
Your Password Is Probably Terrible. Here's Why - and a Better Way.

Most people's passwords follow the same predictable patterns. Attackers know those patterns too. Here's what actually makes a password secure, why complexity requirements often backfire, and what to do instead.

By PM Project Change · 5 min read · May 2026

The password you think is clever isn't

There's a version of this conversation that's happened in every workplace, every family, and every IT helpdesk queue. Someone gets locked out. The investigation reveals the password was the name of a pet, a child, a favourite sports team - followed by a number and an exclamation mark.

"Fluffy1!" is not a secure password. Neither is "Summer2024!" or "P@ssw0rd" or any variation that starts with a dictionary word and ends with a character substitution. Attackers have dictionaries of these patterns. They try them first.

The problem isn't that people are careless. It's that the way most people think about password security doesn't match how password attacks actually work.

How passwords actually get cracked

It's not a hacker manually guessing. It's software running through millions of options per second.

Modern password cracking isn't a person sitting at a keyboard trying names. It's software that can test billions of combinations per second against a stolen password database. When a service gets breached and password hashes are leaked, attackers run automated tools against those hashes until they find matches.

Those tools aren't just trying random combinations. They work through known patterns first - common words, common substitutions (@ for a, 0 for o, 3 for e), common suffixes (years, ! at the end), and leaked passwords from previous breaches. "Correct Horse Battery Staple" is more secure than "P@ssw0rd!" even though it looks simpler, because length and randomness matter more than character substitution tricks.

Dictionary attacks

Software runs through lists of common words, names, and known passwords. If your password is a real word in any language, it'll be tried early.

Credential stuffing

If you've reused a password across sites and one site gets breached, attackers try that username and password combination on every other major service automatically.

Brute force

Trying every possible combination. Impractical for long passwords - a 16-character random string would take centuries. Very practical for 6-8 character passwords.

What actually makes a password secure

Two things. Length and randomness. In that order.

The security guidance that tells you to include uppercase, lowercase, numbers, and symbols isn't wrong - but it's less important than length. A 20-character lowercase random string is harder to crack than an 8-character string with every character type represented.

Randomness matters because humans are predictable. Any pattern a human finds memorable - a name, a date, a word with substitutions - is a pattern an attacker has already accounted for. True randomness, generated by a computer rather than chosen by a person, is significantly more secure than anything you'd come up with yourself.

Length over complexity

Aim for 16 characters minimum for important accounts. 20+ for anything high-value. Every additional character multiplies the combinations an attacker needs to try.

Unique per site

One breach shouldn't compromise every account you own. If you're reusing passwords, you're one leaked database away from losing access to everything at once.

Computer-generated

A generator produces genuinely random strings that don't follow human patterns. No word, no name, no date - just entropy.

Paired with MFA

Multi-factor authentication means a stolen password alone isn't enough. Enable it on every account that offers it, especially email, banking, and work systems.

The honest fix: use a password manager. Generate a unique random password for every site, store it in the manager, and only remember one strong master password. 1Password, Bitwarden, and Dashlane are the main options. Bitwarden has a solid free tier.

For when you need one right now

No password manager yet? Start here.

If you need a secure password immediately and haven't set up a password manager yet, a browser-based generator gives you a cryptographically random string without sending anything to a server. Generate it, copy it, use it. Nothing is stored.

It's not a long-term solution - a password manager is. But it's significantly better than another variation on your pet's name.
