How to Create Secure Passwords: A Practical Guide
Your passwords are the first line of defense between your digital life and the people who want to exploit it. Despite years of warnings, millions of people continue to use passwords that can be cracked in seconds. The good news is that creating secure passwords is not difficult once you understand a few core principles. This guide covers what actually makes a password secure, which advice from the past is now outdated, and the practical utilities you can use to protect every account you own.
What Actually Makes a Password Secure?
Password security is fundamentally about unpredictability and length. An attacker who wants to guess your password has two main strategies: dictionary attacks and brute-force attacks. A dictionary attack tries common words, names, and patterns from a precompiled list. A brute-force attack tries every possible combination of characters until it finds the right one. A secure password defeats both strategies.
Against dictionary attacks, the solution is to avoid common words and predictable patterns. Against brute-force attacks, the solution is length. Every additional character in your password exponentially increases the number of possible combinations an attacker must try. A 12-character password with mixed case, digits, and symbols has roughly 3.7 times 10 to the 23rd possible combinations. Adding just four more characters to make it 16 characters pushes that number to roughly 3.4 times 10 to the 31st. The difference is staggering.
Modern guidance from security researchers and institutions like NIST is clear: length matters far more than complexity. A 20-character passphrase made of random words is stronger than an 8-character string of mixed symbols that you can barely remember. The math unambiguously supports this conclusion.
The NIST Password Guidelines
The National Institute of Standards and Technology (NIST) publishes Special Publication 800-63B, which is the authoritative reference for password policy in the United States. Their guidelines have evolved significantly over the years, and the current recommendations reflect the latest research.
NIST now recommends a minimum password length of 8 characters, with 15 or more characters being preferred. They recommend allowing all printable characters, including spaces. They advise against requiring specific character types like uppercase, lowercase, digits, and symbols. They also advise against forcing periodic password changes, unless there is evidence of a breach. Forced changes lead people to make minimal modifications like appending a number, which weakens security rather than strengthening it.
NIST also recommends screening new passwords against a list of commonly used and compromised passwords. If a password has appeared in a known data breach, it should be rejected regardless of its length or complexity. Services like Have I Been Pwned maintain databases of billions of compromised passwords for this purpose.
Common Password Mistakes to Avoid
Understanding what makes a password weak is just as important as knowing what makes it strong. Here are the mistakes that compromise more accounts than anything else.
Reusing passwords across accounts: This is the single most damaging mistake you can make. When a service suffers a data breach, the stolen credentials are quickly tested against other popular services in automated attacks called credential stuffing. If you use the same password for your email, your bank, and a gaming forum, a breach at the forum gives attackers the keys to everything.
Using personal information: Your birthday, your pet's name, your hometown, your favorite sports team, and your children's names are all easily discoverable through social media. An attacker who targets you specifically will try these first. Personal information dramatically narrows the search space.
Relying on simple substitutions: Replacing "a" with "@", "e" with "3", and "o" with "0" was clever in 2005. Modern cracking utilities have rulesets that try every common substitution automatically. "P@ssw0rd" is not significantly harder to crack than "Password."
Using short passwords: Anything under 12 characters is within reach of modern hardware. Consumer graphics cards can attempt billions of password hashes per second. At those speeds, an 8-character password falls in hours, not years.
Storing passwords in plain text: Writing passwords on sticky notes, saving them in unencrypted text files, or storing them in your browser without a master password leaves them exposed to anyone who gains physical or remote access to your devices.
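The following Python is an added example, not code from KnowKit or from NIST, showing how a service could screen new passwords the way the NIST guidelines above describe: a length floor, no character-class requirements, spaces allowed, and a breach-corpus check that also undoes the simple substitutions described under "Relying on simple substitutions". The breach list, the policy limits and the leet-substitution table are constructed for the example; the range lookup mirrors the shape of the Have I Been Pwned k-anonymity API (5-hex-digit SHA-1 prefix in, matching suffixes out) but is served from a local table so it runs offline.

```python
import hashlib

# Constructed policy values: NIST SP 800-63B sets a length floor and a generous
# ceiling and otherwise imposes no composition rules; every printable
# character, including the space, is allowed.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a breach corpus. A real screener would query a
# service such as Have I Been Pwned or a locally mirrored breach list.
KNOWN_BREACHED = ["password", "123456", "qwerty", "letmein", "iloveyou"]

# Substitutions that cracking rulesets undo automatically. The screener undoes
# them before the blocklist lookup so "P@ssw0rd" is compared as "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
    "!": "i", "$": "s", "5": "s", "7": "t",
})


def normalize(pw: str) -> str:
    """Undo common substitutions and lower-case the result."""
    return pw.translate(LEET_MAP).lower()


def sha1_upper(s: str) -> str:
    """Upper-case hex SHA-1, the form the k-anonymity range lookup uses."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Group breached hashes by their first five hex digits.

    This mirrors the shape of the Have I Been Pwned range API: the client
    sends only a 5-character prefix and receives every matching suffix, so
    the full hash (let alone the password) never leaves the client.
    """
    index = {}
    for p in plaintexts:
        h = sha1_upper(p)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(KNOWN_BREACHED)


def is_breached(pw: str) -> bool:
    """Look up the password's hash suffix inside its prefix bucket."""
    h = sha1_upper(pw)
    return h[5:] in RANGE_INDEX.get(h[:5], set())


def check_password(pw: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(pw) > MAX_LENGTH:
        problems.append("too_long")
    if not all(c.isprintable() for c in pw):
        problems.append("non_printable")
    if is_breached(pw) or is_breached(normalize(pw)):
        problems.append("breached")
    # Deliberately absent: uppercase/digit/symbol requirements and any
    # password-age check, both of which the NIST guidance advises against.
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "letmein", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

"P@ssw0rd" passes the length check but is rejected because, once the substitutions are undone, it is literally "password"; "correct horse battery staple" is accepted even though it contains no digits or symbols, which is exactly the trade the NIST guidance makes.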
Password Managers: The Essential Utility
If you follow the advice to use a unique, long, random password for every account, you will quickly face a practical problem: you cannot remember them all. This is exactly what password managers solve. A password manager stores all your credentials in an encrypted vault protected by a single master password. You only need to remember one strong password. The manager handles the rest.
Password managers offer several critical features. They generate truly random passwords using cryptographically secure algorithms, eliminating the human biases that make hand-crafted passwords predictable. They autofill login forms, which means you can use 30-character random passwords without ever having to type them. They sync across your devices, so a password created on your phone is available on your laptop. And they include security audits that flag weak, reused, or compromised passwords.
For generating new passwords, you can use the password generator on KnowKit, which runs entirely in your browser and never transmits your passwords over the network. It lets you control the length, character types, and number of passwords to generate.
Password Generators vs. Passphrases
There are two approaches to creating strong passwords: random character strings and random word passphrases. A random character string like "xK9#mP2$vL7@nQ4" is extremely strong because every character is independently chosen from a large pool. A passphrase like "correct-horse-battery-staple" uses fewer possible characters per position but compensates with length and memorability.
Both approaches are secure when done correctly. The random character string is slightly stronger per character of length because the character pool is larger (about 95 printable ASCII characters versus roughly 7,000 common English words). However, a 5-word passphrase using a 7,000-word dictionary has about 1.7 times 10 to the 19th possible combinations, which is plenty strong. The passphrase is also much easier to type on a keyboard you are unfamiliar with, such as a phone or a public computer.
For your master password and any password you need to type regularly, a passphrase is the better choice. For everything else that your password manager handles, use randomly generated character strings for maximum entropy.
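To make the arithmetic in the "What Actually Makes a Password Secure?" section and in the passphrase comparison above concrete, here is an added Python example (not KnowKit's generator code) that produces both kinds of secret with the `secrets` module and reports the search space, entropy in bits, and worst-case exhaustion time at an assumed rate of 10^10 guesses per second. The 16-word list is constructed so the block runs offline; a real passphrase generator needs a curated list of several thousand words, and the entropy figures for the 7,000-word case below use that size rather than the sample list.

```python
import math
import secrets
import string

# 94 printable ASCII characters excluding the space; add " " to get 95.
CHAR_POOL = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word list so the block runs offline. Entropy per word is
# log2(list size), so a real generator needs a list of thousands of words.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "orbit", "velvet", "canyon",
    "lantern", "maple", "quartz", "ember", "harbor", "nickel", "summit",
    "tundra", "willow",
]


def random_string(length: int = 16, pool: str = CHAR_POOL) -> str:
    """Draw each position independently with secrets.choice (OS CSPRNG, no modulo bias)."""
    return "".join(secrets.choice(pool) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Draw each word independently; repeats are allowed, which is what the math assumes."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def search_space(pool_size: int, positions: int) -> int:
    """Number of equally likely candidates an exhaustive attacker must cover."""
    return pool_size ** positions


def entropy_bits(pool_size: int, positions: int) -> float:
    """Bits of entropy for `positions` independent uniform draws from `pool_size`."""
    return positions * math.log2(pool_size)


def seconds_to_exhaust(pool_size: int, positions: int,
                       guesses_per_second: float = 1e10) -> float:
    """Worst case for the attacker at the given rate; the average is half of this."""
    return search_space(pool_size, positions) / guesses_per_second


def describe(pool_size: int, positions: int) -> dict:
    """Summarise one configuration for a report line."""
    secs = seconds_to_exhaust(pool_size, positions)
    return {
        "bits": round(entropy_bits(pool_size, positions), 1),
        "candidates": search_space(pool_size, positions),
        "years_at_1e10_per_s": secs / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    print("random string:", random_string(20))
    print("passphrase:   ", random_passphrase(5))
    for label, pool, n in [("8 lowercase", 26, 8), ("12 printable", 95, 12),
                           ("16 printable", 95, 16), ("5 words / 7000", 7000, 5)]:
        print(f"{label:15} {describe(pool, n)}")
```

Running it shows the point of the section: eight lowercase letters are exhausted in seconds at that rate, while adding four printable characters to a 12-character string multiplies the work by 95^4, and five words from a 7,000-word list land at roughly 64 bits, the same order as the 1.7 x 10^19 figure quoted above.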
Two-Factor Authentication: Your Second Layer of Defense
Even a perfect password can be compromised through phishing, keyloggers, or database breaches. Two-factor authentication (2FA) adds a second verification step that requires something you have in addition to something you know. If an attacker steals your password, they still cannot access your account without the second factor.
The most common 2FA methods include SMS codes, authenticator apps, and hardware security keys. SMS is the weakest option because it is vulnerable to SIM-swapping attacks. Authenticator apps like Authy or Google Authenticator generate time-based codes on your device and are significantly more secure. Hardware keys like YubiKey use public-key cryptography and are the gold standard, offering complete protection against phishing attacks.
Enable 2FA on every account that supports it, starting with your email provider and your password manager. Your email is the most critical account because it controls password resets for everything else. If someone gains access to your email, they can reset the password for any other service you use.
What to Do If a Password Is Compromised
Data breaches are a matter of when, not if. Even if you follow every best practice, a service you use may have its database stolen. The key is responding quickly and methodically. First, change the password for the compromised account immediately. Then change the password for any other account where you used the same credentials. Enable 2FA if it was not already active. Monitor the account for suspicious activity over the following weeks.
Many password managers now include breach monitoring that automatically checks your credentials against known breach databases and alerts you when a match is found. This is invaluable because it catches problems you would otherwise miss. Our in-depth password security guide covers breach response in greater detail.
Building Better Password Habits
Creating secure passwords is a habit, not a one-time action. Start by setting up a password manager and importing your existing credentials. Run the security audit to identify weak and reused passwords. Update the most critical accounts first: email, banking, social media, and cloud storage. Work through the rest over the following weeks. Enable 2FA on every account that supports it. Use a password generator for every new account. Within a month, you will have dramatically improved your security posture with relatively little effort.
Nelson
Developer and creator of KnowKit. Building browser-based tools since 2024.