6 Tips for Creating Super-Strong Passwords

Still using ABC123 or password35? No more! Here’s how to protect your accounts from cybercriminals


[Animation: a series of images showing passwords that are weak, moderate and strong. Credit: AARP]

Cybercrimes have skyrocketed in recent years: The FBI’s Internet Crime Complaint Center announced $16 billion stolen through online crimes in 2024. And those are just reported losses; scams and fraud are notoriously underreported, so the number is likely far higher.

Unfortunately, many of us inadvertently assist these criminals by using easily crackable passwords. We’ll reuse the same passwords over and over, or choose obvious terms like a pet’s or a child’s name (or, worse, something like 1234abcd), instead of taking recommended safety measures, such as using passwords at least 12 characters long and a complex combination of letters, numbers and symbols.

One key solution is to use a password manager app, which generates random, complicated passwords to log in to online accounts. Browsers such as Google Chrome, Apple Safari, Microsoft Edge and Mozilla Firefox have built-in password managers and will prompt you to let them generate complex passwords for you. Most commercial password manager apps, such as subscription-based 1Password, Bitwarden, Dashlane, Keeper Security and LastPass, have the same feature.

Otherwise, follow these rules to create unique, secure passwords to store your information safely.

1. Be unpredictable in your keystrokes

Choose random words instead of those in a well-worn dictionary. Cybercriminals often run programs that cross-reference dictionaries to crack passwords. If you would play the word in a game of Scrabble, don’t use it as a password.

Avoid personal details, too. Steer clear of birthday or anniversary dates to unlock your smartphone or gain access to sites. Cybercriminals get clues by looking at social media posts or phishing for information through bogus emails.

Don’t opt for often-used, far too simple combinations such as 123456, password, admin, 1234, UNKNOWN, 12345678, 123456789, 12345, abc123 and Password.

2. Embrace variety

Never repeat the same password, even if it’s super strong like f!P%^&TRf04. If you use the same password on multiple accounts and your system is breached, cybercriminals not only know your password but also can figure out all the sites and apps you visit.

Also avoid using repetitive letters or numbers to make a password longer. Password may be weak, but so is paaaassword. Sequential numbers and letters, such as qwerty, the top row of letters on an English-language keyboard, have the same problem. Don’t add the next four letters either: qwertyuiop.

3. Use at least 12 characters, including your keyboard’s special characters

At least 12 characters is ideal; 20 characters is even better. 

Don’t limit yourself to lower- and uppercase letters and numerals. You can use punctuation marks and other symbols to make it a lot less likely that a criminal will guess your combination (think &, @, $, etc.). 

Some can work as replacements for letters. For example, D0m8inma$ter@ for “domain master” or G00denuf!1 for “good enough.” Have fun with it.
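The checks from tips 1 through 3, written out as an added example (not part of the original article): a short Python function that flags the common passwords listed above, repeated characters, keyboard or alphabet sequences, short length and missing character types. The keyboard rows beyond qwerty and the thresholds for a "repeat" (three in a row) and a "sequence" (four in a row) are assumptions; an empty result means none of these patterns was found, not that the password is unguessable.

```python
import re

# The often-used passwords the article lists in tip 1, lowercased.
COMMON = {"123456", "password", "admin", "1234", "unknown", "12345678",
          "123456789", "12345", "abc123"}
# Sequences to reject (tip 2); the rows beyond qwerty are an assumption.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz", "01234567890"]
MIN_LENGTH = 12  # tip 3

def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters of a known
    sequence, forwards or backwards (run length is an assumption)."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False

def check_password(pw):
    """Return a list of rule violations; an empty list means all pass."""
    problems = []
    if pw.lower() in COMMON:
        problems.append("common password")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if re.search(r"(.)\1\1", pw):  # same character three times in a row
        problems.append("repeated character")
    if has_sequence(pw):
        problems.append("keyboard or alphabet sequence")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if any(not re.search(c, pw) for c in classes):
        problems.append("missing lower/upper/digit/symbol")
    return problems

if __name__ == "__main__":
    # Sample passwords taken from the article's own examples.
    for sample in ["Password", "paaaassword", "qwertyuiop", "D0m8inma$ter@"]:
        print(sample, "->", check_password(sample) or "passes these checks")
```
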

4. Opt for a passphrase to create a longer, more memorable password

A passphrase can be easier to remember than random mixed characters. It can be a sequence of at least four words without spaces and something meaningful to you, such as myb!rDP0lly#1!, which loosely translates to “my bird Polly is No. 1.”

5. Consider a passkey for verification

A passkey verifies an app or website user through biometrics, such as a fingerprint or facial recognition, or by using a PIN or swiping to create a pattern. The method uses two keys: one that resides on the app or website and the other on the device accessing it.

  • Apple syncs its passkeys through its iCloud Keychain, a built-in password manager that allows user access on any Apple devices.
  • Google has passkeys through its Chrome browser and Android phones, synced to Google Password Manager.
  • Microsoft offers logins without passwords for Windows users to sign into Microsoft accounts using their face, fingerprint or PIN.

Also possible: A physical security key to log into important accounts.

6. Change your passwords periodically

Cybersecurity experts remain divided on the ideal frequency of modifying passwords, but most suggest every three months. Set a calendar reminder or think about it as part of your routine when the seasons change. If your account has been involved in a data breach or has been compromised in any way, of course, change it immediately.

This story, originally published Jan. 3, 2023, was updated with new password tips, statistics and advice.
