123456 is still the most common password. Here's how to generate truly unbreakable passwords, check if yours have been leaked, and manage them without losing your mind.
Let me tell you something that should scare you. Right now, as you're reading this, there are machines running 24/7 whose sole purpose is to crack passwords. Not a few passwords. Billions of them. And they're frighteningly good at it.
I've been studying password security for years — watching breaches unfold in real time, analyzing leaked databases, testing cracking tools against my own credentials to see how fast they'd fall. The conclusion I've reached is simple: most people's passwords would be cracked before they could finish reading this paragraph.
This isn't a theoretical exercise. In 2025 alone, over 4.5 billion credentials were exposed in data breaches. Your email address is almost certainly in at least one of those databases. The question is whether the password attached to it is something that can be cracked in seconds — or something that would take longer than the remaining lifespan of the sun.
I wrote this guide because I got tired of vague security advice. "Use a strong password" is about as useful as "eat healthy." Everyone says it, nobody explains what it means. Today I'm fixing that.
Every year, security researchers analyze billions of leaked credentials to determine the most commonly used passwords. Every year, the results are depressing. Here are the top 20 most common passwords as of early 2026:
If any of those are your password — or even close to your password — stop reading and go change it right now. Seriously. I'll wait.
The thing that kills me about this list is how little it changes year to year. "123456" has been the most common password for over a decade. We've had massive breaches, we've had security awareness campaigns, we've had websites begging people to create stronger passwords — and still, millions of people type "123456" into the password field and think they're done.
But here's what's truly alarming: these aren't just passwords for throwaway accounts. These same patterns show up on banking sites, email accounts, and corporate systems. People use "password1" to protect their life savings.
Before I tell you how to generate strong passwords, you need to understand how attackers crack weak ones. Because once you see the mechanics, the solution becomes obvious.
This is the simplest approach. Try every possible combination until you find the right one. "aaa" then "aab" then "aac" all the way to "zzz" and beyond. With a 6-character lowercase password, that's 308 million combinations. Sounds like a lot, right?
A modern GPU can test on the order of 100 billion guesses per second against a fast, unsalted hash such as MD5, SHA-1 or NTLM. That 6-character password falls in approximately 0.003 seconds. Not three seconds — three thousandths of a second. (Sites that store passwords with a deliberately slow function like bcrypt or Argon2 cut that rate by five or six orders of magnitude, which is why the hashing section below matters.)
Bump it to 8 characters with uppercase, lowercase, numbers, and symbols (95 possible characters per position): 6.6 quadrillion combinations. Sounds astronomical. At 100 billion guesses per second, it falls in roughly 18 hours.
At 12 characters with the same character set? 540 sextillion combinations. Now we're talking about 171,000 years at the same speed.
Length matters. Exponentially.
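The arithmetic above, as an added example rather than anything from the original article: it computes search space, entropy and worst-case exhaustion time for each length and character set, and also shows what happens when the site stores a slow hash instead of a fast one. The 100 billion guesses per second figure is the one the text uses; the bcrypt and Argon2id rates are order-of-magnitude assumptions for a single high-end GPU, not measurements.

```python
import math

# Guesses per second on one high-end GPU. 1e11 is the fast-hash rate the text
# uses; the bcrypt and Argon2id figures are order-of-magnitude assumptions.
GUESS_RATES = {
    "fast hash (MD5 / SHA-1 / NTLM)": 1e11,
    "bcrypt, cost 12": 1e5,
    "Argon2id, 64 MiB": 1e3,
}

CHARSETS = {
    "lowercase": 26,
    "lower + upper + digits": 62,
    "printable ASCII": 95,
}


def search_space(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the search space: bits of entropy for a uniformly random password."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case for the attacker: every candidate has to be tried."""
    return search_space(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    units = [("years", 365.25 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            return f"{value:,.0f} {name}" if value >= 1000 else f"{value:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_table(length: int):
    """(charset, hash type, worst-case time) for one password length."""
    rows = []
    for cs_name, cs_size in CHARSETS.items():
        for hash_name, rate in GUESS_RATES.items():
            rows.append((cs_name, hash_name,
                         human_time(seconds_to_exhaust(cs_size, length, rate))))
    return rows


if __name__ == "__main__":
    for length in (6, 8, 12, 16):
        print(f"\nLength {length}:")
        for cs_name, hash_name, when in crack_time_table(length):
            bits = entropy_bits(CHARSETS[cs_name], length)
            print(f"  {cs_name:<24} {bits:6.1f} bits  {hash_name:<32} {when}")
```

Running it reproduces the text's figures (0.003 seconds, about 18 hours, about 171,000 years) in the fast-hash column, and shows the same 8-character password taking years against bcrypt. The hash function the site chose is part of your password's strength whether you like it or not.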
Nobody actually brute-forces from "aaaaaa" to "zzzzzz" anymore. That's the caveman approach. Modern cracking tools use dictionaries — massive word lists compiled from every previous data breach.
These dictionaries don't just contain the word "password." They contain every variation humans have ever used:
A typical cracking setup combines wordlists holding billions of entries from past breaches with rule engines that generate mutations on the fly. Your "clever" substitution of @ for a? It's a rule. Your birth year appended to your pet's name? A rule. Your favorite movie character with a ! at the end? A rule.
Here's a quick explanation for the non-technical folks. Websites (should) store your password as a "hash" — a one-way mathematical transformation. Your password "fluffy123" gets turned into something like "a7f3b9c2d1e4f5..." and that's what's stored. When you log in, the site hashes what you type and compares it to the stored hash.
A rainbow table is a precomputed table of hash chains, a time/memory tradeoff: the attacker hashes trillions of candidate passwords once, in advance, and later recovers any of them from a stolen hash with a quick lookup instead of recomputing.
Good sites use "salting" — adding a unique random value to each password before hashing — which defeats rainbow tables, because a table would have to be rebuilt for every salt. Salt alone is not enough, though: MD5 and SHA-1 are designed to be fast, so a salted MD5 hash still falls to the 100-billion-guesses-per-second attack described above. Proper storage uses a deliberately slow, salted password hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count). Not all sites do this. Some still use plain MD5 or SHA-1 without any salt, and if your password exists in a rainbow table, it is compromised the instant the database leaks.
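Both storage schemes side by side, as an added example that is not from the original article: an unsalted MD5 store that a precomputed table answers instantly, and a per-user salted PBKDF2-HMAC-SHA256 store that the same table cannot touch. PBKDF2 is used only because it ships in Python's standard library; bcrypt, scrypt or Argon2id are the usual production choices. The "common password" list is a constructed stand-in for a real cracking dictionary.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracking dictionary. The attacker hashes it once,
# keeps the table, and never has to hash anything again at leak time.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "fluffy123", "letmein"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_unsalted_md5(password: str) -> str:
    """What a careless site stores: the same output for the same password,
    on every site, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_from_table(stored_hash: str):
    """The attacker's side: one dictionary lookup."""
    return PRECOMPUTED_MD5.get(stored_hash)


def store_salted_slow(password: str, iterations: int = 600_000) -> str:
    """What a careful site stores: a random 16-byte salt per user and a
    deliberately slow key derivation. Record format is a hypothetical
    '$'-separated string chosen for this example."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_slow(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(password: str = "fluffy123") -> dict:
    """Leak the same password stored both ways and see what the table gives."""
    bad = store_unsalted_md5(password)
    good = store_salted_slow(password)
    return {
        "unsalted_md5": bad,
        "recovered_from_table": recover_from_table(bad),
        "salted_record": good,
        # The salted digest never appears in any precomputed table.
        "table_hit_on_salted": recover_from_table(good.split("$")[-1]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing when you run it: storing "fluffy123" twice with the salted scheme produces two different records, so an attacker cannot even tell that two users share a password, and the slow derivation cost that a legitimate login pays once per attempt is paid by the attacker for every guess.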
This one doesn't crack your password at all. Attackers take email/password combinations from one breach and try them on other services. Because most people reuse passwords across multiple accounts, this works with terrifying frequency.
An estimated 65% of people reuse the same password across multiple services. If LinkedIn gets breached and your password there was "MyDog$Max2024," attackers will try that same combination on Gmail, Amazon, Netflix, your bank, and every other popular service. Automatically. Within hours of the breach becoming available.
This is why using a unique password for every account isn't optional advice. It's survival.
Now that you understand the threats, let's build a defense. A strong password needs to survive all of the attack methods above. Here's what that requires:
This is the most important thing I'll say in this entire post: length beats complexity every single time.
Let me prove it with math.
"P@$$w0rd!" (9 characters, highly complex):
"correct horse battery staple" (28 characters, four common words):
The first password looks secure. It has every character type. It would pass almost every website's password requirements. And it would fall instantly.
The second password looks simple. It's four common English words. But its strength doesn't come from the character count; it comes from how the words were chosen. Four words picked at random from a 7,776-word list give about 52 bits of entropy, roughly 3.7 quadrillion equally likely phrases, far beyond anything a rule-based mutation of "password" will ever reach. One caveat: "correct horse battery staple" itself is now famous, so it sits in every cracking dictionary. Use the method, not that phrase.
Based on current cracking speeds and projected hardware improvements over the next decade, here are my recommendations:
If you take nothing else from this post: make your passwords at least 16 characters long.
Length is primary, but mixing character types does help — not because it makes dictionary attacks harder (those test mixed character sets too), but because it increases the search space for brute-force attacks.
A 16-character password using only lowercase letters: 26^16 ≈ 4.4 × 10^22 combinations (44 sextillion). A 16-character password using all 95 printable ASCII characters: 95^16 ≈ 4.4 × 10^31 combinations (44 nonillion).
That's a factor of about 1 billion difference. Not nothing. But length closes that gap quickly: each lowercase character adds about 4.7 bits of entropy and each printable-ASCII character about 6.6, so a 20-character lowercase password (26^20 ≈ 2 × 10^28, about 94 bits) is already far beyond anything brute force can reach, and at 23 characters (26^23 ≈ 3.5 × 10^32) lowercase alone exceeds the 16-character all-ASCII password.
Translation: a handful of extra characters is worth as much as an entire extra character class, and is far easier to remember. Use both when a generator is doing the remembering for you; when you have to remember it yourself, make it longer.
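The length-versus-character-class comparison, as an added example that is not from the original article: it reports bits per character for each class and computes the length a restricted character set needs to match a richer one. The class sizes (26, 62, 95) are the section's own.

```python
import math

# Character classes from the text: 26 lowercase, 62 lower+upper+digits,
# 95 printable ASCII.
CLASSES = {"lowercase": 26, "lower+upper+digits": 62, "printable ASCII": 95}


def bits_per_char(charset_size: int) -> float:
    return math.log2(charset_size)


def total_bits(charset_size: int, length: int) -> float:
    return length * math.log2(charset_size)


def length_to_match(target_charset: int, target_length: int, my_charset: int) -> int:
    """Smallest length in my_charset whose search space is at least as large
    as target_charset ** target_length."""
    needed = total_bits(target_charset, target_length) / bits_per_char(my_charset)
    return math.ceil(needed)


def extra_chars_equal_to_class_upgrade(length: int, from_cs: int, to_cs: int) -> int:
    """How many extra characters of the *smaller* class buy the same entropy as
    switching the whole password of this length to the larger class."""
    gained = length * (bits_per_char(to_cs) - bits_per_char(from_cs))
    return math.ceil(gained / bits_per_char(from_cs))


def comparison_table(lengths=(8, 12, 16, 20, 24)):
    """Per length: bits in each class, and the lowercase length that matches
    the printable-ASCII password of that length."""
    rows = []
    for n in lengths:
        rows.append({
            "length": n,
            **{name: round(total_bits(size, n), 1) for name, size in CLASSES.items()},
            "lowercase_len_to_match_ascii": length_to_match(95, n, 26),
        })
    return rows


if __name__ == "__main__":
    for name, size in CLASSES.items():
        print(f"{name:<20} {bits_per_char(size):.2f} bits per character")
    for row in comparison_table():
        print(row)
```

The numbers bear out the section's thesis without the shortcut: 26^20 is about 94 bits, 95^16 about 105, and it takes 23 lowercase characters before lowercase alone overtakes the 16-character all-ASCII password.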
Okay, so you need long passwords. But how do you remember a 20-character random string? You don't. You use passphrases instead.
A passphrase is a password made of multiple words instead of random characters. The concept was popularized by security researchers who recognized that humans are terrible at remembering random characters but excellent at remembering word sequences.
Here's the recipe:
Examples of strong passphrases:
I need to stress the word random here. These need to be randomly selected words, not words that relate to each other or to you.
Bad passphrases (predictable patterns):
Attackers have compiled dictionaries of common phrases, song lyrics, movie quotes, and book passages. If your passphrase is a meaningful sentence, it's in their dictionary.
Good passphrases are weird. They're memorable BECAUSE they're weird. "telescope margin invoice walrus" is easy to remember because you can picture a walrus doing taxes with a telescope. But no attacker would predict that combination.
The gold standard for passphrase generation is the Diceware method: rolling physical dice to select words from a numbered list of 7,776 words, so the selection is truly random. Each word adds log2(7776) ≈ 12.9 bits of entropy, so a 5-word passphrase hits about 65 bits and a 6-word passphrase about 78 bits. More than enough for most purposes.
But who owns dice anymore? This is where password generation tools come in.
Here's an uncomfortable truth: you're bad at being random. Humans have well-documented biases in how we generate "random" data. We favor certain numbers, avoid repeating characters, create patterns without realizing it, and gravitate toward familiar letter combinations.
When researchers studied human-generated "random" passwords, they found that people consistently produced passwords with 20-40% less entropy than a truly random string of the same length. Your "random" password isn't as random as you think.
This is why password generators exist. They use cryptographically secure random number generators — the same kind used to generate encryption keys — to produce passwords with maximum entropy for their length.
When you use a random password generator, look for these features:
Client-side generation — The password should be generated in your browser, on your device. It should never be sent to a server. If a password generator requires an internet connection, be suspicious.
Configurable length — You should be able to set the length to whatever you want. Minimum 16 characters, but ideally up to 64 or 128.
Character set options — Choose which character types to include (uppercase, lowercase, numbers, symbols). Some sites restrict certain characters, so you need flexibility.
Passphrase mode — The option to generate word-based passphrases in addition to random character strings.
No storage — The generator shouldn't save, log, or transmit the passwords it creates.
Entropy display — A good generator tells you how many bits of entropy your password has, so you can make informed decisions.
I maintain a password generator that checks all these boxes — it runs entirely in your browser, never transmits anything, and lets you customize length, character sets, and generation method. I built it because I got frustrated with online generators that send your password through their server or force you to create an account first.
You know those colored password strength meters on websites? The ones that show red for "weak" and green for "strong"? Most of them are almost useless.
I've tested dozens of these meters. "P@ssw0rd!" shows as "Strong" on roughly 40% of websites. "aaaaaaaaaaaaaaaa" (16 lowercase a's) shows as "Strong" on about 25%. Meanwhile, "correct horse battery staple" — an actually decent passphrase — shows as "Weak" on many sites because it "lacks numbers and symbols."
These meters check for character diversity and length, but they don't check against breach databases or common patterns. A proper strength checker should estimate actual crack time against modern hardware, check against known breaches, and identify common patterns and keyboard walks.
I built a password strength checker that estimates crack time based on actual attack methods, not just character counting. It's one thing to know your password has 12 characters; it's another to know it would fall in 3 seconds to a dictionary attack.
Here's a scenario that plays out millions of times daily. Someone creates what they think is a strong password. They use it on multiple accounts. One of those services gets breached. Now their "strong" password is in a public database, and it doesn't matter how many characters it had — it's known.
You need to check whether your credentials have been leaked. Not once. Regularly.
Think about it this way. A 32-character random password is virtually uncrackable through brute force. But if the service that stores it gets hacked and the database is leaked in plaintext (which still happens more often than you'd think), your 32-character masterpiece is now sitting in a text file on a hacking forum. Its strength is irrelevant. It's known.
Breach checking tells you whether this has happened. It scans databases of known breached credentials — we're talking databases with over a thousand documented breaches and billions of exposed records — and tells you if your email or password appears in any of them. One rule for password checks specifically: never paste a password you use into a form that sends it to a server. A well-designed checker hashes it locally and sends only the first few characters of the hash (the "k-anonymity" approach), so the service can answer without ever learning the password.
There are several reputable breach-checking services. You can try our digital safety score tool which checks your email against a comprehensive breach database with over 1,000 documented breaches and tells you exactly which ones you appear in.
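The k-anonymity exchange used by Have I Been Pwned's Pwned Passwords API, shown here as an added example (not the article's tool, and not affiliated with either service): the password is SHA-1 hashed locally, only the first five hex characters are sent, and the client searches the returned suffix list itself. The sample response below is constructed; its first suffix is the real one for the word "password", but the counts are invented and the zero-count line stands in for the padding entries the API returns when asked to hide response sizes.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """(5-char prefix that leaves the device, 35-char suffix that never does)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range(body: str) -> dict:
    """Response lines are 'SUFFIX:COUNT'; padding entries carry count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in breaches (0 if absent)."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, user_agent: str = "example-breach-check") -> str:
    """Live lookup; needs network and is not called by the tests. Add-Padding
    makes every response roughly the same size, so an observer on the wire
    learns nothing from response length either."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. Counts are made up.
SAMPLE_RESPONSE = """
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
00A1B2C3D4E5F60718293A4B5C6D7E8F90A:3
FFFEDCBA9876543210FEDCBA9876543210F:0
"""


def check_offline(password: str) -> dict:
    prefix, suffix = split_hash(password)
    return {"sent_to_server": prefix, "kept_local": suffix,
            "count": breach_count(password, SAMPLE_RESPONSE)}


if __name__ == "__main__":
    print(check_offline("password"))
    print(check_offline("telescope margin invoice walrus"))
```

The same pattern applies to any breach-check feature you build into a sign-up form: hash on the client, send the prefix, and never let a plaintext password cross a boundary it does not already need to cross.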
The key information you'll get:
If your email shows up in a breach:
Don't panic. Being in a breach database doesn't mean someone has accessed your accounts. It means the data is out there.
Change the password on the breached service immediately. Use a newly generated password, 16+ characters.
Check every other account where you used the same password. Yes, every one. Change all of them. Yes, all of them. This is the painful part, and it's why unique passwords matter.
Enable two-factor authentication on the breached service and any other service that supports it.
Watch for phishing attempts. After breaches, attackers often send targeted phishing emails using the leaked information to seem legitimate.
Set up breach monitoring. Many services can alert you automatically when your email appears in a new breach.
At this point, you might be thinking: "You want me to use a unique 16+ character password for every single account? I have 137 accounts. That's literally impossible to remember."
You're right. It is impossible to remember. That's why password managers exist.
A password manager is a secure vault that stores all your passwords, encrypted with a key derived from a single master password. You remember one password, and the manager remembers the other 136.
Here's how the workflow changes:
Before password manager: Go to website. Try to remember which variant you used. Try three guesses. Click "Forgot Password." Create a new one. Use the same password you use everywhere else.
After password manager: Go to website. Auto-fill. Done.
Cloud-based managers (1Password, Bitwarden, Dashlane): Sync across all devices, browser extensions for auto-fill, $3-5/month for premium. Your encrypted vault is stored on their servers.
Local-only managers (KeePass): Your vault stays on your device. You control the sync. Free, open source, more technical to set up.
Browser built-in managers (Chrome, Firefox, Safari): Already installed, zero friction. Sync across devices in the same browser ecosystem. Less feature-rich but perfectly functional.
Honestly? Any of them. The best password manager is the one you'll actually use. Using Chrome's built-in password manager is infinitely better than using "password123" everywhere.
That said, if you're choosing from scratch:
Your password manager is only as secure as its master password. This is the one password you actually need to memorize, and it needs to be excellent.
My recommendation: use a 5-6 word passphrase as your master password. Something in the style of "quantum!plaza!orchid!7!helmet", extended to five or six randomly chosen words: long, random, memorable, and practically uncrackable. Pick the words with dice or a generator, not from your head.
Write this passphrase down on paper and store it somewhere physically secure (safe, lockbox, etc.). Not digitally — on paper. If you lose access to your password manager and can't remember the master password, you lose access to everything.
A strong password is your front door lock. Two-factor authentication (2FA) is the deadbolt. You need both.
Even if someone steals your password — through a breach, phishing, or keylogger — they can't access your account without the second factor. It's the difference between "I know your password" and "I know your password AND I have your phone." One caveat: codes you type (SMS, email, authenticator apps) and push approvals can be phished in real time by a fake site that relays them to the real login as you enter them. Hardware security keys and passkeys are bound to the site's origin and resist that, which is why they rank highest below.
Hardware security keys (Best):
Authenticator apps (Great):
Push notifications (Good):
SMS codes (Better than nothing):
Email codes (Bare minimum):
If you can only enable 2FA on five accounts, make it these:
Here's where I'm going to disagree with what your IT department probably tells you.
For decades, security policies demanded password changes every 60-90 days. This sounds logical. Fresh passwords mean less exposure time if one is compromised, right?
Research — including NIST's current guidance (SP 800-63B, from the U.S. National Institute of Standards and Technology) — now shows that forced password rotation does more harm than good. Here's why:
People use predictable patterns. When forced to change passwords quarterly, people do "Password1" in Q1, "Password2" in Q2, "Password3" in Q3. Attackers know this.
Complexity suffers. When people know they'll have to remember a new password in 90 days, they choose simpler ones. The math is clear: a strong permanent password beats a series of weak rotating ones.
People write passwords down insecurely. Sticky notes on monitors, text files on desktops, emails to themselves. Forced rotation drives insecure storage.
It creates password fatigue. People stop caring about password quality when they're changing passwords constantly.
Change your password when:
Otherwise? A strong, unique, unbreached password can serve you indefinitely.
Security questions are password security's dirty secret. You might have an ironclad 24-character password, but if your security question is "What city were you born in?" and that information is on your Facebook profile, an attacker can bypass your password entirely.
Most security questions ask for information that's either:
Seriously. Treat security questions as additional passwords.
"What city were you born in?" → "turquoise elephant symphony"
"What's your mother's maiden name?" → "correct horse battery"
"What was your first car?" → "73!quantum!nebula"
Store these fake answers in your password manager alongside the account password. The security question doesn't verify truth — it verifies that you can reproduce the same answer.
If the security question answer field allows long text, paste in a randomly generated string. "What's your favorite movie?" → "xK9#mP2$vL5@nQ8" — store this in your password manager, and now your security question is just as strong as your password.
Fingerprints, face scans, iris recognition — biometrics are convenient. They're also widely misunderstood.
Your fingerprint can be lifted from a glass. Your face can be photographed. Unlike passwords, biometrics can't be changed — you can't get new fingers if your fingerprint hash is compromised. And in many jurisdictions, courts can compel you to unlock a device with your fingerprint but not with a password.
Use biometrics as a convenience layer on top of passwords, not as a replacement. Your phone unlocks with your face? Great — but the actual encryption key behind it should be your passcode.
Passkeys are the newest development in authentication, and they're genuinely exciting. They might eventually make passwords obsolete — but we're not there yet.
Instead of a password, your device generates a cryptographic key pair. The private key stays on your device (protected by biometrics or a PIN). The public key goes to the website. When you log in, your device signs a challenge from the site, proving it holds the private key without ever sending it. The site never holds anything a thief could reuse: a leaked public key is useless without the private key, and because the signature is bound to the site's domain, a look-alike phishing site can't obtain a valid login. There's nothing reusable to steal, nothing to phish, nothing to crack. They're built into Apple, Google, and Microsoft devices natively.
Despite passkeys being phishing-proof and breach-proof, you'll still need passwords for a while. Only about 20% of major websites support passkeys in 2026. Cross-platform support between Apple and Google ecosystems isn't seamless. And your password manager still needs a master password.
My advice: enable passkeys wherever available, but keep your password game strong. We're in a transition period.
I've mentioned this several times, but it deserves its own section because it's that important.
Every account must have a unique password. No exceptions.
Here's the attack chain:
This isn't theoretical. Credential stuffing accounts for a large share of unauthorized account access, and it isn't sophisticated hacking. It's just trying the same key in every door.
You're not supposed to. That's the password manager's job. Once you make the switch, the process is:
The transition takes an afternoon. Every time you log into a service, let the password manager save the credentials. Or spend a Saturday going through your accounts and updating them all at once. It's a one-time investment that protects you for life.
Enough theory. Here's exactly what to do, right now, today.
Check if your current credentials have been exposed. Use a digital safety score tool that checks your email against known breach databases. This tells you which accounts need immediate attention.
Pick one. Any one. Bitwarden is free and excellent. Your browser's built-in manager works too. Just pick something.
Start with the big five:
Use a password generator to create unique 20+ character passwords for each. Copy them into your password manager.
On every account that supports it, in this order:
Use an authenticator app, not SMS if possible.
You don't have to change all 137 passwords today. But every time you log into a service, take 30 seconds to update the password to a generated one and save it in your manager. Within a month, you'll have cycled through most of your regularly used accounts.
Use a breach monitoring service that alerts you when your email appears in new breaches. This way you'll know immediately when a service you use gets compromised, instead of finding out months later.
Set a calendar reminder every three months:
Use your password manager's sharing feature. Never send passwords via text message, email, or chat — these are stored in plaintext and potentially interceptable. Password managers have built-in secure sharing that revokes access when you want.
Keep these absolutely separate. Different passwords, ideally different email addresses. If your employer's systems are breached, your personal accounts shouldn't be affected, and vice versa.
Before traveling internationally:
Set up a family password manager early. Teach kids about password security before they develop bad habits. Create their accounts with generated passwords from day one.
Someone you trust needs to be able to access your accounts if something happens to you. Most password managers support emergency access — a designated contact who can request access after a waiting period. Set this up.
Automated attacks don't target you specifically. They target everyone. Bots don't care if you're a CEO or a retired schoolteacher. They try stolen credentials against every account they can find.
"Password1" is in literally every cracking dictionary. So is "Password2" through "Password9999." Appending numbers is the most predictable mutation humans make.
A compromised throwaway account can be the entry point for social engineering, phishing attacks, or credential stuffing against your important accounts. Every account matters.
"@#$%^&*!" is 9 characters. It would be cracked in seconds. Special characters increase the character set, but they don't compensate for short length.
Only if you're changing to a strong, unique password each time. Cycling through predictable variations is worse than keeping one strong password.
A piece of paper in a locked safe is more secure than a weak password you can remember. The threat model for most people is remote attackers, not someone physically breaking into their home. Paper has its place — just not the sticky note on your monitor.
Print this out. Put it on your wall. Share it with your family.
If you read this entire post and do nothing, it's worthless. So here's the absolute minimum you should do right now — it takes five minutes:
Minute 1: Go to a password generator and generate a 20-character password. Copy it. See how it feels.
Minute 2: Check your email on a breach checker. See which breaches you appear in. Let that motivate you.
Minutes 3-4: Change the password on your primary email account to a newly generated one. Write it down temporarily on paper.
Minute 5: Download a password manager. Any one. Save your new email password in it.
You've just made yourself more secure than roughly 80% of internet users. Everything else in this guide can happen over the coming days and weeks. But those five minutes? They need to happen today.
Password security isn't exciting. Nobody's going to congratulate you for having a 24-character randomly generated password on your streaming account. But security is like insurance — nobody thinks about it until they need it, and by then it's too late.
The technology landscape in 2026 offers us incredible tools. Random password generators that create truly uncrackable credentials in milliseconds. Password managers that remove the burden of memorization entirely. Breach databases that tell us exactly which of our accounts have been compromised. Two-factor authentication that stops attackers even when they have our password. Passkeys that are beginning to make passwords obsolete entirely.
The tools exist. The knowledge exists. The only missing piece is action.
Go generate a strong password. Right now. Your future self will thank you.
I build and maintain a collection of 460+ free browser-based tools — including a password generator, a password strength checker, and a digital safety score breach checker — at akousa.net. Everything runs locally in your browser. No accounts, no uploads, no tracking.