Password Security 101: How to Create Strong Passwords

June 12, 2026|7 min read

Most people think about password security backwards. They focus on making each individual password harder to guess - swapping an "o" for a zero, adding an exclamation point at the end - while reusing that same password across a dozen different accounts. The truth is that password strength matters far less than most people assume, and reuse matters far more. This guide walks through what actually keeps accounts safe: how password strength is measured, when a passphrase beats a random string, why two-factor authentication does more work than any password ever could, and how to generate and store backup codes you can rely on.

Password security guide covering strong passwords, two-factor authentication, and backup codes

The Real Threat: Password Reuse, Not Weak Passwords

Here is the scenario that causes the vast majority of account takeovers: a smaller website you signed up for years ago - a forum, a newsletter, a one-time purchase - gets breached. The attackers do not target you specifically. They dump the entire database of email and password pairs, then run those same pairs against major sites like email providers, banks, and social media. If you used the same password on the breached site and your email account, the attacker now has your email. From there, they can reset passwords on almost everything else you own.

Diagram showing how password reuse across multiple accounts creates a single point of failure

This is called credential stuffing, and it is almost entirely automated - bots can try millions of leaked email and password combinations against login pages in minutes. The defense is not a more complicated password. It is a different password for every account, so a breach on one site cannot unlock the rest of your digital life. A password manager makes this practical: you remember one master password, and the manager remembers (and fills in) hundreds of unique ones. Without a manager, even writing unique passwords on paper and keeping that paper secure is safer than reusing one password everywhere.

What Makes a Password Strong: Understanding Entropy

Entropy is a measure of how unpredictable a password is, expressed in bits. Each bit of entropy doubles the number of guesses an attacker would need to try before finding your password by brute force. A password with 40 bits of entropy has roughly a trillion possible combinations. One with 60 bits has roughly a billion times more than that. This is why length matters so much more than complexity rules: every additional character multiplies the search space, while forcing a symbol into a password you'll just write on a sticky note barely moves the needle.

Chart explaining password entropy and how length increases the number of possible combinations

A common myth is that "P@ssw0rd!" is strong because it has a number, a symbol, and a capital letter. It is not - it is one of the first variations a cracking tool tries, because it follows a pattern everyone uses. A genuinely strong password either looks like a long string of random characters with no pattern at all, or a long sequence of unrelated words. Both can reach the same entropy; the difference is which one is easier for a human to type and remember.

This is also why dictionary attacks work so well against "creative" substitutions. Cracking tools maintain enormous lists of real words, names, and common phrases, then automatically test every variation - capitalizing the first letter, appending a year, swapping letters for look-alike numbers. A password built from a real word plus a predictable suffix might look unique to a human eye, but to a cracking tool it is just one entry in a list with a handful of known transformations applied. The only passwords that resist this approach are ones with no underlying word or pattern to look up in the first place.

Passphrases vs Random Strings: Picking the Right Generator

A random string like k8#mQ2!vL9pXz and a passphrase like "correct-horse-battery-staple-42" can land at similar entropy levels, but they serve different purposes. Random strings are best for accounts you will only ever paste from a password manager - they are short, dense, and you will never type them by hand. Passphrases are better for the handful of passwords you genuinely need to memorize and type often, such as your device login or your password manager's master password, because chaining together unrelated words is far easier for a brain to retain than a string of symbols.

The mistake to avoid with passphrases is picking words that relate to each other or to you - "bluesky-summer-vacation-2024" is guessable because the words form a coherent, personal idea. Truly random, unrelated words ("ladder-trumpet-cactus-windmill") are far stronger because there is no narrative for an attacker (or a guessing algorithm trained on common phrases) to latch onto. Either way, the fastest and most reliable way to generate either type is a dedicated tool rather than typing something off the top of your head, since human-generated "randomness" is consistently more predictable than we think.

Comparison of passphrase style and random character style passwords side by side
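An added example (not from the original article) of the two generator styles compared above, with entropy computed from how each password is generated rather than from how it looks. The 16-word list is a constructed sample, and the 7,776-word list size in the demo is an assumption about a typical diceware-style list.

```python
import math
import secrets
import string

# Constructed sample list; a real generator would load thousands of words.
SAMPLE_WORDS = ["ladder", "trumpet", "cactus", "windmill", "anchor", "pebble",
                "lantern", "marble", "falcon", "quilt", "radish", "saddle",
                "thimble", "walnut", "zipper", "orbit"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)


def picks_needed(choices: int, target_bits: float) -> int:
    """Smallest number of draws whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def random_string(length: int) -> str:
    # secrets draws from the OS CSPRNG, so every symbol is equally likely.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(words: list[str], count: int, sep: str = "-") -> str:
    # Words are drawn independently, so there is no "narrative" to guess.
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(random_string(13), f"{entropy_bits(len(ALPHABET), 13):.1f} bits")
    print(passphrase(SAMPLE_WORDS, 4), f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
    # With an assumed 7,776-word list, words needed to reach 80 bits:
    print("words for 80 bits:", picks_needed(7776, 80))
    print("chars for 80 bits:", picks_needed(len(ALPHABET), 80))
```

The figures only hold when every draw is uniform and independent, which is why the generator does the choosing rather than a person.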


Encoding Is Not Encryption: What Base64 Actually Does

One misconception worth clearing up directly: Base64 is not a security feature. It is an encoding scheme that converts binary data into plain text characters, commonly used to embed images in HTML, attach files to emails, or pass data through systems that only handle text. Base64 has no key and no secret - anyone can decode it instantly using a free online tool, so it provides zero confidentiality.

The reason this matters for password security is that some people, and occasionally some poorly designed systems, store or transmit passwords "encoded" in Base64 and treat that as if it were encryption. It is the equivalent of writing a password backwards and calling it a cipher. If you ever come across a login system that stores your password in a way that looks like Base64 (it typically ends in one or two equals signs and uses only letters, numbers, plus, and slash characters), that is a red flag about how seriously that site takes security - not a sign that your password is protected. You can see exactly how reversible this is yourself with a Base64 Encoder, which decodes Base64 text back to its original form instantly.
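The difference described above, as an added example that is not part of the original article: a Base64 "protected" password is recovered with no key, while a salted, slow hash can only be verified against a candidate. PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for the illustration; the article does not name a hashing scheme.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def store_encoded(password: str) -> str:
    """Weak: Base64 is a keyless, reversible encoding."""
    return base64.b64encode(password.encode()).decode()


def recover_encoded(stored: str) -> str:
    """Anyone who reads the stored value gets the password back."""
    return base64.b64decode(stored).decode()


def looks_like_base64(value: str) -> bool:
    """Heuristic from the text: Base64 alphabet only, with valid '=' padding.
    Short plain words can also pass, so treat a hit as a prompt to look closer."""
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(value) > 0 and len(value) % 4 == 0


def store_hashed(password: str) -> tuple[bytes, bytes]:
    """Stronger: a random salt plus a deliberately slow one-way function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    """The stored digest is never decoded; a candidate is re-hashed and compared."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = store_encoded("P@ssw0rd!")
    print(stored, "->", recover_encoded(stored))
    salt, digest = store_hashed("P@ssw0rd!")
    print(digest.hex(), verify_hashed("P@ssw0rd!", salt, digest))
```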

Two-Factor Authentication and Backup Codes

If password reuse is the biggest risk, two-factor authentication (2FA) is the single biggest mitigation. With 2FA enabled, a stolen password alone is not enough to log in - the attacker also needs a code from your phone, an authenticator app, or a hardware key. This is why security teams consistently rank "turn on 2FA" above "use a more complex password": it neutralizes the most common attack (a leaked password from another site) almost completely.

Not all 2FA methods are equally strong, though it is worth saying that any 2FA is better than none. Codes sent by text message are the most common and the easiest to set up, but they are also vulnerable to SIM-swapping, where an attacker convinces your carrier to move your phone number to a device they control. Authenticator apps, which generate a new code every thirty seconds directly on your device with no network connection involved, close that gap. Hardware security keys go a step further, requiring a physical device to be present at login. For most people, an authenticator app is the practical sweet spot: meaningfully stronger than SMS, and far easier to manage day to day than a physical key.

Illustration of two-factor authentication with a phone code and a set of numeric backup codes

The catch with 2FA is recovery. If your phone is lost, broken, or wiped, and that phone was your only way to receive codes, you can be locked out of your own accounts entirely. This is what backup codes are for - most services that support 2FA let you generate a set of one-time recovery codes when you first set it up. The mistake people make is skipping this step, or generating codes that are easy to guess by reusing a birthday or phone number as a "random" sequence. When a service lets you choose your own backup PIN or recovery sequence, generate it properly with a Random Number Generator rather than picking something memorable, and store the result somewhere separate from your phone - printed and filed, or in your password manager's secure notes.

Setting Up 2FA and Sharing Logins Safely with QR Codes

Most authenticator apps set up 2FA by scanning a QR code shown on the website you are securing. That QR code encodes a secret key that links your authenticator app to your account, so it should be treated with the same care as a password - never share a screenshot of a 2FA setup QR code with anyone, and never post one publicly, since whoever scans it can generate the same login codes your account expects.

QR codes themselves are simply a way of encoding text (a URL, a Wi-Fi password, a setup key) into a scannable image, and they show up constantly in account security flows: linking a new device to a messaging app, sharing a guest Wi-Fi password without typing it character by character, or pointing someone to a document with setup instructions. Understanding how they work makes it easier to spot when one looks out of place - for example, a 2FA setup screen that asks you to scan a QR code you did not generate yourself is a sign something is wrong.


Building a Personal Password Policy You'll Actually Follow

The best password policy is the one you can maintain without friction, because a policy you abandon after two weeks protects nothing. A practical version looks like this: install a password manager and let it generate and store a unique random password for every account you create going forward. Pick three to five passphrases for the accounts you must type from memory - your device, your password manager, and maybe one or two others - and make those passphrases long, unrelated-word combinations rather than personal phrases.

Turn on two-factor authentication for email, banking, and your password manager first, since those accounts can be used to reset everything else. Generate backup codes when you do, and store them somewhere that is not your phone. Finally, set a recurring reminder - every six months or so - to update passwords on any account where you reused an old one before adopting this system, starting with email and financial accounts. None of this requires memorizing dozens of complex strings. It requires a handful of strong habits, applied consistently, which is exactly what makes a security policy actually work over time.

