
Take any password you think is strong and make it stronger.
Seriously. There’s a good chance that what you think is strong isn’t, or it won’t be in the near future.
Unfortunately, many people do the exact opposite, opting for some of the worst passwords you can think of. Don’t do that.

Make passwords stronger
- Regular reports of the most popular passwords remain very disheartening.
- Length trumps everything.
- Long passwords don’t have to be hard.
- Password managers make long, strong passwords easy to deal with.
- Take the time to replace your weak passwords.
And the most popular password is…
According to NordPass’s Top 200 Most Common Passwords, the top five include:
- 123456
- 123456789
- 12345678
- password
- qwerty123
The rest of the list is more diverse but just as obvious, including passwords like “iloveyou”, “qwerty”, “charlie”, “donald”, and many more horrific choices.
Not only are they simple, easy to guess, and clearly on the list of the very first passwords hackers try, but they also suffer from the greatest sin of all, in my opinion.
They’re short.
Length matters most
When it comes to passwords, length trumps everything. For example, let’s take that #1 offender above.
123456
A six-character password. Ugh. But adding a simple pattern to turn it into a 20-character password makes it a pretty reasonable choice.
****** 123456 ******
All I did was add six asterisks before and after, separated by a space on each side. And yes, as simple as that pattern appears to be, it’s a strong password. Much stronger than 123456 and just as easy to remember. (Caveat: it’s a weaker password because I just published it here as an example. Don’t use this exact password; use it as an example of a simple technique to lengthen otherwise poor passwords.)
Today, your goal should be 12 characters at a bare minimum, but preferably something like 16 or more. Using a password manager makes it trivial to use lengthy passwords. Personally, I’ve standardized on 20-character passwords.
Again, length trumps everything.
Long doesn’t have to mean hard
I’ll admit that throwing asterisks before and after a password doesn’t feel secure, even though it is. It just doesn’t feel like we did enough work.
But to build on perhaps the most quoted XKCD comic of all time — Correct Horse Battery Staple[1] — combining unrelated words can be both strong and memorable.
I recently set up an account for a friend and did exactly that. When it came time to generate a password, I looked around my desk, picked three random items I saw, combined them with a fourth item this friend and I had in common, and — poof — a password that was long, strong, and easy to remember.
Here’s a different example using that technique.
SpeakerCoffeeMixerFacebook
That’s a 26-character password. If you need special characters, add spaces, or an exclamation point in what, for you, might be a “standard” location, like at the end or after the first word.
Password managers make it even easier
As easy as that password is to create, and as memorable as it may be, if you have a lot of different passwords (and who doesn’t), it can be difficult to keep ’em all straight. Enter the password manager, which remembers them for you. That way, you only have to remember one password of the long and memorable variety, and the password manager does the rest.
Because I use a password manager (1Password), I don’t bother combining words for most of my passwords. I go all-in and let the secure password generator do the trick. For example, most of my passwords look like this:
xMpba3HxDFvKk73mrAfA
That’s 20 characters of completely random alpha-numeric data. If I need a special character, I’ll throw one in somewhere, making it a 21-character password.
I can’t tell you any of my passwords except the one to my password vault.
Do this
I talk about passwords and password strength a lot because, like it or not, passwords will continue to be an important part of your online and account security for some time. Passkeys will eventually replace them, but that’s going to take a long time. Even when you use two-factor authentication — as you should, if it’s offered — you’re still relying on the strength of your password as your first line of defense.
Review your passwords and replace short ones with something longer and more secure. At least 12, but preferably more like 16 characters or longer.
And if you’re using anything on this list, don’t delay a moment longer. Go change that password now.
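To make that review concrete, here is an added example (not code from Ask Leo! or any password manager) that applies the article's rules to the passwords printed above: it flags the common ones, checks the 12 and 16 character thresholds, and reports the exhaustive-search space in bits. The function names and the 33-symbol count for printable ASCII punctuation plus space are assumptions of this sketch, and the bit figure is an upper bound, since a dictionary or pattern guess can be much cheaper than exhaustive search.

```python
import math
import secrets
import string

# Passwords the article names as common (set constructed from its text).
COMMON = {"123456", "123456789", "12345678", "password", "qwerty123",
          "iloveyou", "qwerty", "charlie", "donald"}
MINIMUM, PREFERRED = 12, 16  # the article's length thresholds


def alphabet_size(pw):
    """Size of the character pool an exhaustive search must cover for pw."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    size = sum(len(p) for p in pools if any(c in p for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += 33  # assumption: printable ASCII punctuation (32) plus space
    return size


def brute_force_bits(pw):
    """Upper bound on guessing work: length * log2(alphabet size)."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0


def audit(pw):
    """Classify pw by the article's rules: common, short, ok or good."""
    if pw.lower() in COMMON:
        return "common"
    if len(pw) < MINIMUM:
        return "short"
    return "good" if len(pw) >= PREFERRED else "ok"


def generate(length=20):
    """Random alphanumeric password, same shape as the 20-character example."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Samples are the passwords published in the article, so none are usable.
    for pw in ["123456", "****** 123456 ******",
               "SpeakerCoffeeMixerFacebook", "xMpba3HxDFvKk73mrAfA"]:
        print(f"{pw!r:30} len={len(pw):2} "
              f"bits<={brute_force_bits(pw):6.1f} {audit(pw)}")
    print("fresh:", generate())
```
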
Footnotes & References
1: Which I did not have to look up — it’s that memorable.