calculator
What Makes a Strong Password?
The most effective passwords are long, unique, and difficult to predict. Current NIST best practices recommend a minimum of 15 characters when a password is the only authentication factor. Prioritize length and breached-password screening over mandatory combinations of uppercase letters, numbers, and symbols.
Make it long
Aim for at least 15 characters.
Every additional character increases the number of possible combinations an attacker must test.
Make it unique
Use a different password for every account. Reusing a password allows attackers to try credentials stolen from one service against many others.
Make it unpredictable
Avoid names, dates, company terms, keyboard patterns, and common phrases. Attackers test likely choices before attempting every possible combination.
Try a passphrase
Combine several unrelated words. A long, random passphrase can be easier to remember than a short string of symbols. Avoid quotations, song lyrics, or familiar expressions.
Use a password manager
Generate and store unique passwords securely. A password manager removes the need to memorize a different complex password for every account.
Add another layer
Turn on MFA or use a passkey whenever possible. A strong password alone cannot protect you if it is stolen through phishing or malware. Adding more layers is crucial.
Keep these password best practices in mind when creating yours.
Most Common Password Mistakes
Reusing one password
ne exposed password can place several accounts at risk.
Making predictable changes
Adding a year, exclamation point, or number to an old password does not necessarily make it difficult to guess.
Using personal information
Avoid birthdays, pet names, family names, favorite teams, addresses, and workplace information.
Choosing short passwords
A short password with several symbols may still be weaker than a long, random passphrase.
Using obvious substitutions
Attackers know that people replace letters with similar-looking characters, such as "a" with @ or "o" with 0.
Add another layer
Turn on MFA or use a passkey whenever possible. A strong password alone cannot protect you if it is stolen through phishing or malware. Adding more layers is crucial.
Change your password when it has been compromised, shared, reused, or exposed.
Why Password Security Matters
Password reuse turns one stolen credential into multiple opportunities for account takeover. Long, unique passwords reduce that risk, while MFA or passkeys provide protection when a password is exposed.