How to Create a Strong Password (the Modern Way)

· password-manager

The single most important rule for a strong password is length — a long passphrase beats a short, complicated one. Modern security guidance has flipped the old advice: instead of “P@ssw0rd!” with forced symbols you can’t remember, aim for a long, unique, unpredictable phrase. Better still, let a password manager generate and remember it for you. Here’s the modern, evidence-based way to do passwords right.

Reviewed and kept current by the Coppers.io editorial team — see how we research .

The rules have changed

For years we were told to use short passwords stuffed with uppercase, numbers, and symbols, and to change them every 90 days. Research showed this backfired — people made predictable substitutions (“o” → “0”), reused patterns, and wrote them down. The current US NIST 800-63B guidance and the UK’s NCSC now emphasise length, uniqueness, and not forcing arbitrary complexity or routine resets.

What actually makes a password strong:

  1. Length — the most important factor by far. Each extra character multiplies the effort to crack it. Aim for at least 12–16 characters, more for important accounts.
  2. Uniqueness — a different password for every account, so one breach can’t unlock the rest.
  3. Unpredictability — not based on personal info, common words, or keyboard patterns.

The passphrase method (for ones you must remember)

For the few passwords you type by hand — your device login and your password manager’s master password — use a passphrase: several random, unrelated words strung together.

  • Pick four or more random words that don’t form a normal sentence: copper-lantern-violet-engine.
  • It’s long (easy for you, hard for computers), and far stronger than Tr0ub4dor&3.
  • Add a number or symbol if a site demands it, but length is doing the real work.

The trick is randomness — correct horse battery staple is the famous example, but don’t use a phrase you’ve seen published. Make your own.

What to avoid

  • Personal information — names, birthdays, pets, addresses (all easily found).
  • Common words and predictable substitutionspassword, qwerty, letmein, P@ssw0rd.
  • Reusing passwords across sites — the single biggest real-world risk.
  • Sequential or keyboard patterns123456, abcdef, qwerty.
  • Short passwords, no matter how “complex” they look.

The honest truth: don’t memorise most of them

Here’s what security professionals actually do: they don’t create or remember most of their passwords at all. A password manager generates a long, random, unique password for every account and fills it in automatically. You only need to remember one strong master passphrase; the manager handles the rest.

This solves the core tension — strong passwords are hard to remember, and memorable ones are weak. Let software win on both. See how password managers work if you’re new to them.

Layer on 2FA and passkeys

Even a perfect password can be phished or caught in a breach, so don’t stop at the password:

  • Turn on two-factor authentication for every account that supports it — a stolen password then isn’t enough.
  • Adopt passkeys where offered — they replace the password with a phishing-resistant cryptographic login, the strongest option of all.

Think of it as defence in depth: a strong unique password, plus 2FA, plus passkeys as they roll out.

Quick checklist

  • ✅ At least 12–16 characters (longer for important accounts)
  • ✅ Unique to each account
  • ✅ A random passphrase for the few you type by hand
  • ✅ Generated and stored in a password manager for the rest
  • ✅ 2FA enabled, passkeys adopted where available
  • ❌ No personal info, common words, or reuse

The bottom line

Creating a strong password in 2026 is simpler than the old rules made it: go long, keep every one unique, and avoid anything predictable. Use a random passphrase for the handful you must remember, and let a password manager generate and store the rest. Add 2FA and passkeys, and you’ve covered the realistic ways accounts get broken into.

FAQs

  • Length, uniqueness, and unpredictability. A long passphrase of several random words is stronger than a short password full of symbols. Each password should be unique to its account and avoid personal information, common words, and predictable patterns.
  • Aim for at least 12 to 16 characters, and longer for important accounts like email and banking. Length is the most important factor because each extra character dramatically increases the time needed to crack it.
  • Usually, yes. A passphrase of four or more random, unrelated words is long, hard for computers to crack, and easy for you to remember — unlike a short password stuffed with symbols that people tend to make predictable. Length beats forced complexity.
  • Modern guidance says no to routine scheduled changes, which led people to weak, predictable variations. Instead, use strong unique passwords and only change one if it's been exposed in a breach or you suspect compromise. Add 2FA for extra protection.
  • No — and you shouldn't try. Use a password manager to generate and store a long, unique password for every account, and remember just one strong master passphrase. This gives you strong, unique passwords everywhere without the memory burden.