Most people's passwords are terrible. Not because they're lazy — because they were taught the wrong things. For years, security guidelines demanded passwords like P@ssw0rd1! (complex but easy to crack), while discouraging long, memorable passphrases (simple to create, far harder to break). This guide corrects the record on what actually makes passwords secure.
How Passwords Get Compromised
Understanding the attack matters before picking a defense.
Credential stuffing is the most common attack today. When a site gets breached (and thousands do every year), leaked username/password pairs get tested against every other site automatically. If you reuse the same password on multiple services, one breach exposes all of them.
Dictionary attacks try known words, common passwords, and their obvious variations. password, password1, Password1!, p@ssw0rd — all in the dictionary. These attacks run billions of guesses per second on modern hardware.
Brute force tries every possible combination up to a certain length. An 8-character password using uppercase, lowercase, and numbers has about 218 trillion combinations — which sounds large until you realize modern GPU clusters can exhaust that space in hours.
Phishing bypasses all of this. No matter how strong your password is, if you type it into a fake login page, it's compromised instantly.
What Actually Makes a Password Strong
Length is the single most important factor. Every additional character multiplies the search space exponentially. A 16-character password made of random lowercase letters is stronger than a 10-character password using every character type.
Here's the math:
| Password | Characters | Possible combinations | Brute-force time (1 trillion/sec) |
|---|---|---|---|
| monkey | 6 chars | 309 million | Instant |
| Monk3y! | 7 chars | 1 trillion | ~1 second |
| correcthorsebatterystaple | 25 chars (all lowercase) | 10^35 | Centuries |
| Random 16-char (all lowercase) | 16 chars | 4.4 × 10^22 | 1.4 million years |
Unpredictability matters more than complexity. Il0v3Coff3e! feels complex but follows a predictable pattern — every 'e' swapped for '3', every 'o' for '0'. Attackers specifically target these transformations.
Uniqueness across sites is non-negotiable. One reused password, one breach, everything compromised.
Passphrases: The Best of Both Worlds
A passphrase strings together random words: correct horse battery staple. It sounds like English, which makes it memorable. But the randomness of word selection makes it cryptographically strong.
Four random common words produce about 2^44 possible combinations (assuming a 2,000-word dictionary) — more than a typical complex 8-character password, and far easier to remember.
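The search-space arithmetic behind the table above and the 2^44 passphrase figure, as an added example (not DevZone's code): it sizes the alphabet an attacker must cover, converts that to entropy bits, and estimates exhaustion time at an assumed guess rate. The class sizes (32 printable ASCII symbols), the 1 trillion guesses/sec default and the dictionary size are assumptions, so the figures are not identical to the rounded table.

```javascript
// Added example: brute-force search space, entropy and crack-time estimates.
// Assumes the attacker knows which character classes (or which word list)
// the password was drawn from, as the table's estimates do.
const CLASS_SIZES = { lower: 26, upper: 26, digit: 10, symbol: 32 }; // 32 printable ASCII symbols

// Size of the alphabet implied by the character classes a password uses.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += CLASS_SIZES.lower;
  if (/[A-Z]/.test(password)) size += CLASS_SIZES.upper;
  if (/[0-9]/.test(password)) size += CLASS_SIZES.digit;
  if (/[^a-zA-Z0-9]/.test(password)) size += CLASS_SIZES.symbol;
  return size;
}

// Combinations and entropy (bits) for a password chosen uniformly over that alphabet.
function passwordStrength(password) {
  const n = charsetSize(password);
  return { combos: Math.pow(n, password.length), bits: password.length * Math.log2(n) };
}

// Same for a passphrase of `words` words drawn uniformly from a `dictSize` word list.
function passphraseStrength(words, dictSize) {
  return { combos: Math.pow(dictSize, words), bits: words * Math.log2(dictSize) };
}

// Time to exhaust the whole space at `guessesPerSec`, rounded to 3 significant figures.
function crackTime(combos, guessesPerSec = 1e12) {
  const seconds = combos / guessesPerSec;
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60], ["seconds", 1]];
  for (const [name, len] of units) {
    if (seconds >= len) return `${Number((seconds / len).toPrecision(3))} ${name}`;
  }
  return "instant";
}

// Walk the table's rows plus the four-word passphrase (constructed sample inputs).
for (const pw of ["monkey", "Monk3y!", "correcthorsebatterystaple"]) {
  const s = passwordStrength(pw);
  console.log(pw, s.bits.toFixed(1), "bits", crackTime(s.combos));
}
const pp = passphraseStrength(4, 2000);
console.log("4 words / 2000-word list", pp.bits.toFixed(1), "bits", crackTime(pp.combos));
```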
How to create a good passphrase:
- Use genuinely random words — don't construct a sentence that makes semantic sense. purple velocity monday spider is better than the cat sat on mat.
- Use at least 4 words, ideally 5 or 6 for important accounts.
- You can add a number or symbol if required, but it adds less security than an extra word.
What Not to Use
- Personal information: Birthdays, names, anniversaries, pet names. All guessable from social media.
- Keyboard patterns: qwerty, 123456, zxcvbn. These are literally in every dictionary attack.
- Common words with predictable substitutions: p@ssword, s3cur1ty, adm1n.
- Short passwords with any content: Under 12 characters is increasingly risky as compute power grows.
- The same password on multiple sites. Full stop.
Using a Password Manager
The only way to have unique, strong passwords for every account without memorizing hundreds of them is a password manager. Recommendations:
- Bitwarden — open source, audited, free tier is genuinely useful, self-hostable.
- 1Password — polished UX, excellent browser integration, strong family/team features.
- KeePassXC — fully offline, no cloud sync, the choice if you trust no external service.
A password manager stores all your passwords encrypted under one strong master password. You only have to remember one — make it a long passphrase.
How to Generate a Secure Password
DevZone's Password Generator creates cryptographically random passwords in your browser:
- Set the length — 16+ characters for normal accounts, 24+ for financial accounts.
- Choose character types — uppercase, lowercase, numbers, symbols. Use all four for maximum entropy.
- Exclude ambiguous characters (0, O, l, 1) if you'll ever need to type the password manually.
- Copy the result and paste it directly into your password manager.
The generator uses window.crypto.getRandomValues() — the same CSPRNG (Cryptographically Secure Pseudorandom Number Generator) used by SSL/TLS. The password is never transmitted or stored.
Two-Factor Authentication Changes Everything
Even a perfect password can be phished. Two-factor authentication (2FA) adds a second proof of identity that phishing can't easily capture:
- TOTP apps (Google Authenticator, Authy, 1Password) generate 6-digit codes that change every 30 seconds. Even if an attacker has your password, they can't log in without the current code.
- Hardware keys (YubiKey, Google Titan) are phish-proof — they verify the domain cryptographically.
- SMS codes are better than nothing but vulnerable to SIM-swapping attacks.
For any account that matters — email, banking, work systems — enable 2FA. Email in particular is critical: whoever controls your email can reset every other account.
FAQ
How often should I change my password?
Only when there's a reason to: suspected compromise, a site you use reports a breach, or you've shared a password with someone who no longer needs access. Forced periodic rotation (every 90 days) is now considered counterproductive — it leads to weaker, patterned passwords like Summer2026!.
How long should a password be?
At minimum, 12 characters for low-stakes accounts. 16+ for anything important. 24+ for financial accounts and your password manager master password. Longer is always better.
Is it safe to store passwords in a browser?
Browser-built-in password managers (Chrome, Safari, Firefox) are significantly better than reusing passwords or keeping a text file. They're not as capable as dedicated managers — weaker audit trails, limited cross-device sync options, no breach monitoring — but they're a major improvement over no manager at all.
What if I forget my master password?
This is the core tradeoff of password managers. If you forget the master password and have no recovery method, you lose access to everything stored. Use a long, memorable passphrase for your master password. Write it on paper and store it somewhere physically secure (a safe, not a sticky note on your monitor).