The 123456 Problem Is Worse Than You Think

In December 2021, NordPass published its annual list of the most common passwords. Sitting at number one — for the third year running — was "123456." Number two? "123456789." These aren't passwords from 2005. They're passwords people are using right now, in 2022, on accounts that protect their banking, email, and medical records.

I've worked incident response cases where a six-figure ransomware payout traced back to a single employee using "Company2021!" as their domain password. Knowing how to create a strong password isn't just good hygiene — it's the difference between a normal Tuesday and a catastrophic data breach.

This post gives you the exact methods I recommend to clients, backed by NIST guidelines and real-world breach data. No vague advice. No "just make it longer." Actual steps you can implement in ten minutes.

Why Most "Strong" Passwords Aren't Strong at All

Here's the dirty secret: the traditional password rules — uppercase, lowercase, number, special character — create passwords that are hard for humans to remember and easy for machines to crack. "P@ssw0rd1!" checks every complexity box. It also appears in virtually every credential stuffing dictionary on the planet.

The 2021 Verizon Data Breach Investigations Report found that 61% of breaches involved credentials. Not sophisticated zero-day exploits. Not nation-state threat actors deploying custom malware. Stolen or weak passwords. That's the reality. You can read the full report at Verizon's DBIR page.

Password spraying attacks — where an attacker tries a small set of common passwords against thousands of accounts — succeed because people keep choosing predictable patterns. Capital letter first, numbers at the end, exclamation point to finish. Attackers know the pattern because we taught it to them with our own complexity rules.

How to Create a Strong Password: The Method That Actually Works

NIST updated its Digital Identity Guidelines (SP 800-63B) and fundamentally changed the game. The key takeaway: length beats complexity every time. You can review the full guidelines at NIST's SP 800-63B page.

Here's my recommended approach, step by step.

Step 1: Use a Passphrase, Not a Password

Pick four to six unrelated words and string them together. "correct horse battery staple" became famous from the XKCD comic, but the principle is sound. Something like "Umbrella Telescope Mustard7 Railroad" gives you 35+ characters that you can actually remember.

A brute force attack against a random 8-character complex password can succeed in hours using modern GPU clusters. That same attack against a 30-character passphrase? Centuries. The math isn't close.

Step 2: Make It Personal but Not Predictable

Don't use song lyrics, movie quotes, or Bible verses. Attackers build dictionaries from those sources. Instead, combine words from different mental categories — a color, an animal, a kitchen item, a weather word. "Crimson Otter Spatula Hailstorm" is both memorable and essentially unguessable.

Avoid anything connected to your social media presence. Your dog's name, your anniversary, your hometown — threat actors scrape that information for targeted credential theft attacks in minutes.

Step 3: Add One Deliberate Imperfection

Drop a number or symbol between two of the words. Not at the end — in the middle. "Crimson8Otter Spatula Hailstorm" or "Crimson Otter$Spatula Hailstorm." This defeats dictionary-based passphrase attacks while keeping the password memorable.

Step 4: Never Reuse It. Ever.

The Colonial Pipeline ransomware attack in May 2021 was linked to a compromised VPN password that appeared in a previous data breach. One reused credential. $4.4 million ransom paid. 5,500 miles of pipeline shut down.

Every account gets its own password. Full stop. I'll explain how to manage this realistically in the next section.
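As an added example (not code from the original post), here is the Step 1 to Step 3 construction in Python: a passphrase generator that draws words with a CSPRNG, glues one digit or symbol between two of the words, and estimates worst-case entropy so the hours-versus-centuries comparison from Step 1 can be reproduced. The short wordlist, the symbol alphabet and the 1e11 guesses/second rate are constructed assumptions of this example.

```python
import math
import secrets

# Constructed sample wordlist; a real generator loads a large list such as the
# EFF long wordlist (7776 words). Entropy scales with log2 of the list size.
WORDLIST = [
    "crimson", "otter", "spatula", "hailstorm", "umbrella", "telescope",
    "mustard", "railroad", "granite", "falcon", "kettle", "monsoon",
    "violet", "badger", "whisk", "blizzard", "cobalt", "heron", "ladle", "drizzle",
]
SYMBOLS = "0123456789!$%&*+-=?@"  # alphabet for the single inserted imperfection


def make_passphrase(words=4, wordlist=WORDLIST, rng=None):
    """Steps 1 and 3: pick unrelated words with a CSPRNG and glue one random
    digit/symbol between two of them, never at the end."""
    if rng is None:
        rng = secrets.SystemRandom()   # OS-backed randomness, never random.random()
    chosen = [rng.choice(wordlist).capitalize() for _ in range(words)]
    gap = rng.randrange(words - 1)     # which of the words-1 gaps receives the symbol
    sep = rng.choice(SYMBOLS)
    out = []
    for i, word in enumerate(chosen):
        out.append(word)
        if i == words - 1:
            break
        out.append(sep if i == gap else " ")   # e.g. "Crimson8Otter Spatula Hailstorm"
    return "".join(out)


def passphrase_bits(words, wordlist_size=len(WORDLIST), symbols=len(SYMBOLS)):
    """Worst-case entropy: the attacker knows the wordlist, the symbol alphabet
    and the construction, so only the random choices count."""
    return words * math.log2(wordlist_size) + math.log2(symbols) + math.log2(words - 1)


def random_password_bits(length, alphabet_size=95):
    """Entropy of a uniformly random password over the 95 printable ASCII characters."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits, guesses_per_second=1e11):
    """Expected time to hit the secret after searching half the keyspace.
    1e11 guesses/s is an assumed figure for an offline attack on a fast hash."""
    return 2 ** bits / 2 / guesses_per_second
```

With a 7776-word list, `crack_seconds(random_password_bits(8))` comes out at roughly nine hours while a five-word passphrase with one inserted symbol lands in the centuries, which is the comparison Step 1 makes.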

The Password Manager Question

"I can't remember 200 unique passphrases." You're right. You don't have to.

Use a password manager. Create one extremely strong master passphrase using the method above — that's the one password you memorize. The manager generates and stores everything else. Your individual account passwords can be 40-character random strings you never even see.

I've heard every objection. "What if the password manager gets hacked?" It's a valid concern. LastPass, for example, uses zero-knowledge architecture — they can't see your vault contents. But even accounting for that risk, using a password manager is orders of magnitude safer than reusing "Summer2022!" across 47 accounts.

The alternative — a spreadsheet, a sticky note, or the same password everywhere — is what threat actors are counting on.

Multi-Factor Authentication: Your Password's Bodyguard

Even the strongest password in the world can be phished. An attacker sends a convincing email, you enter your credentials on a spoofed login page, and your 40-character passphrase is in their hands. This is social engineering at its most effective, and it works against smart people every day.

That's why multi-factor authentication (MFA) is non-negotiable. When you pair a strong password with MFA, credential theft alone isn't enough. The attacker also needs your phone, your hardware key, or your biometric data.

Enable MFA everywhere it's available. Prioritize email, banking, cloud storage, and any account that could be used to reset other passwords. Hardware tokens like YubiKeys are the gold standard, but even SMS-based MFA — despite its known weaknesses — is dramatically better than a password alone.

What About Security Questions?

Security questions are backdoor passwords with worse security. "What's your mother's maiden name?" is public record. "What city were you born in?" is on your Facebook profile.

Treat security questions as additional password fields. Give false answers and store them in your password manager. Your mother's maiden name is "Turbine." The city you were born in is "Kaleidoscope." The answers don't have to be real. They have to be consistent and unguessable.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2021 Cost of a Data Breach Report put the average breach cost at $4.24 million — the highest in 17 years of the study. Compromised credentials were the most common initial attack vector, and breaches caused by stolen credentials took an average of 341 days to identify and contain.

If you're responsible for security at your organization, password policy isn't a checkbox exercise. It's a financial decision. Every employee using a weak or reused password is an open door.

This is where security awareness training makes a measurable difference. At computersecurity.us, we offer cybersecurity awareness training that covers password security, social engineering recognition, and practical steps employees can take today. It's the kind of training that changes behavior, not just checks a compliance box.

Phishing: The Fastest Way to Lose a Strong Password

Creating a strong password means nothing if you hand it directly to an attacker. Phishing remains the number one delivery mechanism for credential theft. The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most common cybercrime type in 2021, with nearly 324,000 complaints. You can see the latest data at ic3.gov.

Modern phishing attacks don't look like the Nigerian prince emails of 2006. They're pixel-perfect replicas of Microsoft 365 login pages, urgent messages from "your CEO," and fake password reset notifications. Even security-savvy employees fall for well-crafted phishing simulations at surprising rates.

Running regular phishing simulations is one of the most effective ways to build resistance. Our phishing awareness training for organizations gives your team hands-on experience recognizing and reporting phishing attempts — before a real threat actor tests them.

Quick-Reference: How to Create a Strong Password

This is the checklist I give to every client:

  • Minimum 16 characters. Longer is better. Passphrases of 4-6 random words are ideal.
  • No personal information. No names, dates, pet names, or anything on your social media.
  • No dictionary words standing alone. Combine unrelated words with a number or symbol inserted between them.
  • Unique for every account. One account, one password. No exceptions.
  • Use a password manager to generate and store complex passwords.
  • Enable multi-factor authentication on every account that supports it.
  • Never share passwords via email, text, Slack, or Teams. Legitimate IT departments will never ask for your password.
  • Change immediately if you suspect any compromise or if a service you use announces a breach.

What NIST Says You Should Stop Doing

NIST's updated guidelines also killed several sacred cows that many organizations still cling to:

Stop Forcing Regular Password Changes

Mandatory 90-day password rotations sound secure. In practice, they produce "Winter2022!" → "Spring2022!" → "Summer2022!" patterns. NIST now recommends changing passwords only when there's evidence of compromise. If the password is strong and unique, forced rotation makes it weaker, not stronger.

Stop Requiring Arbitrary Complexity Rules

Mandating "at least one uppercase, one lowercase, one number, one special character" pushes users toward predictable substitutions. "P@$$w0rd" satisfies the rules and provides zero security. Focus on length and uniqueness instead.

Stop Using Password Hints

Password hints stored in plaintext are an attacker's gift. If your system still supports hints, disable them. They leak information about the password to anyone who can see the hint.
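An added example (not from the original post) that ties the quick-reference checklist above to this section: a password acceptance check in Python that enforces length and blocklist screening the way SP 800-63B describes (known-compromised and common passwords, repetitive or sequential characters, context-specific words such as the company name) and deliberately has no composition rules and no hint field. The blocklist contents, the season-plus-year pattern and the 16-character floor (the post's figure; NIST's own minimum is 8) are assumptions of this example.

```python
import re
import unicodedata

# Constructed blocklist standing in for a breach corpus such as Have I Been Pwned's
# Pwned Passwords; a production check would query that corpus instead.
BLOCKLIST = {
    "123456", "123456789", "password", "p@ssw0rd1!", "p@$$w0rd",
    "summer2022!", "winter2022!", "spring2022!", "company2021!",
}
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[!@#$%^&*.]*$", re.I)
MIN_LENGTH = 16   # the post's recommendation; NIST SP 800-63B's floor is 8
MAX_LENGTH = 128  # NIST requires accepting at least 64 characters


def _has_sequence(s, run=4):
    """Detect ascending or descending runs such as 'abcd' or '4321'."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(candidate, username="", org_name=""):
    """Return the reasons the candidate is rejected (empty list = accepted).
    Only length and blocklist screening: no upper/lower/digit/symbol rules,
    so a long passphrase of plain words passes."""
    pw = unicodedata.normalize("NFKC", candidate)   # NIST: normalise before comparing
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if low in BLOCKLIST:
        problems.append("appears in the compromised/common password list")
    if SEASON_YEAR.match(low):
        problems.append("season+year pattern (predictable rotation)")
    for ctx in (username, org_name):
        if ctx and len(ctx) >= 3 and ctx.lower() in low:
            problems.append(f"contains context-specific word {ctx!r}")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("four or more repeated characters")
    if _has_sequence(low):
        problems.append("contains a 4+ character alphabet or digit sequence")
    return problems
```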

Building a Zero Trust Mindset Around Credentials

The zero trust security model assumes that no user or device should be trusted by default — even inside your network. Passwords are one layer of a broader identity verification strategy.

Strong passwords matter. But they're part of an ecosystem that includes MFA, endpoint detection, network segmentation, and continuous monitoring. If your organization treats password policy as its entire identity security strategy, you're exposed.

Start with passwords because they're the foundation. Then layer on MFA, invest in security awareness training, and run regular phishing simulations to test your defenses.

The 10-Minute Action Plan

Here's what I want you to do today — not tomorrow, not next quarter:

  • Pick your three most critical accounts (email, banking, primary cloud service) and change their passwords to strong, unique passphrases using the method above.
  • Install a password manager and begin migrating your accounts into it.
  • Enable MFA on every account that offers it, starting with email.
  • Check computersecurity.us for training resources that walk you through these steps and cover broader security awareness topics.
  • If you manage a team, enroll them in phishing awareness training this week. Not next month. This week.

Knowing how to create a strong password is foundational. It's the single cheapest, fastest security improvement any individual or organization can make. The attackers aren't waiting. Neither should you.