
Strong Password Examples and How to Create Them

The best password is a strong password, but you’re not alone if you’re struggling to come up with unique, good password ideas. An uncrackable password keeps hackers out while helping to safeguard your accounts and personal data. Learn how to create a strong password with our safety tips and examples, then get Avast BreachGuard for alerts about data leaks involving your online accounts.

Published on November 19, 2021
Updated on December 08, 2025

    How to make a secure password

    The best way to create a strong password is to use passphrases, which are long phrases made up of 5-7 random words. You can also use a trusted password manager to suggest randomized, 15-character strings of capital letters, numbers, and special characters to protect your password against cracking and other hacking attempts.


    Did you know?
    “Password entropy” measures a password’s unpredictability; in other words, how hard it is to guess. Higher password entropy means a stronger password. Using a password manager is one of the easiest ways to achieve higher password entropy, thanks to the default length and true character randomization.
    The strongest predictor of high password entropy is length.

    We’ve identified three best practices to give you stronger password ideas:

    Avoid simple passwords

    Don’t use obvious or typical password ideas. Here’s a short list of password types to avoid:

    • A sequential list of numbers or letters, like “abcde” or “12345.”

    • A password that contains all or part of your username.

    • Any personal info, such as your birthday or the town you grew up in.

    • A string of repeated characters, like “aaaaa” or “0000.”

    • The word “password.” Believe it or not, yes, people still do this.

    Leave personal info out of your password. Thanks to social media, hackers can easily collect basic info that you’ve shared (or overshared) online, and they’ll use everything they can find in their cracking attempts.

    Make it brute force-proof

    Brute force attacks run through one combination of characters after another until finally generating the one you selected as your password. Here’s how to counter this technique:

    • 15 to 20 characters or more: According to updated guidelines published by the National Institute of Standards and Technology (NIST), length is your best defense. Each additional character in your password massively increases its potential combinations, resulting in higher password entropy and prolonging the amount of time needed to brute force your password.

    • Use multiple character types: Especially when using a password manager, it’s best to generate randomized passwords that use uppercase and lowercase letters as well as symbols and numbers. When you include all character types strategically (i.e. randomly), you maximize the number of possibilities per character, which makes your password harder to crack. Don’t forget to use at least 15 characters for the best defense.

    • Avoid common character substitutions: Hackers program their cracking software to account for typical character swaps, or “leetspeak” (l337 $p34k), like “0” instead of “O” — “p4$$w0rd” is as easy to crack as “password.”

    • Go beyond QWERTY: Avoid using memorable keyboard paths like “qwerty” or “asdf”. These are no harder to crack than regular words.
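A signup or password-change form can screen for the weak patterns listed in the two sections above. The checker below is an added example, not code from the article or from any Avast product; the deny-list is a constructed three-word sample, and the four-character run length is an assumption.

```python
import re

# Undo the common "leetspeak" swaps the article mentions before matching words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "@": "a"})
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789"]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed sample deny-list; a real one holds many thousands of entries.
COMMON_WORDS = {"password", "letmein", "welcome"}


def has_run(text, sources, n=4):
    """True if text contains n consecutive characters of any source,
    read forwards or backwards (e.g. "abcd", "4321", "fdsa")."""
    for src in sources:
        for s in (src, src[::-1]):
            if any(s[i:i + n] in text for i in range(len(s) - n + 1)):
                return True
    return False


def weak_reasons(password, username="", personal=()):
    """Return the list of weak patterns found; an empty list only means
    none of these patterns matched, not that the password is random."""
    lower = password.lower()
    plain = lower.translate(LEET)          # "p4$$w0rd" -> "password"
    reasons = []
    if len(password) < 15:
        reasons.append("shorter than 15 characters")
    if re.search(r"(.)\1{3,}", lower):
        reasons.append("repeated characters")
    if has_run(lower, SEQUENCES):
        reasons.append("sequential letters or digits")
    if has_run(lower, KEYBOARD_ROWS):
        reasons.append("keyboard path")
    if any(word in plain for word in COMMON_WORDS):
        reasons.append("common word, even with character swaps")
    if len(username) >= 4 and has_run(lower, [username.lower()]):
        reasons.append("contains part of the username")
    if any(item and item.lower() in lower for item in personal):
        reasons.append("contains personal info")
    return reasons


if __name__ == "__main__":
    for candidate in ["p4$$w0rd", "qwerty12345", "banana-glasses-mason-notepad"]:
        print(candidate, "->", weak_reasons(candidate) or "no listed pattern found")
```
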

    Use passphrases

    Chain multiple words together to create extra-long passphrases that are highly resistant to dictionary attacks and standard brute force attempts. You can link the words with hyphens, periods, or underscores.

    [Illustration: An example of an unsecure password vs a secure passphrase.]

    The words in your passphrase should have no obvious connection to each other as password cracking software may guess related words. For example, the passwords “this-is-my-password” and “pride-and-prejudice-and-zombies” are not as secure as random words strung together. Connect random words, such as “banana-glasses-mason-notepad”, to stump hackers.

    The best password methods (and good password ideas)

    Password methods that are hard to crack include obscure passphrases, mnemonics, and the sentence method. Use them to stump hackers, whether you’re updating your login credentials online or password-protecting files and folders on your PC.

    Here are some of our favorite ways to create strong passwords:

    The obscure passphrase method

    This technique takes the passphrase approach and elevates it a few security notches. Outsmart hackers by choosing uncommon, random words in your passphrase, such as proper nouns, historical figures, archaic words, or even words in multiple languages.

    Help yourself remember your new passphrase by building a memorable story out of the words you choose.

    Examples

    Consider the following passphrase: SunTzu-cheesesteak-transistor-Christmas-obrigado. Perhaps the great military strategist Sun Tzu had such a penchant for cheesesteak sandwiches, he received a transistor-powered cheesesteak maker for Christmas, for which he expressed his thanks in Portuguese.

    To make your password even stronger, add symbols and characters between the words or in place of some letters. For example: SunTzu>chee$esteak-transistor?Christmas-0brigado.

    Leetspeak in a passphrase can be fine, since passphrases are generally very long and use random words.

    The sentence method

    Created by cybersecurity expert Bruce Schneier, the sentence method transforms a sentence into a password using a given rule that you create. For example, you might pull the first two letters from each word in your sentence, then string them together for your password.

    Examples

    “Nebraska is hands-down my favorite Bruce Springsteen album” then becomes Neisha-domyfaBrSpal. Note how we’ve picked a sentence that includes punctuation as well as multiple uppercase letters, just for a little added safety.

    Similarly, “May is the fifth month of the year” could become MaISth5mo0FthY and “Friday is for partying all night long!” could become Fris4parAlNitLO!

    The muscle memory method

    Muscle memory is when you reinforce neural pathways through repetition of movements. To put it simply, it’s about typing your password so many times that your muscles remember what to do without thinking.

    Avast’s Random Password Generator can help you create a random password until you get one that you feel comfortable with, then practice typing it until it becomes routine. Next time you log in, the keystrokes will come easily. Just be sure that you avoid using a password that’s too easy to remember — if it’s easy for you to recall, chances are, it’s easy for others to guess too.

    If you use multiple devices to access your online accounts, it’s a good idea to practice your password on each one, as your movements may differ on a phone or tablet versus a computer.

    Ideally, practice only in an actual login field to avoid saving a copy of your password accidentally.

    Examples

    If you’re using the muscle memory method, it’s important to strike a balance between the password being complex and one that you'll actually be able to remember. Using a random password generator means that examples will all be extremely varied, such as !YRo]0caPRgW, Qk7b9jxbHn1ZV8f, and p;0c0K)Tw2JP.

    The mnemonic method

    The mnemonic method consists of assigning a word to each character in a password to help remember it. For example, the colors of the rainbow (red, orange, yellow, green, blue, indigo, violet) are often remembered as “Roy G. Biv.”

    To create a mnemonic, split the password into letters or chunks of 2 to 4 character pieces. Translate each chunk into a sound, image, or word. Add rhythm, alliteration, or rhyme to glue it together.

    You can use case, numbers, and symbols as memory prompts, such as:

    • Capital letters can be used to denote a proper noun or shouted word.

    • Numbers can be used in place of letters or for rhymes and pegs, such as 2=shoe or 4=door.

    • Symbols can be used as word placeholders, such as @ for “at”, ! for “bang”, or ( for “open.”

    Examples

    The strong password uJkn@a4tpf>otfl0! could be remembered as “Uncle Jay knocked at a door, then promptly fell right on the floor. Ow!” Or 4#sh;mq!aV@l could be “Four bangs heard; my queen! A victory at last!”

    The ISO code method

    This method involves using the ISO code from various countries and mixing them together into one long string. An ISO code is an international code that represents a country and its subdivisions. For example, the ISO code for America is USA, while the United Kingdom goes by GBR.

    Try using the codes from the last five countries that you visited to make your memorable password. If you like this method, you can continually update your password based on new places you or loved ones visit, either by adding ISO codes or by replacing the oldest country with the newest.

    Alternatively, you can use countries that are on your bucket list, you have an interest in, or are chosen completely at random.

    Tip: Random countries are a good idea if you share frequent travel updates on social media, as a hacker could easily work out your recent destinations.

    Examples

    The last five countries I visited, for example, were Spain, China, Australia, Canada, and Egypt. Using the ISO codes from these nations, my password could be: ESPCHNAUSCANEGY. To make it more secure, I could use both upper and lower cases and symbols or number replacements, such as E5PCHnAuSC^N3&Y.

    If I then travel to Norway, I might replace the country I visited the longest ago and update to: NORCHnAuSC^N3&Y.

    The math method

    The math method uses equations to create a strong password. This doesn’t mean throwing in random numbers and symbols, but making the password itself follow a logical outcome.

    You can also use abstract equations — math-adjacent logic or cause-and-effect you know to be true — to make a unique, memorable password, especially if it ties to your interests or life.

    In other words, the password should read like an equation, with inputs, an operator, and a result:

    • Inputs: the numbers, objects, or concepts you combine.

    • Operator: the action between them (such as +, -, x, /, or the word forms).

    • Result: the outcome.

    Examples

    A simple math method password could look like 539+98=sixhundred&thirtyseven.

    Alternatively, you may wish to get more creative by having something like soccerteam+redcard=10. This works because there are 11 players on a soccer team, but if one is sent off with a red card, there will only be 10 left.


    Did you know?
    If a password method relies on a predictable pattern, it’s not secure. That’s why we didn’t include the keyboard pattern method or the vowel-swap method in this section. These two methods look clever at first glance, but they’re really just tiny, easily crackable ciphers, which means lower password entropy and far weaker protection.

    How to keep passwords private

    The best and easiest way to keep your passwords private and protect your data is to use a complex password unique to each account, and keep track of them with a password manager.

    Here are additional ways to protect your passwords:

    Lock down your email

    Your first step is to make sure that your email hasn’t been breached. If someone can get into your inbox, they may be able to reset your existing passwords by clicking “Forgotten password?” All they need to do is wait for the reset link to arrive in your inbox.

    Use Avast Hack Check to see if any passwords associated with your email address have been leaked. If they have, change those and the password to your email account immediately.

    [Image: The frequency of data breaches, January-September 2025. Source: Gen Threat Report, Q3 2025]

    Data breaches happen all the time, often with stolen data put up for sale to other cybercriminals on the black market. Avast Hack Check checks public data breaches and monitors the dark web for your email address. However, it only provides a snapshot at the moment you run it. For ongoing data breach monitoring and extra security tips to help keep your data safer, use a tool like Avast BreachGuard.

    Be careful who you trust

    It’s become standard practice for websites to encrypt their users’ passwords, so that even if hackers manage to breach their databases, they’ll still need to decrypt the stolen information in order to use it. Any website still storing passwords as plain text has no business operating on today’s internet.

    Warning signs for websites with weak password security include the password appearing on your screen after you confirm it or the “forgot password” option sending you a copy of your password rather than a reset link. If you suspect your password is not secure, delete your account on the offending website and change all your passwords.

    You also shouldn’t input any login credentials or sensitive personal information into a website that’s using HTTP instead of HTTPS. HTTPS is the most secure and up-to-date protocol for encrypting data in transit.

    Use two-factor authentication

    Now standard as a security practice, two-factor authentication (2FA) adds layers of protection to your login by requiring more than just your password. Common authentication measures include codes sent via SMS, a mobile authentication app, a fingerprint or face scan, or a physical token.

    Should a hacker obtain your password, they’ll still need to overcome at least one more obstacle before gaining entry. In fact, according to Microsoft, enabling multi-factor authentication (like 2FA) on an online account blocks 99.9% of account compromise attacks.

    Note that SMS-based 2FA is typically the least secure option, because text messages can be spoofed or intercepted. The FBI has issued warnings about text-based 2FA after hacking group Scattered Spider bypassed login security by adding new 2FA devices to user accounts. Instead, opt for an authentication app.

    FIDO-certified security keys

    Physical security keys are among the most secure MFA methods. They’re available in USB, NFC and Bluetooth versions, granting access only to the bearer of the key. In this way, they’re much more secure than SMS verification, so long as you don’t lose your key.

    Passkeys are a related, passwordless sign-in method that uses your phone or laptop as the authenticator.

    The FIDO Alliance is the industry group that defines and certifies the open standards behind both security keys and passkeys. Use services that support FIDO passkeys, such as Google, PayPal, and Amazon, for high-degree authentication and protection.

    Follow password security best practices



    • Use a VPN on an unsecured Wi-Fi network: Using a VPN when accessing free public Wi-Fi, for example at an airport or cafe, adds an extra layer of protection against rogue networks and snoops, helping to prevent eavesdroppers from intercepting your login credentials.

    • Don’t share your password in plain text: Never email or text anyone your password, because these messages can be easily intercepted and leave permanent records attackers can mine later.

    • Choose hard-to-guess security questions: There’s a lot of information about you on the internet. If you’re asked to create security-verification questions, don’t pick the options that could easily be answered with a quick search of your social media accounts or other public information.

    • Use a strong antivirus program: If the worst happens, and a hacker obtains your password, a great antivirus software can help keep you protected against malware and other threats, like scams.

    • Use a password manager: Storing your passwords safely with a trustworthy password manager makes it easier to use unique and complex combinations of characters.

    • Use a secure browser: Download a trusted privacy browser for an extra layer of protection when surfing the web. Privacy browsers help block trackers and risky ads or websites.

    Regularly changing passwords used to be commonplace, but is no longer recommended. NIST now advises account providers only to force a password change when there is evidence the authenticator has been compromised. While the NIST documentation is targeted at organizations working with government information systems, it is widely used as an industry standard.

    Alternatives to strong passwords

    Instead of using traditional passwords to access your accounts, some organizations or site administrators use alternatives such as Single Sign-On and passwordless authentication.

    Single sign-on (SSO)

    SSO is a technology that allows an identity provider (IdP) to verify you once and issue login tokens to other approved apps. In many businesses, Microsoft Entra ID is the IdP and lets users seamlessly sign into Teams, SharePoint, and third-party apps such as Salesforce without re-entering credentials. SSO doesn’t remove the need for great passwords, but can help indirectly protect a good password because you won’t have to remember it every time you sign in.

    Passwordless authentication

    This refers to any method that lets you access your accounts without inputting a password, typically something you are or have. Something you “are” refers to biometric authentication, such as Face ID on iPhones or Touch ID on MacBooks. Something you “have” refers to authentication apps, smart cards, or device-based smart keys.

    How does a password get hacked?

    A cybercriminal can obtain your password by using specialized cracking software, sending phishing messages, or scouring your social media posts for clues. But often, they’ll simply buy your passwords on the dark web.

    Password hacking is a lucrative business, and if you’ve been using the same password for years and on multiple sites, it’s likely to have already been compromised. Hackers will steal user credentials as part of a data breach, compile all the info into a massive list, then sell it to other cybercriminals to use in their own schemes.

    Here are the main password cracking methods used by cybercriminals:

    Brute force attack

    A brute force attack is when hackers try one password after another until they finally land on yours. They often use powerful software to automate the task. Brute-force programs are laser-focused on spitting out as many combinations as they can to discover your password as quickly as possible.

    In 2025, SC Media reported on a brute force attack that used nearly 2.8 million IP addresses daily to guess VPN credentials of corporate networks such as SonicWall and Palo Alto Networks.

    Back in 2012, security expert Jeremi Gosney demonstrated a bespoke computer called a 25-GPU cluster that was able to generate 350 billion password guesses per second. It took the software six hours or less to crack any 8-character Windows password comprising uppercase and lowercase letters, numbers, and symbols. With it, he was able to obtain the passwords of over 90% of LinkedIn’s user base at the time.

    Since then, there’s been a significant push toward longer passwords. Each additional character multiplies the total number of possibilities exponentially (again: higher password entropy), making brute force attacks more difficult to achieve. In fact, truly randomized passwords of 15 or more characters may take hundreds or thousands of years to crack.
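The entropy claims above and in the passphrase section can be checked with a few lines of Python. This is an added example, not code from the article: it draws passphrases and passwords from the operating system's CSPRNG, reports their entropy, and estimates exhaustive-search time at the 350 billion guesses per second quoted above. The 32-word list is a constructed sample, and the 7,776-word figure is the size of the EFF long wordlist.

```python
import math
import secrets
import string

# Guess rate of the 2012 25-GPU cluster cited in the article. Assumes an
# offline attack on a fast hash; slow password hashes lower the rate a lot.
GUESSES_PER_SECOND = 350e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed 32-word sample so the block runs offline. Far too small for
# real use: published diceware-style lists hold thousands of words.
WORDS = ["banana", "glasses", "mason", "notepad", "anchor", "velvet",
         "cactus", "lantern", "pebble", "orbit", "walnut", "ferry",
         "quartz", "saddle", "tulip", "magnet", "harbor", "igloo",
         "jigsaw", "kettle", "lizard", "mitten", "nectar", "oyster",
         "pillow", "radish", "sponge", "thimble", "umpire", "violin",
         "wagon", "zipper"]


def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent, uniform choices from `pool_size`."""
    return picks * math.log2(pool_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate (the average is half)."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def random_passphrase(words, count=6, sep="-"):
    """Pick words with a CSPRNG; return the phrase and its entropy."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return sep.join(chosen), entropy_bits(len(words), count)


def random_password(length=15):
    """Random string over the 94 printable ASCII characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    phrase, bits = random_passphrase(WORDS)
    print(f"{phrase}: {bits:.1f} bits (sample list is too small)")
    cases = {
        "8 random characters": entropy_bits(94, 8),
        "15 random characters": entropy_bits(94, 15),
        "6 words from a 7,776-word list": entropy_bits(7776, 6),
    }
    for label, b in cases.items():
        print(f"{label}: {b:.1f} bits, {years_to_exhaust(b):.3g} years")
```

The entropy figures only hold when every word or character is chosen at random; a passphrase made of related or hand-picked words has far less entropy than the formula suggests.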

    Dictionary attack

    Dictionary attacks are a type of super-optimized brute force attack. Rather than hitting you with random strings of characters, the attacker generates passwords made from a predefined set of words. If your password is a single word, you’ll quickly fall victim to a dictionary attack.

    If you like using standard words for your passwords, string a few together into a passphrase. Using this technique allows you to create strong password examples that can stump many dictionary attacks. The words in your passphrase must be completely random, or else password cracking software may be able to guess what they are.

    [Illustration: Your passphrase should include random, unrelated words, or password cracking software can quickly guess it.]

    AI password guessers

    Dark AI tools have proliferated in recent years as the technology has entered public life at a rapid rate. One dangerous application of AI that hackers have made use of is password crackers.

    These AI password crackers run through thousands of potential password combinations at lightning speed in order to hack into a specific account.

    In 2023, researchers provided an AI password guesser with 15.6 million password examples and found it was able to crack 51% of passwords in less than a minute as a result. However, they also found that an 18-character password with numbers, letters (upper and lower case), and symbols is almost unbreakable.

    Phishing

    Often conducted over email, phishing attacks are communications disguised as though they’re coming from a trusted source, such as a financial institution, well-known website, or even a senior member of the organization where you work. You might be asked to enter your login details on a pharming site that closely resembles the real one — a new phishing tactic referred to as a VibeScam because the fake site “passes the vibe check” — handing over your password to the cybercriminals.

    These attacks use social engineering techniques that manipulate you into acting without thinking. Unfortunately, many phishing victims have no idea that something’s gone wrong until it’s too late.

    And email isn’t the only phishing vector. Phone calls (and phone spoofing) are still popular, as are text messages and social networks. Many robocalls, especially those regarding credit cards or financial accounts, are actually the first strike in a phishing scam.

    Credential stuffing attack

    A credential stuffing attack is when a hacker uses your login credentials from one account to gain entry to your other accounts. While brute-force attacks rely on password trial and error, credential stuffing reuses a known password across multiple accounts.

    Credential stuffing attacks are a highly effective hacking technique against victims who reuse the same login details for multiple accounts. This is why it is important to have unique passwords for every account. If a hacker gets access to one account, they may essentially have access to all.

    The credential stuffers may have got one of your account passwords from a dark web marketplace, through a previous phishing scam, or with malware like a keylogger, which records what you type.

    Protect your accounts with Avast BreachGuard

    Strong passwords can’t help if a site leaks your data, but they can be the difference between an account getting hacked or not. Cybercriminals trade logins on the dark web, but Avast BreachGuard continually monitors the web to detect your data and alerts you when your account logins appear, allowing you to take quick action to protect the rest of your online accounts.

    Download BreachGuard to see your unique privacy score with practical tips to improve it, automatically request data brokers to remove your data, and get expert advice if your details are exposed.

    Ellie Farrier
    19-11-2021