In 2023, the password '123456' was still the most commonly used password in data breaches worldwide. The second most common was '123456789'. Password weakness isn't a problem caused by a lack of security tools or information - those have existed for years. It's a human behavior problem driven by the genuine difficulty of creating and remembering dozens of strong, unique passwords for dozens of accounts.
The solution isn't willpower or better memory. It's understanding what actually makes a password strong, using tools to generate secure passwords automatically, and using a password manager so you only have to remember one master password. Once you set this up, having a unique strong password for every account you own is no harder than using the same weak password everywhere.
What 'Strong' Actually Means
Password strength is fundamentally about how long it would take an attacker to guess it. This depends on two things: the length of the password, and the size of the character set it's drawn from. A password made only from lowercase letters has 26 possible characters per position. Add uppercase letters and you have 52. Add digits and you have 62. Add common symbols and you have around 95.
The number of possible passwords grows exponentially with length. A 6-character password using lowercase letters has about 309 million possible combinations - a modern computer can try all of them in under a second. A 12-character password using the full character set of 95 printable characters has about 540 quintillion possible combinations - at a billion guesses per second, that would take over 17,000 years to exhaust.
The practical takeaway is that length matters more than complexity, though both contribute. A long password with a mix of character types is far stronger than a short password with many special characters. Most security experts now recommend passwords of at least 16 characters.
Why Dictionary Words Don't Work
Attackers don't always try every possible character combination starting from 'aaaaaaa'. They use dictionary attacks, which try common words, names, and phrases first. A dictionary attack might include millions of common words, names, song lyrics, sports team names, movie titles, and previously leaked passwords. It also includes common substitutions: replacing 'a' with '@', 'e' with '3', 'o' with '0'.
This means 'P@ssw0rd' is not a strong password despite containing uppercase, lowercase, a number, and a symbol. Attackers have been trying that specific pattern for decades. The word 'password' with character substitutions is one of the first things a dictionary attack tries. The complexity requirements that many sites enforce - uppercase, number, symbol - were designed to defeat simple brute force, but they don't help much against dictionary attacks and they've also made passwords harder to remember without making them meaningfully stronger.
The Passphrase Alternative
A passphrase is a password made from a sequence of random words rather than a random mix of characters. 'correct-horse-battery-staple' is the canonical example from a famous XKCD comic. Four random common words produce a password that's extremely long, resistant to dictionary attacks because of its random word combination, and significantly easier to remember than 'Kx9#mP2@vL'.
The randomness of word selection is critical here. 'ilovemydogspot' is not a strong passphrase because those words are related and predictable. 'purple-table-running-seven' is much stronger because the words are random and unrelated. Password managers can generate random passphrases as well as random character sequences, and the passphrase format is particularly useful for passwords you actually need to type, like your computer login or the master password for your password manager.
The Critical Importance of Unique Passwords
Using the same password across multiple accounts is one of the most dangerous password practices, and it's so common that there's a name for the attack that exploits it: credential stuffing. When a website gets breached and millions of username/password pairs are leaked, attackers immediately try those credentials on every other major website. Email, banking, social media, shopping accounts - they all get tried automatically.
If you've reused a password and one of the sites you used it on gets breached, every account using that password is compromised. This happens millions of times every month. The Have I Been Pwned service has indexed over 12 billion compromised accounts from thousands of breaches. The only effective defense is a unique password for every account, which is only practical with a password manager.
Password Managers: The Missing Piece
A password manager stores your passwords in an encrypted vault that you unlock with a single master password. It integrates with your browser to fill in login credentials automatically, which means using a 20-character random password is no harder than using the same four-character password everywhere. Most password managers also generate strong passwords for you when you create new accounts.
Free and open-source options like Bitwarden are genuinely excellent. Bitwarden is fully audited, has apps for every platform, includes browser extensions for auto-fill, and supports two-factor authentication for the vault itself. If you're not already using a password manager, setting one up and migrating your existing passwords is probably the single highest-impact security improvement you can make.
Using a Password Generator
A free online password generator creates cryptographically random passwords to your specifications. You can set the length, choose which character types to include, and generate multiple options at once. The generation happens in your browser, so the passwords are never transmitted over any network.
For most accounts, generate a password of 16 to 20 characters using uppercase, lowercase, numbers, and symbols. Copy it directly into your password manager's notes field or let the password manager store it automatically. Don't type it somewhere first - transcription errors in long random passwords are easy to make and hard to diagnose.
Online Quick Tools provides a free password generator with full control over length and character types, running entirely in your browser. Generating a strong, unique password for a new account takes about five seconds.
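The arithmetic behind the search-space comparison above, together with the two generation styles the article recommends (random characters and random words), as an added example that is not code from Online Quick Tools or any password manager. The wordlist is a constructed toy list; `FULL_SET` and the 1e9 guesses/second rate are assumptions matching the article's figures.

```python
import math
import secrets
import string

# Character sets as the article counts them (the "full" set here is the 94
# non-space printable ASCII characters; the article's "around 95" adds space).
FULL_SET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy wordlist for the demo; a real passphrase generator draws
# from a list of several thousand words so each word adds ~12-13 bits.
WORDS = ["purple", "table", "running", "seven", "battery", "staple",
         "horse", "correct", "lantern", "river", "copper", "marble"]


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = 1e9) -> float:
    """Worst-case time for an attacker trying every candidate."""
    return search_space(alphabet_size, length) / guesses_per_second


def generate_password(length: int = 20, alphabet: str = FULL_SET) -> str:
    """Random character password; `secrets` uses the OS CSPRNG, not random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=WORDS, sep: str = "-") -> str:
    """Random-word passphrase in the correct-horse-battery-staple style."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for size, length in [(26, 6), (95, 12)]:
        print(f"{size}^{length}: {search_space(size, length):.3e} candidates, "
              f"{entropy_bits(size, length):.1f} bits, "
              f"{seconds_to_exhaust(size, length) / 31_557_600:.1f} years at 1e9/s")
    print(generate_password(16))
    print(generate_passphrase())
```

With the toy 12-word list a four-word passphrase carries only about 14 bits, which is why the size of the wordlist, not just the word count, decides passphrase strength.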
