How to Create a Strong Password

A practical guide to password security in 2026 — what makes a password strong, how to create and manage secure passwords, and how to protect your accounts.

Why Password Security Matters More Than Ever

Data breaches have become routine. Every year, billions of credentials are exposed through hacks, phishing attacks, and corporate security failures. The website haveibeenpwned.com tracks publicly known data breaches and has catalogued over 13 billion compromised accounts. The question is no longer whether your data has been exposed — it is whether your passwords are strong enough that the exposure does not matter.

Most people reuse passwords across multiple accounts. When one site is breached and credentials are exposed, attackers automatically try those same credentials across other services — a technique called credential stuffing. If your email and password for a breached site are the same as your banking credentials, the consequences can be severe. Strong, unique passwords for each account are the single most effective defence against this.

What Makes a Password Strong?

A strong password has two essential properties: length and randomness. Length is the more important of the two. A longer password takes exponentially more time to crack by brute force — trying every possible combination. A 12-character password using only lowercase letters has 26¹² possible combinations. A 16-character password has 26¹⁶ — roughly 40,000 times more combinations to try.

Adding character types — uppercase letters, numbers, and symbols — further increases the search space. A 16-character password using all four character types has an astronomical number of possible combinations. Even the most powerful password-cracking hardware would take thousands of years to work through them all.

Randomness is equally important. "Password123!" has all four character types and is 12 characters long — but it is one of the most commonly used passwords in the world and would be cracked in seconds because it follows a predictable pattern. True randomness means the characters should bear no relationship to each other, to words in any language, or to personal information like dates, names, or addresses.

How Long Should a Password Be in 2026?

Security guidance has evolved significantly in recent years. The UK's National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST) both now recommend prioritising length over complexity. Their current guidance:

For most online accounts, a minimum of 12 characters is considered acceptable in 2026, but 16 characters is a stronger target. For high-value accounts — email, banking, cloud storage, password managers — 20 characters or more provides substantially better protection. The reason for the upward trend is that hardware for cracking passwords has become faster and cheaper. A password length that provided adequate security in 2018 may be crackable within hours today.

The use of passphrases — sequences of random words such as "correct-horse-battery-staple" — is an increasingly recommended alternative to character-based passwords. A four-word random passphrase is typically over 25 characters long, highly resistant to brute force attacks, and easier to remember than a string of random characters. This approach works particularly well for passwords you need to type rather than paste.
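
A sketch of both approaches described above, added here as an illustration and not the ToolBullet generator's own code: a 16-character password drawn from all four character types and a random-word passphrase, each with its entropy in bits. The function names are hypothetical and the word list is a constructed 16-word sample; a real passphrase needs a list of thousands of words.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only. A real passphrase
# generator should draw from a large list (thousands of words).
SAMPLE_WORDS = [
    "anchor", "bramble", "copper", "dolphin", "ember", "falcon", "glacier",
    "harbor", "indigo", "juniper", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def generate_password(length=16):
    """Random password containing at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps every accepted password equally likely.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def generate_passphrase(words=4, wordlist=SAMPLE_WORDS, sep="-"):
    """Passphrase of independently chosen random words."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, symbols):
    """Bits of entropy when each of `choices` picks is uniform over `symbols`."""
    return choices * math.log2(symbols)


if __name__ == "__main__":
    print(generate_password(16), round(entropy_bits(16, 94), 1), "bits")
    print(generate_passphrase(4), entropy_bits(4, len(SAMPLE_WORDS)), "bits (sample list)")
    # 7776 words is the size of a Diceware-style list, used here for comparison.
    print("4 words from 7776:", round(entropy_bits(4, 7776), 1), "bits")
```

The passphrase's strength comes from the size of the word list and the number of words, not from its character count, which is why the 16-word sample list above is far too small for real use.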

Common Password Mistakes to Avoid

Using personal information is one of the most common and dangerous mistakes. Names of family members, pets, birthdays, and home towns are frequently used in passwords and are often discoverable through social media. Attackers use personalised wordlists built from publicly available information about their targets — a technique called a dictionary attack.

Using the same password across multiple accounts multiplies the damage of any single breach. Even if your passwords are otherwise strong, reuse means that one compromised site creates a domino effect across your entire digital life. Every account — especially email, banking, and social media — should have a unique password.

Simple substitutions such as replacing letters with numbers (p4ssw0rd) or adding a number or symbol at the end (password1!) are well-known patterns that modern password cracking tools test automatically. They provide very little additional security over a simple word.
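
The gap between apparent and real strength, for the "Password123!" case and the substitution patterns described above, as an added example that is not code from this site or any particular cracking or auditing tool. The base-word set and substitution map are small constructed samples and the function names are hypothetical; a real check would load a large dictionary or breached-password list.

```python
import math
import re
import string

# Constructed, deliberately tiny list of common base words for illustration.
COMMON_BASES = {"password", "welcome", "qwerty", "letmein", "dragon", "monkey"}

# Simple substitutions mapped back to the letter they usually replace.
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "5": "s", "$": "s", "7": "t"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def nominal_bits(password):
    """Entropy the password would have if every character were random."""
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def predictable_base(password):
    """Return the common word a password reduces to, or None."""
    lowered = password.lower()
    # Drop a trailing run of digits/symbols, as in "password1!".
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    for candidate in (lowered, stripped):
        # Undo substitutions such as "p4ssw0rd" before the lookup.
        normalised = candidate.translate(UNLEET)
        if normalised in COMMON_BASES:
            return normalised
    return None


def assess(password):
    """Nominal strength in bits next to the pattern verdict."""
    return round(nominal_bits(password), 1), predictable_base(password)


if __name__ == "__main__":
    for sample in ("Password123!", "p4ssw0rd", "password1!",
                   "correct-horse-battery-staple"):
        print(sample, assess(sample))
```

A password that reduces to a common base word is only as strong as the short list of variations around that word, whatever the nominal figure says.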

Storing passwords insecurely — in a text file, a spreadsheet, a notes app, or written on paper — is risky. Any of these storage methods can be compromised. A password manager is a far safer alternative.

How to Manage Strong Passwords

The practical challenge with strong passwords is that they are difficult to remember — especially when you have a unique one for each account. The solution is a password manager: an application that stores all your passwords in an encrypted vault, protected by a single strong master password that you do remember.

Password managers such as Bitwarden (free and open source), 1Password, and Dashlane generate strong random passwords and fill them in automatically. You only ever need to remember one password — your master password — and every other password can be as long and as random as the site allows.

To generate a strong password for use with a password manager, use the ToolBullet Password Generator. Set the length to at least 16 characters, include all character types, and copy the generated password directly into your password manager. You never need to see or type it again.

Two-Factor Authentication

Even the strongest password can be compromised through phishing — tricking you into entering your credentials on a fake site. Two-factor authentication (2FA) adds a second layer of protection by requiring a second piece of evidence alongside your password — typically a code from an authenticator app or a hardware security key.

Enable 2FA on every account that supports it, starting with your email account. Email is the recovery mechanism for nearly everything else — if an attacker gains access to your email, they can reset passwords across your other accounts. An email account with a strong password and 2FA is significantly harder to compromise than one with a password alone.
