Your Password Is Probably Terrible (Here's a Better One)
Why password123 isn't fooling anyone, and what actually makes a password strong.
Let's be honest. You've used "password123" somewhere. Or your dog's name. Or your birthday. Maybe you added an exclamation point at the end and felt clever about it.
Attackers have lists: millions of real passwords from earlier breaches, sorted by how often they appear, plus cracking rules that tack a year or an exclamation point onto each one. They try those first. "password123!" is on the list. So is "Fluffy2024" and "Jennifer1985" and whatever else you thought was unique.
What Makes a Password Strong
It's not complexity. It's randomness.
"Tr0ub4dor&3" looks strong: mixed case, numbers, symbols. But it's a dictionary word with predictable substitutions (o to 0, a to 4) and a symbol and digit tacked on. Cracking tools apply exactly those rules to every word in their lists, so it falls quickly.
"mK8$zL2@nQ5&wR" looks like keyboard mashing. It's actually random. Much harder to crack.
The difference: one follows human patterns, one doesn't. Hackers know human patterns.
Length Beats Complexity
A 20-character password of randomly chosen lowercase letters is stronger than an 8-character password of randomly chosen characters from the full keyboard. The key word is randomly.
Why? Math.
- 8 characters, full complexity (95 possible per character): 95^8 ≈ 6.6 quadrillion combinations (about 52.6 bits)
- 20 characters, lowercase only (26 possible per character): 26^20 ≈ 20 octillion combinations (about 94 bits)
The longer password has vastly more combinations, even with simpler characters. That only holds when every character is chosen at random: "iloveyouiloveyouiloveyou" is 24 lowercase letters, and a cracker that tries repeated dictionary words finds it long before it gets anywhere near 26^24 guesses.
That's why "correct horse battery staple" became famous. Four random words, easy to remember, hard to guess. Its strength comes from the words being picked at random from a large list, not from its letter count: an attacker who knows the scheme guesses whole words, so four words from a 7,776-word Diceware list give about 52 bits, roughly the same as 8 random printable characters, and each extra word adds about 13 bits.
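To make the arithmetic above concrete, here is an added Python example (not code from the original article) that computes the search space and entropy in bits for each kind of password and turns it into an expected cracking time. The two guess rates are illustrative assumptions, not measurements; the 7,776-word list size is the Diceware/EFF long-list size, and the 2,048-word case matches the assumption behind xkcd 936.

```python
import math

# Guess rates are illustrative assumptions for this example, not figures from the article.
ONLINE_THROTTLED = 10            # guesses/second against a rate-limited login form
OFFLINE_GPU_FAST_HASH = 10**10   # guesses/second against a leaked fast, unsalted hash


def search_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely candidates when each position is chosen at random."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: the usual way to compare password strength."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """An attacker enumerating the space finds the password after half of it on average."""
    return space / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


# Each case is (description, alphabet size, length in symbols). For a passphrase the
# "alphabet" is the word list and the "length" is the word count, because an attacker
# who knows the scheme guesses whole words, not individual letters.
CASES = [
    ("8 random characters, 95 printable symbols", 95, 8),
    ("20 random lowercase letters", 26, 20),
    ("4 random words from a 7,776-word Diceware list", 7776, 4),
    ("4 random words from a 2,048-word list (xkcd 936 assumption)", 2048, 4),
    ("6 random words from a 7,776-word Diceware list", 7776, 6),
]


def table() -> list[tuple[str, float, str, str]]:
    """One row per case: label, bits, expected online crack time, expected offline crack time."""
    rows = []
    for label, alphabet, length in CASES:
        space = search_space(alphabet, length)
        rows.append((
            label,
            round(entropy_bits(alphabet, length), 1),
            human_time(expected_crack_seconds(space, ONLINE_THROTTLED)),
            human_time(expected_crack_seconds(space, OFFLINE_GPU_FAST_HASH)),
        ))
    return rows


if __name__ == "__main__":
    for label, bits, online, offline in table():
        print(f"{label}: {bits} bits; online {online}; offline {offline}")
```

Two things the table makes visible that the prose does not: the 20-letter random string beats both the 8-character password and the four-word passphrase by a wide margin, and a four-word passphrase that is comfortable against a throttled login form is within reach of an offline attack on a fast hash, which is why the passphrase advice later in this article asks for more words.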
The Real Problem: Reuse
Using the same password everywhere is the actual security disaster.
One site gets breached. Your email and password leak. Attackers feed that dump into automated tools that try every email and password pair on every major service (credential stuffing). If you used the same password, they're in.
This happens constantly. LinkedIn leaked. Adobe leaked. Dropbox leaked. If your password was in any of those breaches and you reused it, attackers have probably tried it elsewhere.
What Actually Works
Use a password manager. It generates random passwords, stores them securely, fills them automatically. You remember one master password. The manager handles the rest.
Make each password unique. Every site gets its own random password. One breach doesn't cascade.
Enable two-factor authentication. Even if someone gets your password, they also need the second factor. Massive improvement for minimal effort. An authenticator app or a hardware security key is better than SMS codes, which can be intercepted by SIM swapping, and a hardware key or passkey also resists phishing pages that relay one-time codes in real time.
Don't change passwords on a schedule. The old advice was "change every 90 days." This led to people using Password1, Password2, Password3. Worse than keeping a strong password longer, and current NIST guidance (SP 800-63B) says the same: rotate a password when you have reason to believe it is compromised, and then immediately, not every quarter.
For Passwords You Must Remember
Some passwords you can't store in a manager—your computer login, your password manager's master password.
For these, use a passphrase:
- Pick 4-5 random words (actually random, not a phrase that makes sense)
- Add a number or symbol somewhere
- Make it at least 20 characters
In the style of "correct horse battery staple", something like "purple-table-window-coffee-89" (don't use that one; anything printed in an article is on a list now).
Random words, easy to type, easy to remember after a few uses, very hard to crack.
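Here is an added Python example (not from the original article) of the passphrase recipe above, alongside the kind of random character password a manager generates. It uses the `secrets` module, which draws from the operating system's CSPRNG; the `random` module is not suitable for this. The word list embedded here is a constructed stand-in with 32 words, chosen only so the block runs on its own; a real Diceware/EFF list has 7,776 words, and the entropy of every passphrase scales with the list size, as the `passphrase_entropy_bits` function shows.

```python
import math
import secrets
import string

# Constructed stand-in for a real Diceware/EFF word list. A real list has 7,776 words;
# the strength of every passphrase below scales with len(WORDLIST), so use the full list.
WORDLIST = [
    "acorn", "basil", "cactus", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "jungle", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "anvil", "bramble", "copper", "drizzle", "fennel", "glacier", "hollow",
]

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(n_words: int = 5, wordlist: list[str] = WORDLIST,
                        separator: str = "-", digits: int = 2) -> str:
    """Random words joined by a separator, plus a short random digit suffix.

    secrets.choice draws from the OS CSPRNG; each pick is independent of the others,
    which is what makes the "random words" step actually random.
    """
    parts = [secrets.choice(wordlist) for _ in range(n_words)]
    if digits:
        parts.append("".join(secrets.choice(string.digits) for _ in range(digits)))
    return separator.join(parts)


def passphrase_entropy_bits(n_words: int, wordlist_size: int, digits: int = 2) -> float:
    """Bits of entropy assuming the attacker knows the scheme and the word list."""
    return n_words * math.log2(wordlist_size) + digits * math.log2(10)


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """What a password manager generates: independent random characters, no patterns."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_until_long_enough(min_length: int = 20, n_words: int = 5) -> str:
    """Enforce the article's 20-character minimum by retrying, never by padding with a pattern."""
    while True:
        phrase = generate_passphrase(n_words)
        if len(phrase) >= min_length:
            return phrase


if __name__ == "__main__":
    print(generate_until_long_enough())
    print(f"with a 7,776-word list: {passphrase_entropy_bits(5, 7776):.1f} bits")
    print(f"with this {len(WORDLIST)}-word list: {passphrase_entropy_bits(5, len(WORDLIST)):.1f} bits")
    print(generate_password())
```

The digit suffix adds only about 6.6 bits; it is there to satisfy sites that insist on a number, not to carry the strength. If you want more strength, add a word (about 12.9 bits each with the full list), not a symbol.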
Check If You've Been Breached
Sites like "Have I Been Pwned" let you check whether your email address appeared in known data breaches, and its Pwned Passwords service lets you check whether a specific password has shown up in a breach, without sending the password itself; many password managers run that check for you. Worth checking periodically. If you show up, change passwords for any accounts using that email, especially if you reused passwords.
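Here is an added Python example (not from the original article) of how a breached-password check can be done without disclosing the password. It uses the real Pwned Passwords range endpoint, `https://api.pwnedpasswords.com/range/`: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known hash suffix with that prefix, and compares the remaining 35 characters locally. The sample response embedded below is constructed for this example; the suffix shown for "password" is its genuine SHA-1 suffix, but the other rows and all the counts are made up.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint (real URL). Only the first five hex characters of the
# SHA-1 hash leave your machine; the service returns every suffix sharing that prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """5-character prefix that is sent, 35-character suffix that stays local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. With Add-Padding, dummy rows arrive with count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding hides the true response size from observers."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pwned-passwords-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times this exact password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# The second row's suffix is the real suffix for "password"; the other rows and all
# counts are invented for this example so the block runs offline.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample data."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "purple-table-window-coffee-89"]:
        n = pwned_count(candidate, fetch=offline_fetch)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample data")
```

To run it against the live service, call `pwned_count("...")` with the default `fetch`. A hit means the password is in attackers' lists and should be replaced regardless of how long or complex it is; a miss is not a guarantee of strength, only that this exact string has not been seen in the breaches the service indexes.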
Password security isn't about making your life harder. It's about using the right tools—password generators, password managers, two-factor auth—so you can stop thinking about passwords entirely.
Generate something random, store it securely, forget it exists. That's the goal.