
How to Create and Store Strong Passwords

Entropy, passphrases, password managers, and why reuse is the most expensive mistake — everything beyond the generic tips.


You probably have more than 50 online accounts. If you use the same password — or variations of the same base — across all of them, a single breach is enough for an attacker to access most of them within minutes. The process has a name: credential stuffing. It's automated, cheap, and happens constantly.

The problem isn't that people don't know weak passwords are bad. The problem is that the method commonly taught for creating "strong" passwords is mostly wrong — and the method for storing them is either nonexistent or dangerous.


What "password strength" actually means

Password strength is entropy. Entropy, expressed in bits, is the base-2 logarithm of the number of combinations an attacker would have to try to exhaust your password's search space by brute force. The higher the entropy, the longer the attack takes.

The formula is straightforward: entropy = log₂(N^L), where N is the alphabet size (how many possible characters) and L is the password length.

Configuration                  Search space              Entropy
-----------------------------  ------------------------  ---------
8 chars, lowercase only        26⁸ ≈ 200 billion         ~37 bits
8 chars, upper+number+symbol   95⁸ ≈ 6.6 quadrillion     ~52 bits
16 chars, lowercase only       26¹⁶ ≈ 4.4 × 10²²         ~75 bits
20 chars, alphanumeric         62²⁰ ≈ 7 × 10³⁵           ~119 bits

Modern GPUs test hundreds of billions of hashes per second against leaked password lists. 52 bits of entropy is crackable in hours with accessible hardware. 75 bits would take centuries. 119 bits is infeasible under any realistic scenario.

The point most signup forms get wrong: requiring uppercase, number, and symbol increases N slightly but doesn't compensate for length. Going from 8 to 20 characters is exponentially more effective than adding every possible character type to an 8-character password.
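As an added illustration (this is not code from the article or from its Password Generator), the following Python script reproduces the table above from the formula and converts entropy into an expected brute-force time. The guess rate of 10¹¹ per second is an assumption in the range the article quotes for fast, unsalted hashes on modern GPUs; slow password hashes such as bcrypt, scrypt or Argon2 reduce that rate by several orders of magnitude, so the durations are a worst case for the defender.

```python
import math

# Alphabet sizes for the configurations in the table above
LOWERCASE = 26          # a-z
ALPHANUMERIC = 62       # a-z, A-Z, 0-9
FULL_PRINTABLE = 95     # printable ASCII, space excluded

# Assumed attacker speed: 1e11 guesses/s, i.e. "hundreds of billions of
# hashes per second" against a fast hash. Slow password hashes (bcrypt,
# scrypt, Argon2) cut this by orders of magnitude. Assumption for the demo.
ASSUMED_GUESSES_PER_SECOND = 1e11


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(N^L) = L * log2(N)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """An exhaustive attacker finds the password, on average, halfway
    through the search space of 2^bits candidates."""
    return 2.0 ** bits / 2.0


def crack_time_seconds(bits: float,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected wall-clock time for a brute-force search at the given rate."""
    return expected_guesses(bits) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds using the largest unit that fits, e.g. '6,906.6 years'."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def strength_table(configs):
    """Return (label, bits, expected crack time) rows for a list of
    (label, alphabet_size, length) tuples."""
    rows = []
    for label, n, length in configs:
        bits = entropy_bits(n, length)
        rows.append((label, round(bits, 1), human_duration(crack_time_seconds(bits))))
    return rows


if __name__ == "__main__":
    configs = [
        ("8 chars, lowercase only", LOWERCASE, 8),
        ("8 chars, upper+number+symbol", FULL_PRINTABLE, 8),
        ("16 chars, lowercase only", LOWERCASE, 16),
        ("20 chars, alphanumeric", ALPHANUMERIC, 20),
    ]
    for label, bits, duration in strength_table(configs):
        print(f"{label:32} {bits:6.1f} bits  ~{duration}")
    # The article's point in numbers: adding three character classes to an
    # 8-character password buys far fewer bits than doubling its length.
    print("classes added to 8 chars:",
          round(entropy_bits(FULL_PRINTABLE, 8) - entropy_bits(LOWERCASE, 8), 1), "bits gained")
    print("8 -> 16 lowercase chars: ",
          round(entropy_bits(LOWERCASE, 16) - entropy_bits(LOWERCASE, 8), 1), "bits gained")
```

Run it as a script and the four rows come out at 37.6, 52.6, 75.2 and 119.1 bits; the last two prints show that the three extra character classes add about 15 bits while eight more lowercase letters add about 38.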


Why P@ssw0rd!123 is not a strong password

Leet substitution — replacing a with @, e with 3, o with 0 — looks like it adds randomness. It doesn't. Cracking tools apply those transformations automatically against any dictionary.

rockyou.txt, the most commonly used leaked password file in dictionary attacks, has over 14 million entries. P@ssw0rd, Adm1n@2024, and similar variations are all there, or derivable with hashcat's default rules in under a second.

A password that follows a predictable human pattern — base word + substitutions + year + symbol at the end — is not random by definition. Attackers don't try fully random combinations first; they try what humans typically do.


Passphrase: high entropy without the pain

If you need a memorable password — for your password manager's master password, for instance — a passphrase is the right answer.

A passphrase is a sequence of random words, not a sentence that makes sense. The distinction matters.

  • horseballoonsunsetcargo → 4 random words, ~52 bits of entropy with a 7,776-word list (Diceware)
  • I finished my thesis last Tuesday → looks long, but has predictable human semantic structure

The Diceware method uses a physical die (or cryptographic equivalent) to select words from a list of 7,776 options (6⁵). Each word adds ≈12.9 bits of entropy. Four words = ~52 bits. Six words = ~77 bits — more than any 8-character "complex" password.

# Diceware passphrase entropy (7,776-word list)
4 words: 4 × 12.9 = 51.7 bits
5 words: 5 × 12.9 = 64.6 bits
6 words: 6 × 12.9 = 77.5 bits  ← recommended for master password
7 words: 7 × 12.9 = 90.5 bits

For your password manager's master password, use 6 random words you can link to an absurd mental image. It's memorized quickly, has no obvious human pattern, and its entropy is genuinely high.

For everything else — don't memorize. Generate.
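Added example (not the article's code, nor any password manager's): a Python generator for both kinds of secret discussed above, the Diceware passphrase for the master password and the manager-style random password for everything else, with the entropy each one has by construction. The 32-word list is constructed for the demo so the script runs offline; a real Diceware list has 7,776 words, and the entropy per word is log2 of the list size in either case. `dice_rolls_to_index` shows how five physical die rolls index a printed list; `secrets.choice` is the cryptographic equivalent.

```python
import math
import secrets
import string
from typing import Sequence

# Constructed 32-word sample list (not the real Diceware list, which has 7,776
# words). Entropy per word is log2(len(wordlist)) whatever the list.
SAMPLE_WORDLIST = [
    "horse", "balloon", "sunset", "cargo", "pencil", "river", "marble", "onion",
    "velvet", "comet", "ladder", "pickle", "hammer", "forest", "candle", "rocket",
    "button", "glacier", "saddle", "turnip", "puzzle", "anchor", "meadow", "copper",
    "walnut", "zebra", "tunnel", "fossil", "kettle", "lantern", "quartz", "island",
]
DICEWARE_LIST_SIZE = 6 ** 5            # 7,776 words on a full list
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols


def bits_per_word(wordlist_size: int) -> float:
    """Each uniformly chosen word contributes log2(list size) bits."""
    return math.log2(wordlist_size)


def passphrase_entropy(num_words: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    return num_words * bits_per_word(wordlist_size)


def dice_rolls_to_index(rolls: Sequence[int]) -> int:
    """Map five physical d6 rolls (each 1-6) to a 0..7775 index into a printed
    Diceware list: 1-1-1-1-1 is the first word, 6-6-6-6-6 the last."""
    if len(rolls) != 5 or any(not 1 <= r <= 6 for r in rolls):
        raise ValueError("need exactly five rolls in the range 1-6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(num_words: int = 6, wordlist: Sequence[str] = SAMPLE_WORDLIST,
                        separator: str = " ") -> str:
    """Pick words with secrets.choice, the cryptographic equivalent of rolling
    dice. random.choice is the wrong tool here: it is built for reproducible
    simulations, not secrecy, and its output is predictable."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def random_password(length: int = 20, alphabet: str = ALPHANUMERIC) -> str:
    """Manager-style random password: each position is an independent uniform
    draw from the alphabet, so entropy is length * log2(len(alphabet))."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy(password: str, alphabet: str = ALPHANUMERIC) -> float:
    """Entropy a generated password has by construction. Only meaningful for
    passwords that really were drawn uniformly from this alphabet; it says
    nothing about a human-chosen string like P@ssw0rd!123."""
    if any(c not in alphabet for c in password):
        raise ValueError("password contains characters outside the alphabet")
    return len(password) * math.log2(len(alphabet))


if __name__ == "__main__":
    for n in (4, 5, 6, 7):
        print(f"{n} words on a 7,776-word list: {passphrase_entropy(n):.1f} bits")
    print("dice 3-4-1-6-2 -> list index", dice_rolls_to_index([3, 4, 1, 6, 2]))
    phrase = diceware_passphrase(6)
    print("sample passphrase:", phrase,
          f"({passphrase_entropy(6, len(SAMPLE_WORDLIST)):.0f} bits with the 32-word sample list)")
    pw = random_password(20)
    print("sample password:  ", pw, f"({password_entropy(pw):.1f} bits)")
```

The sample passphrase from the 32-word list carries only 30 bits; the same six words drawn from a full list carry 77.5 bits, which is why the list size matters as much as the word count.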


Password managers: the only solution that scales

Unique, long, random passwords for every service are impossible to memorize. That's not a lack of effort — it's a real human cognitive limit. The answer isn't to "try harder." It's to stop trying to memorize.

A password manager generates, stores, and autofills passwords. You memorize one strong master password (the passphrase from the section above). The manager handles everything else.

Well-regarded options:

  • Bitwarden — open source, externally audited, free for personal use, cross-device sync. What I'd use starting today.
  • 1Password — paid, polished interface, good for teams.
  • KeePass / KeePassXC — local-only, no automatic sync, maximum control. Useful if you have restrictions on where data can live.
  • Dashlane, Keeper — paid alternatives with enterprise features.

The criteria that matter: local encryption before sync (the provider can't access your passwords), published third-party audit, and a sustainable business model — free with opaque history raises questions.

What to never use for storing passwords:

  • Unencrypted spreadsheet (local or cloud)
  • Plain text file
  • Phone notes app
  • "My memory" — for more than 5 accounts, it doesn't work without creating predictable patterns

Why password reuse is the most expensive mistake

When a service leaks credentials — and services leak regularly, sometimes years after the breach — attackers automatically test those email/password combinations against other services. That's credential stuffing.

If you reuse the same password, or variations (mypassword, mypassword2, mypassword_gmail), a single breach on an irrelevant site can compromise your email account, which in turn gives access to password recovery for any other service.

The typical compromise chain:

  1. Site X leaks your password base123
  2. Attacker tests base123 and variations against 200 popular sites
  3. Gets into your email (where you used base123!)
  4. Resets passwords for bank, payment services, whatever they want

Each account with a unique password breaks that chain. A breach on site X has zero consequence for your other accounts when each one has unique 20-character random credentials.
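Added example, not from the article: a small Python auditor you can run over an export of your own vault to find the reuse described above, both exact duplicates and "variations" of one base word (mypassword, mypassword2, mypassword_gmail, MyP@ssw0rd!2024). The vault entries are constructed for the demo, and the normalization heuristic (lowercase, drop the trailing year/symbol suffix, undo the common leet substitutions, keep the first run of letters) is my own simplification of the transformations the article says cracking rules apply; a random password yields no base word, which is exactly what you want.

```python
import re
from collections import defaultdict
from typing import Iterable, Optional, Tuple

# Constructed vault export for the demo: (site, password). Not real credentials.
SAMPLE_VAULT = [
    ("shop.example",   "mypassword"),
    ("forum.example",  "mypassword2"),
    ("mail.example",   "mypassword_gmail"),
    ("bank.example",   "MyP@ssw0rd!2024"),
    ("news.example",   "x7Qm2kLp9vTn4Rws"),
    ("social.example", "x7Qm2kLp9vTn4Rws"),
    ("blog.example",   "Wq8zR2mN5tYb0Lk3"),
]

# The substitutions the article mentions, undone: @->a, 3->e, 0->o, 4->a, $->s, 1->i
LEET = str.maketrans("@304$1", "aeoasi")


def normalize_base(password: str, min_base_len: int = 6) -> Optional[str]:
    """Reduce a human-pattern password to its base word. Returns None when no
    run of at least min_base_len letters remains, which is what a randomly
    generated password looks like after normalization."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)      # drop trailing "!2024", "_1", "123"
    s = s.translate(LEET)               # P@ssw0rd -> password
    m = re.match(r"[a-z]+", s)          # first run of letters is the base
    if m and len(m.group()) >= min_base_len:
        return m.group()
    return None


def find_reuse(vault: Iterable[Tuple[str, str]], min_base_len: int = 6) -> dict:
    """Group sites that share an exact password and sites that share a base
    word. Both groups are what a credential-stuffing attempt would exploit."""
    exact = defaultdict(list)
    by_base = defaultdict(list)
    for site, password in vault:
        exact[password].append(site)
        base = normalize_base(password, min_base_len)
        if base is not None:
            by_base[base].append(site)
    return {
        "exact": [sorted(sites) for sites in exact.values() if len(sites) > 1],
        "variants": [sorted(sites) for sites in by_base.values() if len(sites) > 1],
    }


if __name__ == "__main__":
    report = find_reuse(SAMPLE_VAULT)
    for group in report["exact"]:
        print("same password on:", ", ".join(group))
    for group in report["variants"]:
        print("same base word on:", ", ".join(group))
    if not report["exact"] and not report["variants"]:
        print("no reuse found")
```

On the sample vault this flags news.example and social.example as an exact duplicate, and shop, forum, mail and bank as four variants of one base word; the two random passwords produce no base and are left alone. Feed it your real export and rotate every flagged site, starting with the email account.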

For context on how these breaches happen and what to do when you find yourself in a leaked list, the post on information security fundamentals covers the full incident lifecycle — from attack vector to response.


How to migrate without losing your mind

If you're starting with a password manager now and have 80 accounts with bad passwords, don't try to migrate everything at once. A better approach:

Week 1 — install and set up

  • Pick a manager, install the browser extension
  • Create your master password with a 6-word passphrase
  • Import existing passwords if the manager supports it, or let autofill capture them as you log in

As you log into each service

  • Let the manager generate a new 20+ character random password
  • Update on the service, save in the manager
  • In 3 months, most important accounts have good passwords

Immediate priority (update these first)

  • Primary email (gives access to recovery for everything else)
  • Bank and financial services
  • Any account with a saved credit card

It doesn't need to be perfect immediately. A partially filled manager is vastly better than "the same password everywhere."


Frequently asked questions

What's the minimum length for a strong password in 2026?

For manager-generated (random) passwords, 16 characters is the reasonable minimum with entropy above 75 bits using the full character set. Prefer 20 characters — it costs the manager nothing to generate and the security difference is significant. For a memorable master password, use a 6-word Diceware passphrase.

Is a cloud password manager safe? What if the service gets breached?

Serious managers (Bitwarden, 1Password) use zero-knowledge encryption: your master password never leaves your device, and synced data reaches the server already encrypted. If the server leaks, the attacker gets unreadable ciphertext without your master password. The real risk is forgetting your master password or losing device access without a recovery code backup — not server compromise.

Do I need to change passwords periodically?

NIST (SP 800-63-4, 2024) does not recommend mandatory periodic rotation. Change when there's evidence of compromise: the service announced a breach, your manager or HaveIBeenPwned flagged it, or you noticed suspicious access. Calendar-based rotation without cause just produces predictable patterns like Password@Jun2026.

Can I use my browser's built-in password manager (Chrome, Safari)?

It's better than nothing. The limitations: you're locked into the browser/OS ecosystem, they rarely have published independent security audits, and cross-device sharing across different OSes can be awkward. For simple personal use they may be sufficient; for corporate use or if you work across multiple browsers and systems, a dedicated manager makes more sense.


A strong password you don't control is still weak

The best password in the world doesn't help if you have no fallback access to your manager, don't use MFA on critical accounts, and never check whether your data has appeared in a breach.

Minimum setup after adopting a manager: enable MFA on the manager itself (with an authenticator app, not SMS), save recovery codes offline, and set up a HaveIBeenPwned alert to be notified when your email appears in a new breach.

To generate a master password or see what a genuinely random password looks like, the Password Generator uses crypto.getRandomValues and sends nothing to a server — useful for having a concrete reference of what "20 random characters" actually means.

The total investment to implement all of this is an afternoon. The cost of not doing it — a compromised account at the worst possible moment — tends to be considerably higher.

Author
Rafael Duarte
Backend developer with experience at fintech and B2B SaaS companies; worked on teams that scaled APIs from zero to millions of requests. Carries enough production scars to hold strong opinions about tools, standards and architecture decisions. Not an academic: read the UUID RFC when he needed to choose between v4 and v7 for a high-write table.