How to create a strong password (without forgetting it next week)

Strength is mostly about length and uniqueness. A password that is unique to one site and long enough resists guessing and limits damage from breaches.

What “strong” means technically

Entropy, meaning unpredictability, comes from length and character variety. Phrases in the style of “correct horse battery staple” beat short, complex gibberish that you end up writing on a sticky note.

Why uniqueness beats complexity alone

A complex password reused on ten sites fails on all of them when one site leaks. Attackers do not guess manually; they automate the process with lists.

Passphrase method

Pick four or more random common words. Optionally add separators and a site-specific token you can derive mentally, taking care not to use a trivial pattern that attackers can predict.

Manager-generated passwords

Let software create random strings of 20 or more characters for everything, except perhaps your manager’s master password, which should be a memorised passphrase.
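
The passphrase method and manager-style random strings, as an added example that is not part of the original article. The 32-word list is a constructed sample and the function names are made up for this sketch; the entropy figures assume every word or character is drawn at random, not chosen by a person.

```python
import math
import secrets
import string

# Constructed 32-word sample list, for the demo only. It is far too small for
# real use; a generator should load a large list (diceware lists have 7776).
SAMPLE_WORDS = (
    "anchor basket candle dolphin ember forest garden harbor island jacket "
    "kettle lantern meadow needle orchard pebble quilt river saddle timber "
    "umbrella velvet window yonder zipper acorn bramble copper dagger "
    "engine falcon glacier"
).split()

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def passphrase(words, count=4, sep="-"):
    """Join `count` words, each drawn uniformly with the OS CSPRNG."""
    if count < 4:
        raise ValueError("use at least four words")
    if len(set(words)) != len(words):
        raise ValueError("duplicate words shrink the real pool")
    return sep.join(secrets.choice(words) for _ in range(count))


def random_string(length=20, alphabet=ALPHABET):
    """Manager-style random string: every character drawn independently."""
    if length < 20:
        raise ValueError("use at least 20 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(pool_size, picks):
    """Entropy when each of `picks` items is drawn uniformly from the pool.
    Valid only for random draws, not for a phrase a person made up."""
    return picks * math.log2(pool_size)


def words_needed(pool_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS), f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
    print(f"4 words from 7776: {entropy_bits(7776, 4):.1f} bits")
    print(random_string(), f"{entropy_bits(len(ALPHABET), 20):.1f} bits")
```

Four words from the 32-word sample give only 20 bits, the same four-word phrase from a 7776-word list gives about 51.7 bits, and a 20-character random string over 94 symbols gives about 131 bits.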

Multi-factor is still required

Even great passwords can be phished. Add 2FA—SMS is the most practical starting point for many users.

Frequently asked questions

How long is enough?
Aim for 14+ characters for memorised passphrases; longer random strings from managers are better.

Should I change passwords monthly?
Only after a breach or a suspected compromise; rotating strong unique passwords on a calendar alone is less helpful than uniqueness + 2FA.

Are password strength meters reliable?
They are rough guides only; some reward predictable patterns.

Writing passwords on paper?
Better than reuse for low-tech users. Store the paper somewhere physically secure, and prefer managers when possible.