A practical guide to strong passwords: how many characters you need, which character types to combine, and what to do when a website does not allow symbols.
A strong password is still one of the simplest ways to improve account security. The problem is that people naturally create passwords that are predictable: names, birthdays, favorite words, keyboard patterns, or the same password reused across multiple websites.
In this article, you will find practical recommendations for creating strong passwords for email, social media, Wi-Fi, and business accounts.
What makes a password strong
A strong password has three main properties:
- It is long enough.
- It is random, not a common word or pattern.
- It is unique for every account.
If you use the same password on several websites, one leaked database is enough. An attacker can try the same login details elsewhere.
Practical tip
Generate a strong password in seconds
Create a secure password in seconds.
Recommended password length
If you remember only one rule, remember this: length matters. In practice, a longer password with a sensible mix of characters is often better than a short password packed with symbols.
| Use case | Recommended length | Note |
|---|---|---|
| Email and social media | 16 characters | ideally uppercase/lowercase letters and numbers |
| Business/admin accounts | 20+ characters | add symbols too, if they are allowed |
| Wi-Fi password | 16-24 characters | some routers limit allowed characters |
Which characters to use
The strongest practical mix is:
- lowercase letters (a-z)
- uppercase letters (A-Z)
- numbers (0-9)
- symbols, for example
!@#$%
However, if a website or system:
- does not allow symbols,
- or creates problems when copying passwords, especially in older applications,
it is completely fine to use a longer password without symbols (for example 20+ characters) and focus on uniqueness and randomness.
Common password mistakes
- using one password "everywhere"
- short passwords (8-10 characters), even for sensitive accounts
- dictionary words and names, even with a number at the end
- patterns like
qwerty,asdfgh, or123456 - predictable variations, such as
Password2026!and thenPassword2027!
How to generate and use passwords without stress
The simplest workflow:
- Generate a password.
- Save it in a password manager.
- Enable two-factor authentication (2FA) for important accounts whenever possible.
Passwords with a password manager
If you use a password manager, which we recommend, you do not have to remember individual passwords. In that case, choose the longest password that is practical: ideally 20 characters or more, or the maximum length the website allows. Some services allow 64 or even 128 characters.
The only password you must remember is the master password for your password manager. It should be strong and unique, ideally a long phrase made from several unrelated words.
The recommendation to use at least 16 characters comes from CISA, the US Cybersecurity and Infrastructure Security Agency.
Quick checklist
- unique password for every account
- at least 16 characters, or 20+ with a password manager
- password manager
- 2FA for important accounts
