The dependable method is simple: let a cryptographically secure generator create a long, unique password, save it in a password manager, and enable a phishing-resistant sign-in method when the service offers one.
A practical recipe: Generate at least 15–20 random characters, never reuse the result, save it immediately, and add MFA or a passkey.
1. Start with uniqueness
Password reuse turns one website breach into a key for other accounts. The strongest improvement most people can make is assigning a different credential to every service.
2. Use random generation
People create patterns: capital letters at the beginning, dates at the end, familiar keyboard paths, names, and substitutions such as @ for a. Attack tools are built to exploit those habits. A secure generator avoids them.
3. Prefer length over composition tricks
NIST’s current guidance requires a minimum of 15 characters for passwords used as a single authentication factor and recommends allowing at least 64. It also advises against arbitrary composition rules that force a mix of character types. For a randomly generated password, 20 characters is a practical default.
4. Store it in a password manager
A password you cannot remember is not a failure when a manager can store and autofill it. Protect the manager with a strong, unique master passphrase and the best multi-factor option available.
5. Use passkeys where available
Passkeys use public-key cryptography and are designed to resist phishing. They reduce reliance on passwords but do not eliminate every recovery password, device PIN, encrypted file secret, or legacy login.
What to avoid
- Reusing one “strong” password across accounts
- Changing only a number at the end
- Using names, addresses, dates, teams, or quotations
- Saving passwords in screenshots, email drafts, or unencrypted notes
- Approving unexpected MFA prompts