Introduction
Passwords are the first line of defense for every account and system. Despite decades of password advice, most people still use weak passwords that can be cracked in seconds.
This guide covers password security best practices for 2025: how to create strong passwords, avoid common mistakes, and protect your accounts from compromise.
How It Works
Password strength is about entropy - how many possible combinations an attacker has to try. More entropy = harder to crack.
The math:
- 8-character password with lowercase only: 26^8 = 208 billion combinations (cracked in seconds)
- 8-character with mixed case + numbers + symbols: 95^8 = 6.6 quadrillion combinations (hours to days)
- 16-character with lowercase only: 26^16 = 43 quindecillion combinations (centuries)
Each additional character matters exponentially:
- 8 chars: 95^8 = 6.6 quadrillion
- 9 chars: 95^9 = 630 quadrillion (95x harder)
- 10 chars: 95^10 = 59 quintillion (95x harder again)
Modern GPUs can try billions of passwords per second. A weak 8-character password gets cracked in hours. A strong 16-character password takes millions of years.
Why length beats complexity:
- P@ssw0rd! (10 chars, complex) = 95^10 combinations
- correcthorsebatterystaple (25 chars, simple) = 26^25 combinations
The 25-character password is vastly stronger despite being “simpler.” Length is the multiplier.
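To make the arithmetic above concrete, here is an added example (not part of the original guide) that computes the keyspace, entropy in bits and worst-case crack time for the guide's own sample passwords. The character-class model and the 10-billion-guesses-per-second rate are assumptions, and the model is the same naive upper bound the guide uses: a passphrase built from dictionary words is weaker than 26^len if the attacker guesses whole words.

```python
import math

# Naive keyspace model used in the guide: character-class size ** length.
# It is an upper bound; a four-word dictionary passphrase has far fewer
# candidates than 26**25 if the attacker guesses whole words.
def charset_size(password: str) -> int:
    """Size of the smallest printable-ASCII class set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # the remaining printable ASCII symbols (95 - 62)
    return size

def keyspace(charset: int, length: int) -> int:
    """Number of candidates an attacker must try to exhaust the space."""
    return charset ** length

def entropy_bits(charset: int, length: int) -> float:
    """log2 of the keyspace: each extra character adds log2(charset) bits."""
    return length * math.log2(charset)

def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the keyspace at the given guess rate
    (on average the attacker succeeds after half the space)."""
    return keyspace(charset_size(password), len(password)) / guesses_per_second

def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

# Assumed rate: one GPU rig doing 10 billion fast-hash guesses per second.
GUESS_RATE = 1e10

if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "correcthorsebatterystaple", "xK9mP#vL2nQ@zR4w"):
        n = charset_size(pw)
        print(f"{pw:28} charset={n:2} len={len(pw):2} "
              f"bits={entropy_bits(n, len(pw)):6.1f} "
              f"crack={human_time(crack_seconds(pw, GUESS_RATE))}")
```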
Defense in depth:
Password security works in layers. No single defense stops every attack, but combining these strategies blocks most threats:
- Long passwords (16+ characters) make cracking impractical
- Unique passwords isolate breaches to single sites
- Password managers handle the complexity for you
- 2FA blocks attackers even if they steal your password
For a deep dive into how attackers compromise accounts and which defenses stop which attacks, see our Account Attack Vectors and Defense Layers guide.
Best Practices
1. Use a Password Manager
Why: You need 50-100+ unique passwords. Human memory can’t handle that. Password managers generate, store, and auto-fill strong passwords.
Available options (all solid choices):
- Bitwarden - Open source, free tier, self-hostable
- 1Password - User-friendly, family plans, travel mode
- Dashlane - VPN included, dark web monitoring
- KeePassXC - Fully offline, open source, no cloud
- LastPass - Free tier, established platform
- Proton Pass - Privacy-focused, from Proton Mail team
- Apple Keychain - Built into macOS/iOS, seamless integration
- Google Password Manager - Built into Chrome/Android, zero setup
Choose based on your needs: cross-platform support, self-hosting, privacy focus, or convenience. Any password manager is better than reusing passwords.
Setup checklist:
- Enable master password (20+ characters)
- Enable 2FA on the password manager itself
- Set up emergency access for trusted contacts
- Use auto-generated passwords (16-32 characters)
2. Generate Unique Passwords with Proper Length
Why: Length increases crack time exponentially. Uniqueness prevents credential stuffing attacks. You need both for real security.
The math:
- Adding one character: 60-100x harder to crack
- Adding special symbols: Only 2-4x harder
- Reusing passwords: Turns one breach into unlimited breaches
Length requirements:
- Personal accounts: 12+ characters minimum
- Work accounts: 16+ characters
- Admin/root accounts: 20+ characters
Examples:
- Weak:
- Weak: P@ssw0rd! (8 chars, complex) → Crack time: < 1 second
- Strong: correct-horse-battery-staple (28 chars, simple) → Crack time: centuries
Uniqueness requirement:
❌ Bad: Same password everywhere
- gmail: MyPassword123!
- bank: MyPassword123!
- work: MyPassword123!
→ One breach = all accounts compromised
✅ Good: Unique password per account
- gmail: xK9mP#vL2nQ@zR4w
- bank: tF6jH$wN8cX@pL3y
- work: aR5gS#dM9vB@kJ7n
→ Each breach is isolated
Key insight: 65% of people reuse passwords. Attackers know this. When LinkedIn gets breached, they test those passwords on every bank, email provider, and service. Don’t be part of that statistic.
3. Enable Two-Factor Authentication (2FA)
Why: Even if your password is compromised, attackers can’t access the account without the second factor.
2FA method comparison:
| Method | Security Level | Phishing Resistant | Works Offline | Cost | Best For |
|---|---|---|---|---|---|
| Hardware Keys (YubiKey, Titan) | Highest | ✓ Yes | ✓ Yes | $20-50 | High-value accounts |
| Authenticator Apps (Authy, Google Auth, Microsoft Auth) | High | ✓ Yes | ✓ Yes | Free | Most accounts |
| SMS Codes | Low | ✗ No (SIM swap) | ✗ No | Free | Last resort only |
| Email Codes | Low | ✗ No (email hijack) | ✗ No | Free | Avoid for critical accounts |
Priority order: Enable 2FA on email first (protects password resets), then banking, then everything else.
4. Audit Passwords Regularly
Why: Detect compromised credentials before attackers use them.
How to check for breaches:
Visit haveibeenpwned.com and enter your email to see if it appears in known data breaches.
Password manager security audit checklist:
- Weak passwords (less than 12 characters)
- Reused passwords across multiple accounts
- Old passwords (older than 1 year for critical accounts)
- Compromised passwords flagged by breach databases
Schedule: Run audits quarterly. Update any flagged passwords immediately.
Common Pitfalls
Using Personal Information
The problem:
- Password: John1985Smith - Includes: first name, birth year, last name
Why it’s bad: Attackers scrape social media for personal info. These are the first passwords they try.
The fix: Use completely random words or generated passwords. No names, birthdays, pet names, or addresses.
Simple Pattern Substitutions
The problem:
- Password → P@ssw0rd
- hello → h3ll0
- password123 → p@ssw0rd!23
Why it’s bad: Password crackers know these patterns. Dictionary + simple substitution attacks crack these in minutes.
The fix: Use truly random passwords from a password manager. No l33tspeak patterns.
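The defender's side of the two pitfalls above (personal information and simple substitutions) is a password check at signup or in a manager audit that undoes the leet substitutions and looks for known words, sequences and the user's own details. This is an added example, not code from the original guide; the substitution map, the tiny wordlist and the sequence list are constructed placeholders for a real breached-password blocklist.

```python
import re

# Leet substitutions the guide shows (P@ssw0rd, h3ll0, p@ssw0rd!23) mapped
# back to letters; constructed, a real checker uses a larger table.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "|": "l", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Tiny constructed stand-in for a real breached-password / dictionary blocklist.
COMMON_WORDS = ("password", "hello", "welcome", "letmein", "admin", "monkey")

# Keyboard walks and sequences named in the guide's checklist.
SEQUENCES = ("qwerty", "asdf", "zxcv", "1234", "abcd")

def normalize(password: str) -> str:
    """Undo leet substitutions and drop any remaining non-letters, so that
    'P@ssw0rd!23' becomes 'passwordi' and still matches the wordlist."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))

def weaknesses(password: str, personal_info: tuple = ()) -> list:
    """Return the reasons a password should be rejected (empty list = none).
    personal_info holds values an attacker could scrape: names, years, pets."""
    found = []
    if len(password) < 12:
        found.append("shorter than 12 characters")
    norm = normalize(password)
    for word in COMMON_WORDS:
        if word in norm:
            found.append(f"dictionary word '{word}' once substitutions are undone")
    low = password.lower()
    for seq in SEQUENCES:
        if seq in low:
            found.append(f"keyboard or number sequence '{seq}'")
    for item in personal_info:
        if item.lower() in low:
            found.append(f"personal information '{item}'")
    return found

if __name__ == "__main__":
    print(weaknesses("P@ssw0rd!23"))
    print(weaknesses("John1985Smith", ("John", "Smith", "1985")))
    print(weaknesses("xK9mP#vL2nQ@zR4w"))
```

A real blocklist would also contain famous passphrases such as correct-horse-battery-staple, which this toy wordlist lets through.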
Writing Passwords on Post-it Notes
The problem:
- Yellow sticky note on monitor: “Email: pass123”
- Notebook in desk drawer with all passwords
- Password taped under keyboard
Why it’s bad:
- Anyone with physical access can steal passwords
- Cleaning staff, coworkers, visitors can see them
- Lost/stolen notebooks expose all accounts
- Can’t update passwords easily - post-its multiply
The fix: Use a password manager. If you must write a password temporarily, destroy the note after memorizing it. Never leave passwords visible in your workspace.
Sharing Passwords via Text/Email
The problem:
- Text message: “WiFi password is MyHouse2024!”
- Email: “Here’s the admin password: admin123”
Why it’s bad:
- Stored in plain text on both devices
- Backed up to cloud services
- Potentially logged by carriers
- Accessible if phone is compromised
The fix: Use password sharing features in password managers. For temporary sharing, use services like OneTimeSecret.
Forcing Regular Password Changes
The problem:
Every 90 days: “Please change your password”
User creates:
- Q1: Password1!
- Q2: Password2!
- Q3: Password3!
Why it’s bad: Forced rotation leads to weak patterns. Modern security guidance (NIST) says don’t do this.
The fix: Change passwords only when:
- You suspect compromise
- The service was breached
- You used it on an untrusted device
- You shared it and now need to revoke access
Quick Reference Checklist
Creating a new password:
- At least 12 characters (16+ for important accounts)
- Unique (not used anywhere else)
- Generated by password manager or random words
- No personal information (names, dates, places)
- No simple patterns (123, abc, qwerty)
Account security:
- 2FA enabled (hardware key or authenticator app)
- Recovery email secured with 2FA
- Security questions answered with random data (stored in password manager)
- Login notifications enabled
Password manager setup:
- Strong master password (20+ characters)
- 2FA enabled on password manager
- Emergency access configured
- Regular backups (if self-hosted)
Physical security:
- No passwords written on paper or post-it notes
- Lock computer when leaving desk
- Don’t type passwords when others can see screen
- Use privacy screen if working in public
Standards and References
- NIST SP 800-63B - Digital Identity Guidelines (password requirements)
- OWASP Authentication Cheat Sheet - Security best practices
- haveibeenpwned.com - Check if your credentials are compromised
- Password Manager Comparison - Independent reviews
Summary
Strong password security in 2025: length over complexity, unique passwords for every account, and a password manager to handle the cognitive load. Two-factor authentication is mandatory for any account that matters.
Key takeaways:
- Use a password manager: Human memory can’t handle 50+ unique passwords
- Generate unique, long passwords: 16+ chars, different for every account
- Enable 2FA: Hardware keys > authenticator apps > SMS
- Check breaches: Audit passwords quarterly at haveibeenpwned.com
- Physical security matters: No post-it notes, lock your screen, use privacy filters