4 tips to create a strong password and keep your accounts secure in 2025


It’s no secret that strong passwords are essential for securing the dozens (or more) of online accounts you use each day, from email to dating apps. However, many people struggle with creating strong, unique passwords for all their accounts; it can seem simpler to use shorter passwords or reuse the same one across multiple platforms.

But from a digital security standpoint, weak or identical passwords are dangerous. To help you strengthen your cyber-defenses, this guide offers four tips to create strong passwords and how to remember and store them once you do. You’ll also learn how hackers try to steal passwords—and how to outsmart them.

Why strong passwords matter

Before we dig into the details, it’s important to understand why strong passwords are so important. The clearest reason is this: passwords are one of the first lines of defense for your online accounts and your digital identity. If you want to keep prying eyes, hackers, and bad actors at bay, you want that line of defense to be as strong as possible.

If you use passwords that are too short, simple, or easy to guess, cybercriminals can easily gain access to your accounts. They could log into your online banking, view your emails, and even steal your identity altogether. The risks are vast, and the consequences can be devastating.

The risks of weak passwords

Weak passwords make it much simpler for unauthorized users to log into your accounts, which could lead to:

  • Financial losses: If a bad actor gets access to your online banking or payment platform passwords, they can use them to steal your money.
  • Identity theft: If you use the same weak passwords across multiple platforms, like social media, someone could take control of all these accounts and use them to effectively steal your identity.
  • Invasion of privacy: You might have a lot of personal information or content, such as images, messages, and videos, stored on certain accounts. If they’re not protected by strong passwords, strangers could gain access. 
  • Emotional distress: Hacked accounts and cracked passwords cause intense emotional stress—victims often worry about what will happen next and how to regain control of their profiles.
  • Impact on your friends and family: If someone gains access to your social media or email account, they can impersonate you and trick the people closest to you, for example, asking them for money.
  • Reputational damage: Losing control of your accounts can affect your reputation and credibility. People may be less likely to trust you with sensitive information or important responsibilities.

How hackers steal passwords

  • Phishing attacks: Phishing scams trick users into giving up their personal data, including usernames and passwords, to a hacker. This is usually done via scam emails and links that lead to fake login pages mimicking trusted websites, like Amazon. The user enters their data and inadvertently delivers it to the hackers.
  • Brute force attacks: These involve special software that is designed to test a huge number of possible passwords in a short amount of time. They can crack an eight-character password in just two hours—showing why longer, more complex passwords matter.
  • Dictionary attacks: Similar to brute force attacks, dictionary attacks involve trying many possible passwords—but instead of using random character combinations, they focus on common words and phrases, like those found in a dictionary.
  • Credential stuffing: This method involves hackers using stolen or leaked username and password data, often from the dark web. They look at the passwords that people have used on certain platforms and then test them on other sites and services, because many people reuse passwords across different accounts.
  • Keylogging: This is a more advanced method, involving the use of a specific type of malware, called a keylogger, which records every key a user presses. Hackers can then use the data to figure out passwords.
  • Guessing: One simple technique hackers use is guessing passwords based on personal information they’ve found about someone. This can work if the password includes easy-to-find details, like birthdays, pet names, or anniversaries.

4 tips to create a strong password

We’ve seen why strong passwords matter. Now, here’s how to create one.

1. Use a mix of letters, numbers, and symbols

The first tip is to mix it up. There’s no need to use actual words or phrases (unless you want to create a secure passphrase); nor do you need to limit yourself to the letters of the alphabet. Instead, mix in numbers and symbols to make your passwords harder to crack. Be sure to include both uppercase and lowercase letters.

The more complex your password, the harder it’ll be to crack. A random password generator can help you create complex passwords in an instant. Tools like ExpressVPN Keys include built-in generators that make it easy to create strong, unique passwords with just a few clicks.

2. Make passwords at least 12 characters long

The longer your password, the stronger it is—ideally, it should be at least 12 characters. Longer passwords give brute force tools more to work through, making them much harder to crack.

Even if a website has a minimum character limit of just six or eight characters, you should use more than that. Some experts even recommend using 16 characters or more.

3. Don’t use common words and phrases

Earlier on, we mentioned how hackers can use dictionary attacks to figure out passwords. These attacks involve testing lots of common words from the dictionary in the hopes that one will eventually work. But if you avoid using common words or phrases entirely, you’ll make it much harder for this type of attack to succeed.

Here’s what to avoid:

  • Simple numerical patterns, like “1234”
  • Common single words, like “password”
  • Typical keyboard patterns, like “qwerty”
  • Names of friends, family, or pets
  • Nicknames
  • Dates, like birthdays and anniversaries
  • Words in reverse
  • Important places from your life, like schools and cities
  • Common symbol substitutions, like using “@” instead of “a”
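
A checker for the avoid list above, as an added example (not part of the original article or of any ExpressVPN tool). The word and keyboard lists are constructed and deliberately tiny, and `personal` is a hypothetical parameter for names or places the user supplies.

```python
import re

# Constructed, deliberately tiny lists; a real checker loads a large
# breached-password list instead.
COMMON_WORDS = {"password", "welcome", "dragon", "letmein"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1qaz2wsx")
# Undo the usual look-alike swaps ("@" for "a", "0" for "o", ...).
UNDO_SWAPS = str.maketrans("@4013$5!", "aaolessi")
# A year, or a day/month/year written with separators.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")


def _is_sequence(digits):
    """True for digit runs such as 1234, 4321 or 1111."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1}, {0})


def weak_patterns(password, personal=()):
    """Return which items of the avoid list apply to `password`."""
    lower = password.lower()
    undone = lower.translate(UNDO_SWAPS)
    reasons = set()
    if any(_is_sequence(run) for run in re.findall(r"\d{4,}", lower)):
        reasons.add("numeric pattern")
    if any(run in lower for run in KEYBOARD_RUNS):
        reasons.add("keyboard pattern")
    if DATE_RE.search(lower):
        reasons.add("date")
    for word in COMMON_WORDS | {p.lower() for p in personal}:
        kind = "common word" if word in COMMON_WORDS else "personal detail"
        if word in lower:
            reasons.add(kind)
        elif word in undone:
            reasons.add("symbol substitution")
        elif word in lower[::-1] or word in undone[::-1]:
            reasons.add("reversed word")
    return sorted(reasons)


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("P@ssw0rd", "drowssap1234", "qwerty!!", "vT9#qL2!mZ7&xR4k"):
        print(pw, weak_patterns(pw))
```

An empty result only means none of these patterns matched; it says nothing about length or about whether the password has already leaked.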

4. Create passphrases for easy memorization

Passphrases are a slight variation on passwords. Instead of being a jumble of random letters and symbols, a passphrase is made up of a series of words. These words should be random and unrelated, and you can mix in numbers and special characters rather than using letters alone (for example, “Ocean*Tiger@Lemon#Skateboard!”).

The advantage of passphrases is that you can memorize the words or even base them on things you enjoy, like song lyrics or movie quotes. Just avoid using any information that someone could guess if they know you personally or check your social media.
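
Tips 1, 2 and 4 in one added example (not code from the article or from ExpressVPN Keys): a generator that draws from the operating system's secure random source, plus the arithmetic behind "longer is stronger". The demo word list is constructed, and the 7776-word list size (five dice rolls per word) is an assumption used only for the entropy figures.

```python
import math
import secrets
import string

# Tip 1 pool: upper, lower, digits and symbols = 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
# Constructed demo list, far too small for real use; a five-dice word list
# has 6**5 = 7776 entries, which is the size assumed in the figures below.
DEMO_WORDS = ["ocean", "tiger", "lemon", "skateboard",
              "violin", "cactus", "marble", "pepper"]
DICE_LIST_SIZE = 6 ** 5


def generate_password(length=16):
    """Draw every character from the OS CSPRNG; retry until all four
    character classes appear (this trims the search space only slightly)."""
    if length < 12:
        raise ValueError("tip 2: use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def generate_passphrase(n_words=4, words=DEMO_WORDS, sep="*"):
    """Pick words independently at random, never from personal details."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(n_words))


def entropy_bits(pool_size, picks):
    """Bits of entropy for `picks` independent uniform choices."""
    return picks * math.log2(pool_size)


def extra_work(pool_size, length, baseline_length=8):
    """How many times more candidates there are than at the baseline length."""
    return pool_size ** (length - baseline_length)


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n} random chars: {entropy_bits(94, n):.1f} bits, "
              f"{extra_work(94, n):,}x the 8-char search space")
    for n in (4, 6):
        print(f"{n} dice-list words: {entropy_bits(DICE_LIST_SIZE, n):.1f} bits")
    print(generate_password(), generate_passphrase())
```

These figures hold only when every character or word is chosen at random; a phrase a person picks, such as a lyric or quote, has far fewer plausible candidates than the formula suggests.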

How to remember strong passwords

The hardest part about strong, unique passwords? Remembering them. Luckily, there are tools that can help.

Use a password manager to store your passwords

One of the issues with having complicated, long, and unique passwords for your many accounts is they’re hard to remember and even harder to type out each time. That’s where password managers like ExpressVPN Keys come in. 

With Keys, you can store as many passwords, secure notes, and credit card details as you need—so you don’t have to remember anything. It also offers features like autofill, so you can log into websites and apps more easily.

Should you write down passwords?

There are mixed views about the idea of physically writing down your passwords in a notebook or journal. On the one hand, it’s a functional way to keep a record of your passwords, and if you store it somewhere very safe, then cybercriminals won’t have any way of getting to it.

On the other hand, it depends on where you store your notes. Someone could break into your home and stumble upon your notebook, instantly gaining access to all your data. Plus, you have to physically check and update your notebook regularly, which isn’t exactly convenient.

Overall, using a password manager is a far better option.

Using mnemonic techniques

Mnemonics are memory tricks people use to remember specific things, like the colors of the rainbow or the planets of the solar system. You can also use mnemonics to remember passwords made of random words or phrases. If your password is more of a jumble, a quick story or rhyme can help you recall it.

This can help you remember your most important passwords. But with the average person nowadays having over 100 accounts, you likely won’t remember them all.

How to test your password strength

Once you’ve created a password, you can test its strength using a password-checking tool. These tools estimate how resistant your password is to various types of attacks by analyzing its length, character variety (uppercase, lowercase, numbers, symbols), and predictability.

Some advanced strength meters, like the one included with ExpressVPN’s password manager, use heuristic analysis and zxcvbn, an open-source password strength estimator that evaluates passwords against a large database of leaked credentials and shared behavior patterns. 

ExpressVPN Keys also uses the Have I Been Pwned database to check whether your password has been found in any known data breaches. If it flags that your password has appeared in past breaches, you should avoid using it and immediately change your credentials.
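
A breach lookup can be done without sending the password anywhere. The added example below (not ExpressVPN Keys' code; how Keys performs its check is not described here) follows the public Pwned Passwords range API, where only the first five hex characters of the SHA-1 hash leave the device. The response body and its counts are constructed so the block runs offline.

```python
import hashlib


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query_prefix(password):
    """The only value sent to the service: the first 5 of 40 hex characters."""
    return sha1_hex(password)[:5]


def breach_count(password, range_body):
    """Compare the remaining 35 hex characters locally against a range
    response, whose lines have the form SUFFIX:COUNT."""
    suffix = sha1_hex(password)[5:]
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body(breached_password, count):
    """Constructed stand-in for a response: one matching line among filler
    lines. In live use the body comes from an HTTPS GET to
    https://api.pwnedpasswords.com/range/<prefix>."""
    filler = [f"{sha1_hex(f'filler-{i}')[5:]}:{i + 1}" for i in range(3)]
    match = f"{sha1_hex(breached_password)[5:]}:{count}"
    return "\r\n".join(filler[:2] + [match] + filler[2:])


if __name__ == "__main__":
    body = constructed_range_body("password", 12345)  # constructed count
    print("sent to service:", range_query_prefix("password"))
    print("times seen:", breach_count("password", body))
    print("times seen:", breach_count("vT9#qL2!mZ7&xR4k", body))
```

Any non-zero count means the password is on attackers' word lists and should be replaced, regardless of how long or complex it looks.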

How to keep your passwords safe

Enable two-factor authentication (2FA)

Two-factor authentication (2FA) is a key security feature available on many websites and platforms, from online banks to email. With 2FA, you enter your password and then verify your identity another way—like a code sent by SMS or email or a biometric login. This means that even if someone guessed your password, they still wouldn’t be able to access your account without that second layer of protection.

Avoid using the same password on multiple sites

Reusing the same password across multiple accounts is a major risk. If a hacker cracks just one, they can use it to access every other account that shares that password—giving them a wide window into your digital life.

Even if you catch the breach quickly, you’d still have to change your password on every affected account to lock them out. But if each account has a unique password, one breach won’t affect the rest. The damage is limited, and fixing the issue is far less stressful.

Change compromised passwords immediately

If you suspect that a password has been hacked, leaked, or exposed in any way, act fast. Change it right away to contain the damage and keep your accounts secure. Password managers like Keys can alert you if a password you’ve saved is exposed in a data breach, so you know when to update it.

FAQ: Creating strong passwords and keeping accounts secure

What’s an example of a strong vs. weak password?

How often should I change my password?

Are password managers safe?

What is the 8-4 rule for creating strong passwords?

What’s better: a long password or a complex one?

What makes a good password?

Michael Pedley is a writer at the ExpressVPN Blog. With over 15 years of experience in content creation and digital publishing, he knows how to craft informative, useful content, with thorough research and fact-checking to back it up. He strives to make complex cybersecurity topics accessible and understandable to the broadest audiences. In his spare time, Michael likes writing fiction, reading murder mystery novels, and spending time with his family.