider using a passphrase: a sequence of random words that you can easily remember but is extremely long. Five or more random common words create a very strong password while remaining surprisingly memorable. Avoid using a sentence or meaningful phrase, as this reduces the randomness and security.

Tip 5: Do Not Include Personal Information

Never use names, birthdays, anniversaries, addresses, phone numbers, pet names, favorite sports teams, or any other information that could be found about you online. Attackers regularly collect this information from social media and public records to create targeted password guesses. Even combining personal information in creative ways is not secure against determined attackers.

Tip 6: Use All Four Character Types

For maximum security and to meet most website requirements, use uppercase letters, lowercase letters, numbers, and symbols in your passwords. Mixing these character types increases the possible combinations and makes brute force attacks significantly more difficult. Our password generator uses all four types by default, but you can customize this if a specific site has unusual requirements.
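Tips 1, 2 and 6 together describe what a good generator does: draw every character uniformly from a cryptographically secure source, use all four character classes, and rely on length for most of the strength. The following is an added example written for this page, not the code behind the site's own generator. It uses Python's `secrets` module (a CSPRNG, unlike `random`), and the symbol set and the `generate_password` / `entropy_bits` names are assumptions of this example. `compare_length_vs_complexity` puts numbers on Tip 1's claim: 16 lowercase letters carry about 75 bits of entropy, 8 characters from all four classes only about 51.

```python
import math
import secrets
import string

# Character classes (Tip 6). The symbol set is an assumption of this example;
# adjust it when a site restricts which symbols it accepts.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password whose characters are drawn uniformly
    and independently from an alphabet of alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, classes=(LOWER, UPPER, DIGITS, SYMBOLS)) -> str:
    """Generate a password of `length` characters drawn uniformly from the union
    of `classes` with a CSPRNG (Tip 2), requiring at least one character from
    each class. Rejection sampling keeps the result uniform over all passwords
    that satisfy the requirement instead of biasing particular positions."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def compare_length_vs_complexity():
    """Tip 1 in numbers: entropy of 16 lowercase letters versus 8 characters
    drawn from all four classes. Returns (bits_lowercase16, bits_fullset8)."""
    lowercase16 = entropy_bits(len(LOWER), 16)
    fullset8 = entropy_bits(len(LOWER + UPPER + DIGITS + SYMBOLS), 8)
    return lowercase16, fullset8


if __name__ == "__main__":
    print("16-char default:", generate_password())
    print("lowercase-only for a picky site:", generate_password(20, (LOWER,)))
    lo16, full8 = compare_length_vs_complexity()
    print(f"16 lowercase: {lo16:.1f} bits, 8 all-classes: {full8:.1f} bits")
```

Passing a smaller tuple to `classes` mirrors the "customize this if a site has unusual requirements" option; the entropy figure tells you how much length you need to add back when you drop a class.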

Tip 7: Avoid Obvious Patterns

Do not use keyboard patterns like "qwerty" or "asdfgh," sequential numbers like "12345," repeated characters like "aaaaaa," or simple substitutions like replacing "s" with "$" or "a" with "@". Attackers know these patterns and actively test for them. These tricks might fool a password strength meter but will not stop a serious attacker or automated cracking tools.

Tip 8: Use a Password Manager

The best way to manage strong, unique passwords for every site is to use a password manager. These tools generate strong random passwords (similar to our generator), store them in an encrypted database, and fill them in automatically when you visit websites. With a password manager, you only need to remember one strong master password. Modern password managers also sync across devices, making them convenient as well as secure.

Tip 9: Do Not Write Passwords Down Insecurely

If you absolutely must write down a password (such as a password manager master password), store it securely. A physical paper in a safe or locked drawer is reasonable if digital options are impossible. A sticky note on your monitor, a text file on your desktop without encryption, or a note in your phone labeled "passwords" are all unacceptable. Your password is only as secure as the place you store it.

Tip 10: Enable Two-Factor Authentication Everywhere

Even the strongest password in the world can be stolen through phishing, keyloggers, or data breaches. Two-factor authentication (2FA) provides an extra layer of security by requiring something additional to log in. Enable 2FA on your email, banking, and any other accounts that offer it. Preferably use an authenticator app or hardware security key rather than SMS text messages, which are less secure.

How to Create a Strong Password You Can Actually Remember

The challenge with strong passwords is often remembering them. While we recommend using a password manager for most passwords, there may be times when you need to remember a password manually (like your password manager's master password). Here are some approaches that balance security and memorability:

The Random Word Method

Choose five or more completely random words and string them together. For example: "blue octagon elephant quickly zebra". This creates a very long password that is surprisingly easy to visualize and remember. The key is that the words must be truly random — not a sentence or phrase that makes logical sense. You can also capitalize random letters or insert numbers and symbols between words for additional complexity.

The First Letter Method

Think of a sentence or phrase that only you would know, then use the first letter of each word. For example, "I first visited the New York Public Library when I was 12 years old!" could become "IfvtNYPLwIw12yo!". This creates a reasonably strong password that you can remember by recalling your original phrase. The main limitation is that if your sentence is predictable or personally identifiable, the resulting password could be weaker than a truly random password.
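The two memorable methods above, the Random Word Method and the First Letter Method, as an added example written for this page (not the site's own tooling). `random_word_passphrase` picks words with a CSPRNG so the words really are random rather than chosen by you; the 16-word list is a constructed stand-in, and `passphrase_entropy_bits` shows why the size of the list matters (a real list such as the 7776-word EFF list gives about 65 bits for five words, the toy list only 20). `first_letter_password` applies the page's own rule to its own sentence and reproduces "IfvtNYPLwIw12yo!"; nothing in it measures strength, because the strength of that method depends entirely on how unpredictable the sentence is. The function and list names are assumptions of this example.

```python
import math
import re
import secrets

# Constructed toy word list for demonstration. Do not use a list this small
# for real passphrases; the EFF long list has 7776 words.
WORDS = [
    "blue", "octagon", "elephant", "quickly", "zebra", "marble", "lantern", "river",
    "copper", "velvet", "tundra", "saddle", "fossil", "mango", "orbit", "pillow",
]


def random_word_passphrase(n_words: int = 5, words=WORDS, sep: str = " ") -> str:
    """Random Word Method (also Tip 4): choose n_words independently and
    uniformly from `words` using a CSPRNG, so no grammar or meaning creeps in."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a passphrase of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def first_letter_password(sentence: str) -> str:
    """First Letter Method: keep the first letter of each word, keep whole
    numbers as they are, and keep any trailing punctuation on a word."""
    out = []
    for token in sentence.split():
        # (\d+|.)  -> a run of digits, or the first character
        # .*?      -> the rest of the word, discarded
        # (\W*)    -> trailing punctuation, kept
        m = re.fullmatch(r"(\d+|.)(?:.*?)(\W*)", token)
        out.append(m.group(1) + m.group(2))
    return "".join(out)


if __name__ == "__main__":
    print(random_word_passphrase(5))
    print(f"5 words from 7776: {passphrase_entropy_bits(5, 7776):.1f} bits")
    print(f"5 words from the toy list: {passphrase_entropy_bits(5, len(WORDS)):.1f} bits")
    print(first_letter_password(
        "I first visited the New York Public Library when I was 12 years old!"))
```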

The Password Manager Method (Recommended)

Our recommended approach is to use a password manager for all account passwords and remember only one strong master password. Your master password should be very long (20+ characters), random or a random word passphrase, and never used anywhere else. All other passwords are generated by the password manager and filled in automatically. This gives you the strongest security while minimizing what you need to remember.

Password Recommendations by Account Type

Different accounts warrant different levels of security. Here is our guidance on password strength for various categories of online services:

Email Accounts

Your primary email account is the most important account you own, because it is typically the password recovery method for every other service. If your email is compromised, attackers can reset passwords for your bank, shopping sites, and everything else linked to that address. Use a very strong unique password (16+ characters, all character types), enable 2FA, and check login activity regularly.

Banking and Financial Accounts

Accounts with direct access to your money require maximum protection. Use a strong unique password (16+ characters), enable 2FA, and consider using a dedicated email address for financial accounts that you do not use anywhere else. Never share these passwords with anyone, and change them immediately if you suspect any compromise or receive notice of a data breach from your bank.

Work and Professional Accounts

Professional accounts often contain sensitive company information, customer data, or access to internal systems. Follow your organization's password policies, use unique strong passwords (12+ characters), and enable 2FA if available. Never use personal passwords for work accounts or vice versa. If your company provides a password manager, use it. Be especially careful not to access work accounts from unsecured devices or networks.

Social Media Accounts

Social media accounts may not have direct financial value, but they contain personal information and can be used to impersonate you or send phishing messages to your contacts. Use unique passwords (12+ characters) and consider enabling 2FA. Be especially careful about what information you post publicly, as attackers can use personal details from social media to guess security questions or personal information in passwords.

Shopping and E-commerce Accounts

Shopping accounts may store your shipping address and payment information, making them valuable targets. Use unique passwords (12+ characters) for each shopping site. Consider using virtual card numbers or a dedicated credit card for online shopping to limit potential damage if an account is compromised. Enable 2FA where available, and review purchase history periodically for any unauthorized activity.

Low-risk or Single-use Accounts

For accounts on sites you do not trust, forums you rarely visit, or services you only need to use once, you can use shorter passwords (8-12 characters) since the security risk is lower. However, they should still be unique and randomly generated to prevent password reuse attacks against your more important accounts. Using a password manager makes generating unique passwords of any length quick and effortless.

How to Check if Your Password Has Been Stolen

With billions of passwords leaked in data breaches over the years, there is a good chance that at least one of your passwords has appeared in a known breach. Thankfully, there are safe ways to check whether your passwords have been compromised without exposing them to additional risk.

Using "Have I Been Pwned"

"Have I Been Pwned" (haveibeenpwned.com) is a free service that maintains a database of known breached accounts. You can enter your email address to see whether it has appeared in any public data breaches. The site also offers a password checking feature that lets you check whether a specific password has appeared in known breaches. Importantly, the service uses a privacy-preserving technique called k-anonymity: only the first few characters of a cryptographic hash of your password are sent to their server, never the password itself, so the server cannot tell which password you are checking.

Built-in Password Manager Checks

Most modern password managers include a feature that automatically checks your saved passwords against known breaches and alerts you when a password has been compromised. These typically also identify weak passwords, reused passwords, and passwords that need updating. This is an easy way to maintain good password hygiene without having to manually check each password individually.
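The k-anonymity check described under "Have I Been Pwned" and the weak/reused/breached report a password manager produces, combined in one added example for this page (not code from Have I Been Pwned or from any password manager). The real Pwned Passwords API answers a request for a 5-character SHA-1 prefix with every stored hash suffix sharing that prefix, one `SUFFIX:COUNT` line each, so the full hash never leaves your machine; here the network call is replaced by a constructed in-memory response so the example runs offline, and the vault entries, the breach count and the function names are all constructed assumptions of this example. The suffix for "password" is its real SHA-1 digest, which is why `breach_count("password")` finds it.

```python
import hashlib
from collections import defaultdict

# Constructed vault entries (site, password) for the audit; none are real credentials.
VAULT = [
    ("mail.example", "Winter2023!"),        # reused below, and short
    ("bank.example", "Winter2023!"),        # reused
    ("forum.example", "password"),          # present in the constructed breach response
    ("shop.example", "x7!Qm2#vLp9@wRt4"),   # unique, long, not in the response
    ("old.example", "abc"),                 # too short
]

# Constructed stand-in for the Pwned Passwords range response for prefix 5BAA6.
# The real service returns the same line format ("SUFFIX:COUNT") for every hash
# sharing the requested 5-character prefix; the count here is made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password") minus its prefix
        "A" * 35 + ":2",                                 # filler entry, constructed
    ]) + "\n",
}


def split_sha1(password: str):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the service (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, fetch=lookup_range) -> int:
    """Number of times the password appeared in the breach corpus (0 if never).
    The suffix comparison happens locally, against the whole returned range."""
    prefix, suffix = split_sha1(password)
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(vault, min_length: int = 12, fetch=lookup_range):
    """Flag reused, short and breached passwords. Returns {site: [findings]};
    sites with no findings are omitted."""
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)
    findings = defaultdict(list)
    for site, pw in vault:
        if len(sites_by_password[pw]) > 1:
            findings[site].append("reused")
        if len(pw) < min_length:
            findings[site].append("short")
        n = breach_count(pw, fetch)
        if n:
            findings[site].append(f"breached:{n}")
    return dict(findings)


if __name__ == "__main__":
    for site, problems in audit_vault(VAULT).items():
        print(f"{site}: {', '.join(problems)}")
```

To run the check for real, replace `lookup_range` with an HTTP GET of the prefix against the Pwned Passwords range endpoint; the rest of the logic, including the local suffix comparison, stays the same.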

What to Do if Your Password Is Found in a Breach

If you discover that a password has been compromised, act promptly. Change the password for that account immediately using our password generator to create a new strong random password. If you have used that password anywhere else, change it on those accounts as well. Review the account for any unauthorized activity, such as unrecognized logins, changed email addresses, or unexpected settings. Enable or verify that 2FA is active on the account. Depending on the nature of the account and the breach, you may want to monitor related accounts more closely for a period of time.

Common Password Mistakes to Avoid

Even people who know better sometimes make avoidable password mistakes. Here are the most common issues and how to prevent them:

Creating a Password Security Routine

Good password security is not a single action but a set of habits. Building a simple routine will help you stay secure without spending excessive time on password management. Here is a suggested routine you can adapt to your needs:

Monthly: Quick Review

Once a month, spend about five minutes reviewing whether you have created any new accounts or passwords that need to be added to your password manager. Check your most important accounts (email, banking) for any unusual login activity. If your password manager identifies any weak or reused passwords, update those now.

Quarterly: Security Check

Every three months, run your email through a breach checking service to see if any new breaches have been reported. Verify that 2FA is still enabled on your most important accounts (some services have been known to silently disable it during system changes). Review any important accounts you have not logged into recently to ensure they are still secure.

Immediately After Any Breach Notice

If you receive notice of a data breach from a service you use, change that password immediately. If the breach affects any sensitive account, monitor that account closely for signs of unauthorized use. Even if the company says passwords were encrypted, change yours anyway — encryption is not always as strong as claimed, and many breaches expose hashed passwords that can be cracked with sufficient computing resources.

Annually: Security Audit

Once a year, do a more thorough review of your online security. Go through all accounts in your password manager and remove any you no longer use. Check whether any important accounts still lack 2FA and add it. Review connected apps and services on your main accounts and revoke access to anything you no longer use. Consider whether your email address itself has been exposed in any breaches and whether you need to set up a new primary email as a security measure.

Recommended Password Length by Security Level

While longer is always better, here are our practical minimum recommendations based on the security level needed:

Remember that these are minimum recommendations. Our password generator defaults to 16 characters, which is a good balance of security and convenience for most accounts. The generator supports up to 64 characters for situations requiring maximum security.

Final Reminders

Good password security does not require extraordinary effort — it requires consistent attention to a few fundamental practices. To summarize everything on this page:

Following these practices dramatically reduces the risk of your accounts being compromised. Visit our home page anytime you need to generate a new secure password, and explore our other pages for more detailed security guidance.