
How to Create a Strong Password
Most people use passwords that are easy to remember — which also makes them easy for criminals to crack. A strong password is long, unpredictable, and used only on one account. Here is how to create one, and how to manage them without going mad.
What Makes a Password Strong?
A password's strength comes from two things: length and unpredictability.
Length matters most. A 16-character password is exponentially harder to crack than an 8-character one, even if the shorter one uses symbols and numbers.
Unpredictability is second. Password123! technically contains uppercase letters, numbers, and a symbol, but cracking software knows this pattern (a dictionary word, capitalised, followed by digits and a trailing symbol) and tests it first. cloud-river-jacket-42 uses only letters, digits and hyphens, yet it is far stronger because it is longer and is built from words chosen at random, with no connection to each other or to you.
The Three-Word Method (NCSC Recommended)
The National Cyber Security Centre recommends combining three random words:
cloud-river-jacket
Tuesday-mango-library
purple-anchor-swimming
Add a number and symbol to make it stronger: cloud-river-jacket!42. Pick them at random rather than falling back on a habit such as "!1" or the current year, which crackers also try first.
The key word is random: avoid words connected to you. Your pet's name, your street, your birthday, your football team are the things criminals check first.
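As an added example, not NCSC's or this guide's own code, the generator below draws words with Python's `secrets` module (the operating system's cryptographic random source) and estimates how much entropy the result carries, so the "length beats complexity" claim above can be checked with numbers. The 32-word list is a constructed stand-in so the script runs offline; the 7,776-word size of the EFF long word list and the figure of 10 billion guesses per second for an offline attack are assumptions used only for the comparison.

```python
"""Three-word passphrase generator with an entropy estimate.

Added example for this guide, not NCSC code. Assumes a large word list is
available at runtime (the EFF long list has 7,776 words); the list embedded
here is a constructed 32-word stand-in so the script runs offline.
"""
import math
import secrets
import string

# Constructed sample list. Real generators use thousands of words; the
# figures printed below are also computed for the EFF long list size.
SAMPLE_WORDS = [
    "cloud", "river", "jacket", "mango", "library", "purple", "anchor",
    "swimming", "copper", "violin", "tundra", "basket", "comet", "garlic",
    "harbour", "lantern", "meadow", "nickel", "orchard", "pepper", "quartz",
    "saddle", "thimble", "umbrella", "velvet", "walnut", "yoghurt", "zebra",
    "candle", "dolphin", "ember", "falcon",
]
EFF_LONG_LIST_SIZE = 7776  # 6^5 words, one per five dice rolls (assumed figure)


def passphrase(words, count=3, sep="-"):
    """Join `count` words drawn uniformly at random from `words`.

    secrets.choice uses the OS CSPRNG. random.choice must not be used here:
    the Mersenne Twister is predictable once an attacker sees some output.
    """
    if count < 3:
        raise ValueError("use at least three words")
    return sep.join(secrets.choice(words) for _ in range(count))


def random_suffix(digits=2, symbols="!@#$%^&*"):
    """Symbol-and-number suffix drawn at random, e.g. '!42'.

    A suffix only adds strength if it is random. A habitual '!1' or the
    current year is part of the pattern crackers try first and adds ~0 bits.
    """
    number = "".join(secrets.choice(string.digits) for _ in range(digits))
    return secrets.choice(symbols) + number


def entropy_bits(pool_size, count):
    """Bits of entropy in `count` independent uniform draws from `pool_size` options."""
    return count * math.log2(pool_size)


def crack_seconds(bits, guesses_per_second=1e10):
    """Expected seconds for an exhaustive search (half the space on average).

    1e10 guesses/s is an assumed offline rate against a fast hash.
    """
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("example:", passphrase(SAMPLE_WORDS) + random_suffix())
    for label, pool, n in [
        ("3 words, 32-word sample list", len(SAMPLE_WORDS), 3),
        ("3 words, EFF long list", EFF_LONG_LIST_SIZE, 3),
        ("4 words, EFF long list", EFF_LONG_LIST_SIZE, 4),
        ("8 random printable ASCII chars", 95, 8),
        ("16 random lowercase letters", 26, 16),
    ]:
        bits = entropy_bits(pool, n)
        years = crack_seconds(bits) / (86400 * 365)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.2e} years")
```

Two things the numbers show: three words from a 7,776-word list give roughly 39 bits, four words about 52 bits, which is why a larger list or a fourth word helps more than a tacked-on symbol; and 16 random lowercase letters (about 75 bits) beat 8 random characters from the full printable set (about 53 bits), which is the length-over-complexity point made above.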
What to Avoid
- ⚠️Your name, date of birth, or address
- ⚠️"password", "123456", "qwerty" — among the most common passwords in the UK every year
- ⚠️The same password on more than one account — if one site is breached, every account with that password is at risk
- ⚠️Variations of an old password ("Password1" → "Password2")
- ⚠️Keyboard patterns like "qwerty" or "asdfgh"
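Every item in this list can be checked mechanically, which is what the denylist step of a good password policy does. The screening function below is an added example, not code from this guide: its common-password set is a constructed stand-in for a real breach-derived list, the personal details passed to it are made up, and the 14-character minimum is taken from the FAQ at the end of this page.

```python
"""Screen a candidate password against the 'What to avoid' list.

Added example for this guide, not the guide's own code. Flags common
passwords, personal details, keyboard walks, and an incremented variant of
a previous password. COMMON_PASSWORDS is a constructed stand-in for a
breach-derived denylist with hundreds of thousands of entries.
"""
import re
from typing import Iterable, List, Optional

COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "liverpool", "football", "welcome",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 14  # the guide's "aim for at least 14 characters"


def normalise(pw: str) -> str:
    """Lower-case and drop trailing digits/symbols: 'Password2!' -> 'password'.

    Crackers apply the same rule in reverse ('append a digit, append a
    symbol'), so two passwords that normalise alike are the same guess.
    """
    return re.sub(r"[^a-z]+$", "", pw.lower())


def keyboard_walk(pw: str, min_len: int = 4) -> Optional[str]:
    """Return the first run of min_len+ adjacent keyboard keys found, else None."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):  # qwer and rewq both count
            for i in range(len(direction) - min_len + 1):
                chunk = direction[i:i + min_len]
                if chunk in low:
                    return chunk
    return None


def check(pw: str, personal: Iterable[str] = (), previous: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate fails the guide's advice; [] means it passes.

    `personal` holds details an attacker could look up (names, pets, team,
    birth year); `previous` is the password being replaced, if any.
    """
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            reasons.append(f"contains personal detail {item!r}")
    walk = keyboard_walk(pw)
    if walk:
        reasons.append(f"keyboard pattern {walk!r}")
    if previous is not None and normalise(pw) == normalise(previous):
        reasons.append("variation of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed profile for the demo; nothing here is a real person.
    profile = ("Sam Patel", "Fluffy", "Arsenal", "1987")
    for candidate, prev in [
        ("Password2!", "Password1!"),
        ("Fluffy2019!qwerty", None),
        ("cloud-river-jacket!42", None),
    ]:
        verdict = check(candidate, personal=profile, previous=prev)
        print(candidate, "->", verdict or "ok")
```

The normalise step is the part worth copying: checking the literal string against a denylist misses "Password2!", while stripping the trailing digits and symbols first catches it, and the same comparison detects the "Password1" to "Password2" increment that a forced reset produces.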
How to Manage Multiple Strong Passwords
If every account needs a unique, strong password, you cannot possibly remember them all — and you should not try. This is exactly what password managers are for.
A password manager stores all your passwords in an encrypted vault, protected by one master password. You remember one; it remembers the rest.
Both free and paid options (around £1–4 a month) are available.
Your master password should be a long passphrase you have memorised and have never used anywhere else.
How Often Should You Change Your Passwords?
The old advice was to change every 90 days. The NCSC has updated this guidance: frequent mandatory changes lead to weaker passwords (people simply increment: “Password1” → “Password2”).
Change a password when:
- There is a sign it may have been compromised
- A service you use reports a data breach
- You realise a password is weak or shared with another account
Do not change strong, unique passwords on a fixed schedule just because time has passed.
Passwords Are Not Enough on Their Own
Even the strongest password can be stolen in a phishing attack or data breach. Enable two-factor authentication (2FA) on every important account, especially your email (which can reset everything else), banking, and social media. A stolen password alone is then not enough to log in. Where the service offers a choice, an authenticator app or a hardware security key is stronger than a code sent by SMS.
Frequently asked questions
What is the strongest type of password?
A long, random passphrase (three or more unconnected random words) or a randomly generated string from a password manager. Aim for at least 14 characters. Length matters more than complexity.
Is a password manager safe to use?
Yes. Reputable managers like Bitwarden and 1Password use strong encryption. Your passwords are far safer in a password manager than written down, stored in a browser, or — worst of all — reused across multiple sites.
How often should I change my passwords?
Change them when there is a specific reason — a breach, a sign of compromise, or when you realise a password is weak or reused. The NCSC no longer recommends changing strong passwords on a fixed schedule.