
Strong passwords

A password is a form of authentication: a way of proving that yes, this is the user who owns this account.
Passwords protect access to just about every piece of digital information about us: bank accounts, private email, social networks, chat conversations, and much, much more.

Password attacks

Since so many user accounts are authenticated with a password, attackers are always looking for ways to uncover a user's password.
These are the most common ways:
  • Guessing
  • Brute-forcing, which is basically computer-assisted guessing at a much larger scale
  • Stuffing, where attackers find the credentials for one service and try them on another service
  • Malware, especially keyloggers
  • Phishing scams
Users can defend against malware and phishing scams by being careful about what they download and what emails they believe.
To defend against the attacks of guessing, brute-forcing, and stuffing, users need a strong password that can’t be easily obtained by someone with ill intent.

Picking a strong password

A strong password is:
  • Irregular, to avoid simple guessing. Have you ever “changed” a password by putting a "1" or a "!" at the end of it? An attacker will change it the same way!
  • Complex, to avoid brute-forcing. A strong password is long and includes more variety than just the letters of the alphabet, like numbers and symbols. There are 26^8 possible passwords that are 8 characters long and just made of lowercase letters, while there are 52^12 possible passwords that are 12 characters long and made up of both uppercase and lowercase letters. That's 208,827,064,576 versus a whopping 390,877,006,486,250,200,000 possibilities. A little bit of complexity goes a long way.
  • Single-use, to avoid stuffing attacks. If an attacker manages to discover a user's password for one service, they shouldn't be able to use that same password to get into all their other services.
At the same time, passwords need to be memorable. If a user forgets their password constantly, then it's not a very good password.
Here are ways that users can make passwords that are both memorable and strong:
  • Create an initialism. Simple words and common phrases are easier to guess. An initialism is made up of all the initials of a phrase. For example, you could take the phrase “I want to create a strong password” and turn that into a complex password like Iw2CR8a!!!pw. You could also make initialisms based on favorite song lyrics, and then you'll be singing your way through login screens. 🎶
  • Combine unrelated words together. Imagine you have a real paper dictionary (and maybe you do!). You randomly turn to a page, randomly point, and choose the word under your finger. Do that four times, combine the words with symbols, and you'll have a strong password like vivid-wrung-octopus-misapply.
  • Use a password manager. Perhaps you now have a few strong, memorable passwords in your head—but can you actually remember 40 of those? Password managers to the rescue! A password manager application can auto-generate strong passwords, keep track of all your passwords, and let you unlock access to your passwords with one very strong and memorable password.
🔍 You can search online for "password meter" and find webpages that will calculate the strength of passwords for you. For security reasons, you should not put one of your actual passwords in those meters, but you can try out other password ideas and see how strong they are.
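The keyspace comparison above (26^8 versus 52^12) and the "unrelated words" method can be worked through in code. The following is an added example, not part of the original article: it sizes a password's search space by the character classes it uses, and builds a random passphrase with a CSPRNG from a constructed toy word list (a real list would have thousands of words), whose strength depends on the list size rather than on how many letters the words happen to have.

```python
import math
import secrets
import string

# Character classes a password can draw from. The search space an attacker
# must brute-force is (size of the classes used) ** length, as in the article.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digits": string.digits,            # 10
    "symbols": string.punctuation,      # 32
}

def charset_size(password: str) -> int:
    """Sum the sizes of the character classes actually present in `password`."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Number of passwords with the same length over the same character classes."""
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the keyspace; a brute-force attacker needs about 2**bits guesses.
    Caveat: this model overrates dictionary words, which a guesser tries first."""
    return math.log2(keyspace(password)) if password else 0.0

# Constructed toy word list for the demo; a real diceware-style list is far larger.
WORDS = ["vivid", "wrung", "octopus", "misapply", "lantern", "copper", "glacier", "sprout"]

def passphrase(words=WORDS, count=4, sep="-") -> str:
    """Pick `count` random words with `secrets` (a CSPRNG, unlike `random`)."""
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_bits(wordlist_size: int, count: int) -> float:
    """Entropy of a random passphrase: count * log2(number of words to pick from)."""
    return count * math.log2(wordlist_size)

if __name__ == "__main__":
    for pw in ["password", "AbAbAbAbAbAb", "Iw2CR8a!!!pw", "vivid-wrung-octopus-misapply"]:
        print(f"{pw:30} keyspace={keyspace(pw):.3e}  bits={entropy_bits(pw):.1f}")
    print(passphrase(), f"(~{passphrase_bits(len(WORDS), 4):.1f} bits from this toy list)")
```

The second line of output reproduces the article's 52^12 figure, and the last line shows why a word list of only eight entries would be useless in practice: four picks give just 12 bits.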

Entering a password

Even if you've come up with a super strong password, you still need to be careful when you're actually typing the password:
  • Only fill in passwords over a secured connection. It's easy for malicious onlookers to see passwords sent over a non-secured Internet connection (and non-secured is the default!). When you're entering a password in the browser, look for the lock icon that indicates an HTTPS connection:
    [Screenshot: the Wikipedia login screen with filled-out username and password fields. A lock to the left of the URL signifies an HTTPS connection, and an arrow points at that lock.]
  • Watch out for shoulder surfers. If anyone is near you while you're typing your password, they might be trying to memorize what you're typing.
