Security guide

How to create and use a strong password

A practical checklist for password length, uniqueness, storage, MFA, and phishing resistance.

Direct answer

A strong password is unique, long enough for its use case, and stored safely. For an account where the password is the only factor, use at least 15 characters. Use a trusted password manager, enable MFA or a passkey, and never reuse the value on another service.

Checklist

  1. Generate a new value for every account.
  2. Prefer at least 15 or 16 characters for single-factor login.
  3. Use the full character set accepted by the service.
  4. Store the result in a trusted password manager.
  5. Turn on MFA or a passkey.
  6. Treat unexpected login pages and recovery requests as possible phishing.

Length versus composition

Length expands the number of possible values. Character variety can increase the pool, but a short password does not automatically become safe because it contains a symbol. Predictable human transformations, such as adding 1! to a dictionary word, remain easy to guess.
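The trade-off above, worked through as an added example (not code from this site's generator): it compares the search space of short and long random values and draws a password from a CSPRNG. The 94-character pool and the function names are assumptions; substitute the set a given service accepts.

```python
import math
import secrets
import string

# Assumed pool: the 94 printable ASCII characters excluding space.
# Replace with the set a given service actually accepts.
FULL_POOL = string.ascii_letters + string.digits + string.punctuation

MIN_SINGLE_FACTOR_LENGTH = 15  # the guide's floor for password-only accounts


def entropy_bits(length: int, pool_size: int) -> float:
    """Bits of entropy for a uniformly random string: length * log2(pool)."""
    if length < 1 or pool_size < 2:
        raise ValueError("need length >= 1 and a pool of at least 2 symbols")
    return length * math.log2(pool_size)


def generate_password(length: int = 16, pool: str = FULL_POOL) -> str:
    """Draw each character independently from the OS CSPRNG."""
    symbols = sorted(set(pool))  # duplicates would bias the draw
    if length < MIN_SINGLE_FACTOR_LENGTH:
        raise ValueError(f"length {length} is below {MIN_SINGLE_FACTOR_LENGTH}")
    if len(symbols) < 2:
        raise ValueError("pool must contain at least 2 distinct symbols")
    return "".join(secrets.choice(symbols) for _ in range(length))


def compare(candidates):
    """Return (label, bits) pairs sorted from weakest to strongest."""
    rows = [(label, round(entropy_bits(n, pool), 1)) for label, n, pool in candidates]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # Constructed comparison: short-but-complex versus long-but-simple.
    for label, bits in compare([
        ("8 chars, 94-symbol pool", 8, 94),
        ("16 chars, lowercase only", 16, 26),
        ("16 chars, 94-symbol pool", 16, 94),
    ]):
        print(f"{label:28s} {bits:6.1f} bits")
    print(generate_password())
```

These figures hold only for uniformly random values; a dictionary word with 1! appended has far less entropy than its length and character mix suggest.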

Unique means one service only

Password reuse turns one service breach into access to several accounts. A password manager makes unique random values practical because users do not need to memorize every credential.

Passwords do not stop phishing

An attacker can capture a strong password if the user enters it into a convincing fake page. MFA reduces some account-takeover risk, while phishing-resistant passkeys provide a stronger boundary when supported.

What to do after a suspected compromise

Change the affected password from a trusted device, revoke active sessions, review recovery details, enable stronger authentication, and change any reused credentials immediately.
