How to Create Strong Passwords That Survive a Data Breach
Key takeaways
- A strong password is long and unique: length beats a clever mix of symbols, and reusing one password is the single change that turns one breach into many.
- A passphrase of four or more random words is easy for you to remember and slow for a computer to guess.
- A password manager generates and stores a different long password for every account, so you only have to remember one master passphrase.
- Pair strong passwords with two-factor authentication: even a stolen password should not be enough to get into your account on its own.
- Assume some of your old passwords are already exposed; change the reused ones first, starting with email and banking.
A strong password is long, unique to one account, and ideally generated and stored by a password manager so you never have to memorise it. Length matters more than a clever scramble of symbols, and using a different password on every site is the single habit that stops one company’s data breach from unlocking the rest of your life.
What actually makes a password strong
A strong password is hard to guess because it is long and unpredictable, not because it has a capital letter and an exclamation mark bolted on. The US Cybersecurity and Infrastructure Security Agency advises long passwords or passphrases over short, complex strings, because every extra character multiplies the time an attacker’s software needs to crack it. Aim for at least 12 characters and treat longer as better.
Just as important is what a strong password is not: it is not a name, a birthday, a pet, a sports team, or anything a stranger could read off your social media in five minutes. Scammers research targets before they strike, and the same details that help them impersonate your bank also help them guess your login.
Passphrases: long, random, and memorable
A passphrase is a string of four or more random, unrelated words, and it is the easiest way for a human to hold a genuinely strong password in their head. Four unconnected words strung together are long enough to defeat brute-force guessing yet easy to recall, whereas a short string of symbols is both harder to remember and faster for a computer to break.
The trick is randomness. A line from a famous song or a common phrase is weak because cracking tools already feed on dictionaries, leaked passwords, and quotes. Pick words that have no logical link to each other and nothing to do with you.
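To make the length-versus-symbols point and the randomness point concrete, here is an added example (not code from the original article or from CISA or the FTC). It generates a passphrase with Python's cryptographic `secrets` module and compares the guessing space of random passphrases, random character passwords, and a "famous line" picked from a list of known quotes. The small word list, the 7776-word list size, the 1,000,000-quote list size and the guess rate are constructed assumptions for illustration; a real generator would draw from a large published word list.

```python
import math
import secrets

# Constructed mini word list for the example only. A real passphrase generator
# draws from a large published list (for instance one of 7776 words, assumed below).
WORDS = [
    "anchor", "bramble", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid",
    "pebble", "quartz", "ripple", "saddle", "timber", "umber", "velvet",
    "walnut", "yonder", "zephyr",
]


def generate_passphrase(count=4, words=WORDS, sep="-"):
    """Pick `count` words uniformly at random with a CSPRNG and join them.

    secrets.choice is used rather than random.choice because the random module
    is seeded predictably and is not suitable for credentials.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(word_count, list_size):
    """Bits of entropy for word_count words drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length, charset_size):
    """Bits of entropy for `length` characters drawn uniformly from charset_size symbols."""
    return length * math.log2(charset_size)


def seconds_to_crack(bits, guesses_per_second):
    """Expected time to hit the right guess: on average half the space is searched."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    # Constructed guess rate for illustration only; real rates depend on the hash.
    RATE = 1e10
    print("sample passphrase:", generate_passphrase())
    cases = [
        ("famous line from a list of 1,000,000 quotes", passphrase_entropy_bits(1, 1_000_000)),
        ("8 random chars from 95 printable symbols", password_entropy_bits(8, 95)),
        ("4 random words from a 7776-word list", passphrase_entropy_bits(4, 7776)),
        ("6 random words from a 7776-word list", passphrase_entropy_bits(6, 7776)),
        ("12 random chars from 95 printable symbols", password_entropy_bits(12, 95)),
    ]
    for label, bits in cases:
        years = seconds_to_crack(bits, RATE) / (365 * 24 * 3600)
        print(f"{label}: {bits:5.1f} bits, about {years:.3g} years at {RATE:.0e} guesses/s")
```

The numbers show why the article says length beats symbols and randomness beats familiarity: a line that is already in a list of quotes is worth only about 20 bits no matter how long it is, four random words are roughly equal to eight fully random characters, and each extra random word adds nearly 13 bits, doubling the cracking time about thirteen times over.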
Why reusing a password is the real danger
Reusing a password is the most expensive mistake, because it converts a single breach into a breach of everything. When a website is hacked, criminals harvest the stolen email and password pairs and run them automatically against banks, email providers, and shops, an attack known as credential stuffing. If you used the same password there, a breach you never even heard about can quietly open your most important accounts.
I learned this the slow way. After I lost most of my savings to a scam, I sat down to clean up my accounts and realised I had used one “strong” password, with tiny tweaks, on more than thirty sites: my email, my bank, old forums I had forgotten existed. Any one of those forums getting breached would have handed someone the keys to all of it. Changing them one by one, late into the night, was the moment the abstract advice finally became real to me.
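The clean-up described above, finding every account that shares a password or a lightly tweaked version of one, is something a password manager export lets you check in a few lines. The following is an added example, not code from the original article or from any password manager. It assumes an export shaped as (site, password) pairs, and the `SAMPLE_VAULT` entries are constructed values, not real credentials. The "tiny tweaks" heuristic (ignore case and any trailing digits or punctuation) is an assumption about how people usually vary a reused password, so it will not catch every variation.

```python
import re
from collections import defaultdict

# Constructed sample export (site, password) for the example only. None of these
# are real credentials; the first four are deliberately near-identical.
SAMPLE_VAULT = [
    ("mail.example", "Tr0ub4dor&3"),
    ("bank.example", "Tr0ub4dor&3"),
    ("forum.example", "Tr0ub4dor&4"),
    ("shop.example", "tr0ub4dor&3!"),
    ("photos.example", "kestrel-marble-dune-zephyr"),
]

# Assumed priority order from the article: email can reset everything else,
# banking comes next, everything else after.
PRIORITY = ("mail", "bank")


def normalise(password):
    """Collapse the usual 'tiny tweaks' on a reused password: case, plus any
    trailing run of digits or punctuation. A password that is nothing but
    digits or punctuation is left as-is rather than collapsed to an empty string."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core if core else password.lower()


def exact_reuse(vault):
    """Return {password: [sites]} for passwords used verbatim on more than one site."""
    groups = defaultdict(list)
    for site, password in vault:
        groups[password].append(site)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def find_reuse(vault):
    """Return {normalised_password: [sites]} for passwords that are the same
    or near-identical across more than one site."""
    groups = defaultdict(list)
    for site, password in vault:
        groups[normalise(password)].append(site)
    return {core: sites for core, sites in groups.items() if len(sites) > 1}


def change_order(sites):
    """Sort sites so email and banking come first, then the rest alphabetically."""
    def rank(site):
        for position, key in enumerate(PRIORITY):
            if key in site:
                return position
        return len(PRIORITY)
    return sorted(sites, key=lambda s: (rank(s), s))


if __name__ == "__main__":
    # Report sites only; never echo the passwords themselves to a terminal or log.
    for sites in find_reuse(SAMPLE_VAULT).values():
        print("change, in this order:", ", ".join(change_order(sites)))
```

Run against the constructed vault, the exact check finds only two sites sharing a password, while the normalised check groups all four variants of the same base string, which is exactly the "one strong password with tiny tweaks" pattern; each group then gets a fresh, unrelated password starting with email and banking.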
Use a password manager so you only remember one
A password manager is an encrypted vault that generates and stores a unique long password for every account, so the only thing you have to remember is one master passphrase. The FTC recommends password managers precisely because no human can invent and recall a different strong password for dozens of sites; the software does the part we are bad at.
Choose a reputable manager, protect it with a long master passphrase you use nowhere else, and turn on two-factor authentication for the vault itself. From then on, every new account gets a random password you never see, never type, and never reuse. If a site is breached, only that one password is exposed.
Pair every password with two-factor authentication
Two-factor authentication means a stolen password alone is not enough to log in, because a second step (a code or a tap on your phone) is also required. Even the strongest password can be phished or leaked, so the goal is layers: a unique password contains the damage of a breach, and the second factor blocks the attacker who has the password anyway. For how it works and which methods are strongest, see two-factor authentication explained.
One warning that ties back to scams: a one-time passcode is a second factor, not something you ever read aloud. No real bank or company will ever phone and ask you to confirm a code. Anyone who does is trying to bypass the very protection that code exists to provide.
What to do today
Start with the accounts that matter most, in this order: email first (because it can reset everything else), then banking, then anywhere you have shopped or saved a card. Give each a long unique passphrase or a manager-generated password, and switch on two-factor authentication.
If you suspect a password is already in the wrong hands, treat it as part of a wider clean-up. Changing exposed passwords and enabling two-factor authentication are core steps in recovering from account takeover; the full sequence is in identity theft: what to do.
This is general information, not individual legal, financial, or security advice. If you believe an account has been compromised or you have been targeted by a scam, report it to the proper authorities, such as the FTC at ReportFraud.ftc.gov or the FBI Internet Crime Complaint Center.
References
- Use Strong Passwords, Cybersecurity and Infrastructure Security Agency (CISA).
- Creating Strong Passwords and Other Ways to Protect Your Accounts, FTC Consumer Advice.
- Identity Theft, US Federal Trade Commission.
Frequently asked questions
What makes a password strong?
Length and uniqueness, more than special characters. A long passphrase of four or more random words is harder for software to crack than a short password full of symbols, and using a different password on every account means a breach of one site cannot unlock the others. Avoid names, birthdays, and anything a stranger could find on your social media.
How long should a password be?
Aim for at least 12 characters, and longer is better; many security bodies now favour long passphrases over short complex strings. The US Cybersecurity and Infrastructure Security Agency recommends long passwords or passphrases combined with two-factor authentication, because length is what makes guessing slow.
Are password managers safe to use?
For most people they are far safer than the alternative, which is reusing a handful of weak passwords. A reputable password manager encrypts your vault so only your master passphrase can open it, generates a unique long password for every site, and fills them in for you. You protect the manager itself with a strong master passphrase and two-factor authentication.
Why is reusing the same password dangerous?
When a website is breached, criminals take the stolen email and password pairs and try them on banks, email, and shopping sites in an automated attack called credential stuffing. If you reused that password, one breach you never heard about can quietly open your other accounts. A unique password per site contains the damage to the one site that was breached.
How often should I change my passwords?
Routine scheduled changes are no longer recommended, because they push people toward weak, predictable variations. Change a password when a service reports a breach, when you suspect it was exposed, or when you find you reused it elsewhere. The bigger wins are making each password long and unique and turning on two-factor authentication.
Should I write my passwords down?
A password manager is better, but a notebook kept physically safe at home is far better than reusing one memorable password everywhere. The real risk for most people is online theft and credential stuffing, not a burglar reading a notebook. Never store passwords in an unprotected file or email, and never share a one-time passcode with anyone.
Written by David Mercer. Reviewed by Dana Whitaker, CFE.
Our guides are written from personal experience and reviewed by a qualified fraud and security professional for accuracy. Read our editorial policy.