
How to create a strong password and manage it safely

7 min read

You create a strong password by making it long (12–16+ characters), unique to each account and free of guessable information — a passphrase of several random words works well. To avoid having to remember dozens of them (and reusing them as a result), use a password manager and enable 2FA on important accounts.

A password is still the first lock on the door to almost every account. Unfortunately, weak, guessable and reused passwords are one of the most common ways attackers get into company systems. The good news is that a few simple rules and the right tool reduce this risk dramatically.

What makes a password strong

  • Length beats character complexity: a 12–16 character password is far stronger than a short one with special symbols.
  • Uniqueness: a separate password for each account, so one leak does not affect them all.
  • Unguessable: no names, birthdays, company name or "Password123".
  • A passphrase: a combination of a few random words is easy to remember and hard to crack.

The most common mistakes

  • The same password for work, email and social media.
  • Storing passwords on sticky notes, in an Excel file or unprotected browser notes.
  • Small variations (Password1, Password2) — easy to guess.
  • Sharing a password with colleagues via messages or email.

Why reuse is so dangerous

When a website suffers a data breach, its passwords end up in attackers’ databases. Attackers then automatically try the same logins elsewhere — a bank, a work email, other business systems. This attack is called "credential stuffing" and it works precisely because people reuse the same password. One unique password per account breaks this chain.

A password manager: the simple solution

It is unrealistic to remember dozens of unique, long passwords — which is why people reuse them. A password manager solves this: it generates and stores strong, unique passwords, and you only need to remember one master password. It also helps you spot phishing, because it will not fill a password on a fake domain that does not match the saved one.

  • Generates long, random passwords for every account.
  • Autofills only on correct domains — protection against fake pages.
  • Lets you share access safely within the team, with no passwords in messages.
  • Warns about reused passwords or ones found in breaches.

What the business should do

Agree on a clear password policy: a manager for the whole team, unique passwords, mandatory 2FA on important systems and no shared passwords via messages. Rules only work when employees understand why they matter — so password hygiene should be part of regular security training, not a one-off document.

Frequently asked questions

What counts as a strong password?

At least 12–16 characters, unique to each account and free of guessable information. A passphrase of several random words that is easy to remember works well.

Is it safe to use a password manager?

Yes. A reputable password manager is far safer than reusing passwords or keeping them in a file — it encrypts your data and prevents many mistakes.

Do I need to change passwords periodically?

Forced frequent changes often lead to weaker, predictable variants. It is more important to have unique, strong passwords with 2FA, and to change them when you suspect a leak.

Which is stronger: "Xy7$q!" or four random words?

A four-random-word passphrase is usually stronger and far easier to remember than a short set of symbols, because strength comes from length, not complexity.
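To put numbers on this answer, here is an added example (not part of the original article) that estimates the guessing strength of a short symbol password versus a passphrase, and generates a passphrase with a cryptographically secure random source. It assumes a 7776-word list (the size of a standard diceware list); the small word list embedded below is a constructed stand-in, so real passphrases should be drawn from the full list.

```python
import math
import secrets

# Constructed stand-in for a real word list; a real diceware list has 7776 words.
SAMPLE_WORDS = ["anchor", "bottle", "canyon", "dragon", "ember", "falcon",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nectar", "orbit", "pepper"]
DICEWARE_SIZE = 7776


def passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly with secrets (a CSPRNG), never random.choice."""
    return separator.join(secrets.choice(words) for _ in range(count))


def charset_size(password):
    """Size of the alphabet an attacker must search for a per-character brute force."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32  # printable ASCII punctuation
    return size


def password_bits(password):
    """Upper-bound entropy of a character password: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count, wordlist_size=DICEWARE_SIZE):
    """Entropy of a random passphrase: attackers guess whole words, not letters,
    so strength comes from the number of words and the list size."""
    return word_count * math.log2(wordlist_size)


def compare(password, word_count=4, wordlist_size=DICEWARE_SIZE):
    """Return both estimates rounded to one decimal for side-by-side comparison."""
    return {
        "password_bits": round(password_bits(password), 1),
        "passphrase_bits": round(passphrase_bits(word_count, wordlist_size), 1),
    }


if __name__ == "__main__":
    print(compare("Xy7$q!"))          # {'password_bits': 39.3, 'passphrase_bits': 51.7}
    print(passphrase(SAMPLE_WORDS))  # e.g. falcon-orbit-kettle-anchor
```

The symbol password from the question gets about 39 bits even under a generous model, while four words from a 7776-word list give about 52 bits, roughly 5000 times more guesses for an attacker.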

Where should I store passwords if not in my head?

In a reputable password manager. It encrypts your data, and you only need to remember one master password. Do not keep them on sticky notes or in an unprotected file.
