How to Choose a Secure Password in 2021
Strong passwords still matter, but the rules have changed. Here is how to pick passwords that actually defeat modern attacks.

The advice on password security has shifted significantly in the last decade. The old rules (mix uppercase, lowercase, numbers, symbols, change every 90 days) are out. The new rules (long, unique, never reused, paired with MFA) are in. The change matters because the old rules optimised for the wrong threat.
What modern attacks actually look like
Three attack patterns dominate today:
- Credential stuffing. Attackers replay passwords leaked from one breach against every other site. Complexity does not matter. Reuse does.
- Phishing. The user hands their password to a lookalike site. No password is strong enough to survive being typed into the wrong place.
- Database breach plus offline cracking. Stolen password hashes are cracked at billions of guesses per second. Length matters more than complexity here.
The rules that actually work
1. Long beats complex
NIST, the UK NCSC, and every modern guidance body now recommend length over composition rules. A sixteen-character passphrase made of common words is dramatically stronger against cracking than an eight-character random string, and far easier to remember.
2. Unique per account
Reuse is the single largest source of account takeover. A password used on two sites is only as secure as the worst-secured of those sites. The cheapest defence against credential stuffing is to make stuffing pointless.
3. Use a password manager
The only practical way to maintain dozens of unique, long passwords is to delegate the job to software. Every major OS and browser ships one. Dedicated tools (1Password, Bitwarden, Dashlane) offer more features. Pick one and use it.
4. Drop the forced rotation
Forced 90-day rotation produced predictable patterns (Spring2024!, Summer2024!) without meaningful security benefit. Rotate when there is a reason: breach, suspected compromise, departing employee.
5. Check against breach corpora
"Have I Been Pwned" and its API are free. Any new password should be checked against the breach corpus before you adopt it. Many password managers do this automatically.
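The Pwned Passwords check can be done without ever sending the password itself: the client hashes the candidate with SHA-1, sends only the first five hex characters to the range endpoint, and compares the returned list of suffixes locally (k-anonymity). The code below is an added example, not from the original article or from Have I Been Pwned; it uses the public range endpoint URL and the "SUFFIX:COUNT" response format, and the sample response body it checks against is constructed inline so it runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(sha1_hex: str) -> tuple[str, str]:
    """Only the 5-character prefix leaves the machine; the 35-character suffix stays local."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a suffix -> count map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password's hash appears in the corpus (0 = not found)."""
    _, suffix = split_for_range_query(sha1_upper(password))
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-hex prefix. Network call; not exercised by the offline check."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "passphrase-checker-example"},  # descriptive UA, assumption
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range_body(compromised: dict[str, int]) -> str:
    """CONSTRUCTED test data: a fake range response listing the given passwords' suffixes."""
    lines = [f"{sha1_upper(p)[5:]}:{n}" for p, n in compromised.items()]
    lines.append("0000000000000000000000000000000000A:3")  # unrelated filler suffix
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Offline demonstration against the constructed body; swap in fetch_range(prefix)
    # for a real check.
    body = constructed_range_body({"Password123!": 12345})
    for candidate in ("Password123!", "granite-shovel-mango-treacle-pulse"):
        prefix, _ = split_for_range_query(sha1_upper(candidate))
        print(f"prefix sent: {prefix}  seen {breach_count(candidate, body)} times")
```

Any non-zero count means the password is already in attackers' wordlists and should be discarded regardless of how strong it looks; the check reveals nothing about the password to the service beyond the five-character prefix shared with hundreds of other hashes.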
6. Pair with MFA
Even a perfect password is one phish away from compromise. MFA on every account that supports it. Passkeys where they are offered. SMS as a last resort, not a default.
What a good password actually looks like
The most useful pattern is the diceware passphrase: four to six random words from a large word list, separated by spaces or punctuation. Examples:
- correct horse battery staple
- granite-shovel-mango-treacle-pulse
- winter velvet narrow chrome 47
Each is easy to remember, hard to guess, and well outside the range of practical brute force. Generate them with a password manager or with a real diceware tool, not from your head: humans pick non-random words.
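Generating the passphrase with a cryptographic random source, and putting a number on "well outside the range of practical brute force", looks like the following. This is an added example, not code from the article: it uses Python's `secrets` module as the "real diceware tool", a small constructed word list standing in for a full 7776-word diceware list (only the list size enters the entropy estimate), and an assumed offline cracking rate of ten billion guesses per second, in line with the "billions of guesses per second" above. It also covers the "long beats complex" comparison by putting a five-word passphrase next to an eight-character random string.

```python
import math
import secrets
import string

# CONSTRUCTED stand-in for a real diceware list; a real list has 7776 entries,
# one per five-dice roll. The real size is passed separately for the entropy maths.
SAMPLE_WORDS = ["granite", "shovel", "mango", "treacle", "pulse",
                "winter", "velvet", "narrow", "chrome", "battery"]
DICEWARE_LIST_SIZE = 7776
# 94 symbols: letters, digits and punctuation, the usual "complex password" alphabet.
CHARSET = string.ascii_letters + string.digits + string.punctuation
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate against a fast hash


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols.
    This assumes the attacker knows the word list / charset: only the picks are secret."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: list[str], n_words: int = 5, sep: str = "-") -> str:
    """Uniform picks with the OS CSPRNG; random.choice is not suitable for secrets."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_random_password(length: int = 8) -> str:
    """The 'eight random characters' alternative, for comparison."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of the given entropy at `rate` guesses/s."""
    return 2 ** bits / rate / (3600 * 24 * 365)


def compare(n_words: int = 5, random_len: int = 8) -> dict[str, float]:
    """Entropy and exhaustive-search time for a diceware passphrase vs a random string."""
    passphrase_bits = bits_of_entropy(DICEWARE_LIST_SIZE, n_words)
    random_bits = bits_of_entropy(len(CHARSET), random_len)
    return {
        "passphrase_bits": passphrase_bits,
        "passphrase_years": years_to_exhaust(passphrase_bits),
        "random_bits": random_bits,
        "random_years": years_to_exhaust(random_bits),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("random    :", generate_random_password())
    for n in (4, 5, 6):
        r = compare(n_words=n)
        print(f"{n} words: {r['passphrase_bits']:.1f} bits, "
              f"{r['passphrase_years']:,.0f} years to exhaust at 1e10/s")
    r = compare()
    print(f"8 random chars: {r['random_bits']:.1f} bits, {r['random_years']:,.0f} years")
```

Each extra word adds about 12.9 bits (log2 7776), so the passphrase's margin over a fixed-length random string grows quickly; the estimate only holds when the words are drawn uniformly by the tool, which is exactly why picking them "from your head" breaks the maths.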
Special cases worth attention
- Master password. The one you actually have to remember. Make it long, unique, and never use it anywhere else. This is the key to your kingdom.
- Email account. Every password reset on every other account flows through here. Treat it like a master password.
- Banking and financial accounts. Long, unique, MFA mandatory, ideally phishing-resistant MFA.
- Recovery questions. Lie. The answer is not "your mother's maiden name." It is another random string stored in the password manager.
What to stop doing
- Stop writing passwords on sticky notes.
- Stop using "Password123!" because it meets the complexity rule.
- Stop using the same password for personal and work accounts.
- Stop relying on browser autofill on shared devices.
- Stop ignoring breach notifications. If a service emails you that your password leaked, change it immediately.
The bottom line
The best password is a long, unique, manager-generated passphrase, backed by MFA, and never reused. Adopt that pattern once and you defeat the overwhelming majority of attacks that target passwords today. The transition is mildly painful for a week and then you never think about it again.