How to Create Strong and Secure Passwords
Passwords are the front door to your digital life. They protect your money, private messages, business IP, social accounts, and everything in between. Yet year after year the same weak logins (123456, password, qwerty) keep showing up in breach dumps. This guide modernises the classic “create a strong password” advice with practical, step-by-step instructions you can implement today at home or across a company.
Why passwords still matter (even with biometrics and magic links)
- Universality: Passwords work everywhere, from old forums to mission-critical SaaS.
- Portability: You can sign in on almost any device, even without your phone.
- Recovery: When biometrics fail or you lose a device, passwords are the fallback.
The flip side: attackers target passwords relentlessly because they’re reusable and guessable. Your strategy must assume credentials will be attacked, and build resilience accordingly.
How attackers actually crack passwords (know the enemy)
1. Credential stuffing: Hackers try email/password combos leaked from one site on other sites. If you re-use passwords, you’re toast.
2. Dictionary + rules attacks: Automated tools try huge lists of common words plus patterns like Summer2025!.
3. Brute force: Try every possible combination. Length explodes the search space, making this impractical.
4. Offline cracking: If a site is breached and hashes are stolen, attackers can grind on them at high speed. Weak, short passwords fall quickly.
Conclusion: The keys are length, uniqueness per site, and a process that resists phishing (password manager + MFA + security hygiene).
What makes a password strong in 2025?
A strong password (or passphrase) is:
- Long: Aim for at least 14–16 characters. 20+ is even better, especially for high-value accounts.
- Unique: One password per site. No exceptions.
- Random or unpredictable: Avoid common substitutions (P@ssw0rd!), dates, names, pets, lyrics, sports teams, or anything you’ve posted online.
- Stored safely: Use a password manager, not spreadsheets, notes apps, or your memory.
A strong system goes further:
- MFA everywhere: Prefer authenticator apps or passkeys; avoid SMS when possible.
- Phishing-resistance: Let your manager auto-fill only on the real domain; double-check URLs.
- Sensible rotation: Don’t rotate on a schedule “just because.” Change after compromise, role changes, or when a site warns you.
Choose your approach: passphrase vs generated password
There are two practical routes. Pick one and stick with it.
Option A: Memorable passphrases (great for a handful of logins)
- Combine 4–6 random words with light separators.
- Add a little spice (but avoid predictable leetspeak).
- Pros: Easy to type and remember; very long.
- Cons: Harder to scale across dozens of accounts without a manager.
Option B: Manager-generated passwords (best for most people)
- Let the manager create 20–30 character random strings, including letters, numbers, and symbols.
- You remember one very strong master passphrase (20+ chars).
- Pros: Strongest and simplest at scale; fast to rotate; works across platforms.
- Cons: Requires trusting a reputable tool and keeping backups/recovery sorted.
Building a bulletproof password system (step by step)
1) Pick a reputable password manager
Look for these features:
- Cross-platform support (Windows/macOS/iOS/Android/Linux).
- End-to-end encryption and zero-knowledge design.
- Local export/backup options and emergency access for a trusted person.
- Passkey support (WebAuthn), secure sharing (for teams), and breach alerts.
2) Create a master passphrase you’ll never forget
- Use 5–7 random words you can visualise.
- Don’t reuse it anywhere. Don’t write it on a sticky note at your desk.
- Consider a memory trick (story/image) to cement it.
3) Enable biometrics and a strong device lock
- Face/Touch ID for convenience on top of the master passphrase, not instead of it.
- Set a device PIN/passcode that isn’t 1234/0000/birthday.
4) Turn on MFA (2-step verification) for your key accounts
Prioritise: email, bank, password manager, domain registrar, cloud storage, work apps.
- Prefer Authenticator apps (TOTP), hardware keys, or passkeys.
- Avoid SMS when possible (still better than nothing).
5) Import or create unique logins for everything
- For each site, generate a new 20–30 character password.
- Use unique emails or aliases for high-value targets (some email providers let you create aliases like name+bank@domain.com).
- Save security questions with fake answers stored in your manager (treat them like passwords).
6) Clean up old, weak, or reused credentials
- Many managers include a security audit that flags reused or weak passwords and breached sites.
- Replace weak ones first on email, banking, cloud, social, work apps.
- Remove dormant accounts you no longer need (less surface area to defend).
7) Prepare for “oh no” moments
- Store backup codes for important accounts in your password manager’s secure notes.
- Set up emergency access to your vault for a trusted person (business continuity).
- Keep offline recovery: an encrypted export stored safely, rotated periodically.
The do’s and don’ts of password creation
Do
- Use length over complexity. A long passphrase often beats a short jumble.
- Let your manager handle complexity. Don’t overthink it; click “generate.”
- Keep MFA recovery codes. They are your lifeline after phone loss.
- Use domain matching. Only auto-fill when the URL is exactly right.
Don’t
- Reuse passwords across sites, ever.
- Share passwords over email/DM/slack in plain text. Use secure sharing features.
- Rely on leetspeak (P@ssw0rd!); attackers try those first.
- Use personal info (birthdays, pets, addresses, favourite team).
- Rotate arbitrarily (monthly/quarterly) unless policy or risk requires it; it often backfires into weaker patterns like Spring2025!.
Special cases and pro tips
Banking & government logins
- Use passkeys or hardware keys if offered.
- Keep email MFA rock-solid; it’s the gateway to resetting everything.
Work accounts (for admins and managers)
- Enforce SSO (Okta/AAD) where possible.
- Require MFA for admins and remote access.
- Disable password paste restrictions (they encourage weak, memorable passwords).
- Provide a company-approved password manager with shared vaults, role-based access, and offboarding workflows.
- Follow sensible rotation: after suspected compromise, role change, or high-risk exposure, not on a random calendar.
Shared accounts (vendors, social media, tools)
- Prefer user-based access with roles.
- If you must share, use the manager’s secure sharing (no revealing the secret), and rotate after people leave.
Travel mode / high-risk periods
- Some managers support Travel Mode to hide selected vaults.
- Beware of shoulder surfing and fake Wi-Fi portals; use a VPN and disable autofill on unknown pages.
Security questions: treat as extra passwords
- Use nonsense answers only you know, stored in your manager.
- If forced to pick a real question, invent a fake detail:
- Q: “Mother’s maiden name?”
- A: bridge-tangelo-sunday
- This defeats social media sleuthing.
What about changing passwords “regularly”?
Old advice said “change your password every 30–90 days.” Modern guidance is different:
- Change immediately after a breach, phishing incident, or suspicious activity.
- Rotate when someone leaves your team and had shared access.
- Review annually for high-value accounts if they’ve been static for years.
- Do not force frequent, arbitrary changes; people pick weaker patterns under pressure.
Recognising and avoiding phishing
- Check the domain carefully: accounts.google.com ≠ google.accounts.com-login.io.
- Never approve a push MFA you didn’t initiate; deny it and change your password.
- Use your manager to navigate to sites (search the vault and open) instead of clicking email links.
- Report suspicious emails to your provider or IT.
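The “use domain matching” rule above is something you can reason about concretely. This added example (not code from the article or any real password manager) models how a manager decides whether to offer saved credentials for a page: it assumes a simplified rule (the page host must equal the saved domain or be a subdomain of it, over HTTPS only), and uses constructed sample URLs that include the lookalike from the list above.

```python
from urllib.parse import urlsplit

# Constructed vault entry: the site the login was saved for. Real managers
# usually match on the registrable domain (via the public suffix list); this
# example assumes a simpler rule: the page host must equal the saved domain or
# be a subdomain of it, and the page must be served over HTTPS.
SAVED_ENTRY = {"name": "Google", "domain": "google.com"}

def host_matches(page_host, saved_domain):
    """Exact host or a subdomain of it. Prefixing the dot stops hosts such as
    'google.com-login.io' or 'notgoogle.com' from passing an endswith check."""
    page_host = page_host.lower().rstrip(".")
    saved_domain = saved_domain.lower().rstrip(".")
    return page_host == saved_domain or page_host.endswith("." + saved_domain)

def should_autofill(url, entry=SAVED_ENTRY):
    """Return True only when a manager should offer this entry's credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False            # never fill over plain HTTP
    host = parts.hostname       # strips userinfo (user@), port and brackets
    if not host:
        return False
    return host_matches(host, entry["domain"])

def check_urls(urls, entry=SAVED_ENTRY):
    """Map each URL to the autofill decision, for review or logging."""
    return {u: should_autofill(u, entry) for u in urls}

# Constructed sample URLs: the genuine login page plus lookalikes of the kind
# the article warns about. Only the first should trigger autofill.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",
    "https://google.accounts.com-login.io/signin",
    "https://accounts.google.com.evil.example/signin",
    "https://google.com@evil.example/signin",
    "http://accounts.google.com/signin",
]

if __name__ == "__main__":
    for url, ok in check_urls(SAMPLE_URLS).items():
        print(("FILL   " if ok else "REFUSE ") + url)
```

The fourth URL shows why the check must run on the parsed hostname: the text before the @ is userinfo, and the real host is evil.example.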
What to do after a suspected compromise (incident playbook)
1. Disconnect from untrusted networks; run a malware scan if relevant.
2. Change the password for the affected account from a known-good device.
3. Rotate MFA: revoke old devices, issue new backup codes, re-enrol TOTP/hardware keys.
4. Check sessions/devices and sign out of all others.
5. Review email forwarding rules (attackers often add hidden rules to siphon messages).
6. Audit your vault for reused passwords and update them.
7. Enable alerts and monitor for a few weeks.
Password generators: quick options (and when to use them)
Most good password managers include generators. If you ever need stand-alone generation (e.g., on a locked-down corporate machine), you can:
- Use your manager’s web generator or browser extension in a private window.
- On macOS, Keychain Access can generate strong passwords for Safari logins.
- On Linux, pwgen or openssl rand -base64 24 (for advanced users).
- For passphrases, use a diceware-style generator or your manager’s passphrase mode (4–6 random words).
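To make the two routes (Option A passphrases and Option B manager-generated strings) and the “length over complexity” rule tangible, here is an added example that is not from the article or any specific password manager. It draws from the operating system’s CSPRNG via Python’s `secrets` module, uses a constructed mini word list in place of a real diceware list, and computes the brute-force search space in bits for each approach; the passphrase function also serves for the nonsense security-question answers recommended above.

```python
import math
import secrets
import string

# Constructed mini word list standing in for a real diceware list. The entropy
# maths below uses the size of the list you actually draw from, so with a real
# 7,776-word diceware list each word contributes log2(7776) = 12.9 bits.
WORDS = ["pebble", "canvas", "orchid", "lantern", "skyline", "tangelo",
         "bridge", "sunday", "maple", "copper", "harbour", "velvet"]
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 chars

def passphrase(n_words=5, words=WORDS, sep="-"):
    """Option A: n random words joined by a separator, drawn from the OS CSPRNG.
    Also suitable for nonsense security-question answers."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def generated_password(length=24, alphabet=SYMBOLS):
    """Option B: manager-style random string over letters, digits and symbols
    (trim the alphabet if a site rejects some punctuation)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(choices, count):
    """Size of the brute-force search space in bits: `count` independent picks,
    each from `choices` equally likely options (valid only for random picks)."""
    return count * math.log2(choices)

def compare():
    """Why length beats complexity: bits an attacker must search, by approach."""
    return {
        # 5 words from a 7,776-word diceware list
        "passphrase_5_words": entropy_bits(7776, 5),
        # 8 random characters from the 94 printable ASCII symbols
        "random_8_chars": entropy_bits(94, 8),
        # 24 random characters, what a manager would generate
        "random_24_chars": entropy_bits(94, 24),
        # Rough model (an assumption) of a human pattern like Summer2025!:
        # one of ~10,000 common words, one of ~100 years, one of ~10 symbols.
        "word_year_symbol_pattern": (entropy_bits(10_000, 1)
                                     + entropy_bits(100, 1)
                                     + entropy_bits(10, 1)),
    }

if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("generated: ", generated_password())
    for name, bits in compare().items():
        print(f"{name:>26}: {bits:6.1f} bits")
```

Running it shows the 5-word passphrase (about 65 bits) beating an 8-character “complex” password (about 52 bits), while the word-year-symbol pattern sits near 23 bits, which is why dictionary-plus-rules attacks find it so quickly.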
Team rollout plan (business)
1. Standardise on one manager (business plan) with SSO integration.
2. Baseline policy: minimum 16 characters, no reuse, MFA required, sharing via vaults only.
3. MFA across the stack: email, cloud storage, accounting, CRM, HRIS, source control.
4. Onboarding: short live demo, quick wins (import, audit, mobile setup).
5. Quarterly audits: check for reuse, weak passwords, disabled MFA.
6. Offboarding: revoke access, rotate shared secrets, export needed credentials for handover.
Plain-English examples
- Good passphrase: pebble-canvas-orchid-lantern-skyline (5 random words, separators)
- Good manager password: cQ3p@Z9R4V7!uYb6F2jT^mW8 (don’t craft these by hand; generate them)
- Bad passwords: Password!, CompanyName2025, Melbourne2025!, pet names, birthdays, phone numbers.
Creating strong passwords is one of the pillars of safe internet browsing. These eight tips can help you build strong passwords and protect your information from malicious hackers. For any queries on cybersecurity, reach out to us at cybersecurity@computingaustralia.group or use our Contact Us page. Our team from Perth will be available round the clock to assist you with any digital queries.
Jargon Buster
Cybersecurity: Cybersecurity refers to practices that protect systems, networks, and individuals from digital attacks.
Password Manager: An application that allows users to generate and store their passwords for online services.
FAQ
Are passkeys replacing passwords?
Passkeys (built on WebAuthn) are excellent and phishing-resistant. Use them wherever offered. For many services, passwords will linger, so keep your password system healthy.
Is SMS MFA useless?
Not useless (better than nothing), but weaker than authenticator apps or hardware keys due to SIM-swap risk.
Can a site see my manager-stored password?
Sites only see what you submit in their login form. The vault itself is encrypted and the provider can’t read it (in a zero-knowledge design).
What if I forget my master passphrase?
With a reputable manager, that may mean permanent loss of the vault. Use recovery features (emergency contacts/recovery keys) and write a secure SOP for your family or team.
Should I store passwords in a browser only (Chrome/Edge/Firefox)?
Browsers have improved, but dedicated managers add zero-knowledge architecture, secure sharing, breach monitoring, and portability across ecosystems. Many people combine both (browser for convenience, manager as the source of truth).