How to create a secure password: Rules, examples, and special characters
Posted on
by
Doris Muthuri

A secure password is long, unique, hard to guess, and not reused across accounts. Letters, numbers, and special characters all play a part, but length and unpredictability count for much more than tacking a symbol onto a weak password.
Most account trouble starts with small habits, like reusing one password everywhere or picking something short and easy to type. If a password like that turns up in a data breach, every account using it is open to whoever finds it.
This guide explains what makes a password secure, what special characters actually do, and how to create stronger passwords you can still keep track of, with clear examples throughout.
What is a secure password?
Meeting a website’s minimum requirements isn’t the same as being secure. Most passwords caught up in real breaches were weak ones to begin with: the 2025 Verizon Data Breach Investigations Report found that only 3% of compromised passwords met even basic complexity rules. The lesson isn’t that complexity is pointless. It’s that a capital letter, a number, and a symbol on their own won’t carry a password that’s short, obvious, or used in more than one place.
What makes a password secure?
No single trick makes a password secure: not a special character, not a number tacked on the end. Strength comes from a few things working together.
- Length: The longer a password, the harder it is to crack, because every extra character adds far more combinations to work through. Aim for at least 12 to 16 characters.
- Uniqueness: Give every important account its own password. If one is caught in a breach, the others aren’t exposed along with it.
- Hard to guess: Steer clear of common words, predictable patterns, and simple sequences like “1234” or “qwerty,” the first things attackers test.
- No personal details: Leave out anything someone could find or work out about you, such as your name, birthday, address, or a pet’s name.
- Safe storage: Even a strong password loses value if it’s written somewhere others can see it or shared with people who don’t need it. Using a password manager helps, keeping them in one place behind a single master password, so you don’t have to remember each one.
What are characters and special characters in a password?
A character is any single item you can type in a password: a letter, a number, a symbol, and on some sites a space. Password length counts these characters, so a 12-character password contains 12 of them.
A special character is one that isn’t a letter or number, such as a punctuation mark or keyboard symbol: !, @, #, $, %, &, *, or ?. Many websites require at least one, because it widens the range of possible passwords and rules out the simplest letter-only choices.
Special characters add range, but only as part of the bigger picture. That’s why “Password1!” is still weak: it’s short, built on a common word, and its capital, number, and symbol sit in the exact spots attackers check first. A special character does its job inside a long, unpredictable password, not as a flourish on the end of a weak one.
Practical tips for building a strong password
Attackers rarely guess passwords by hand. They run tools that test the most common passwords, leaked credentials, and predictable patterns first, then fall back on trying every combination. The longer and less predictable your password, the further down that list it sits, and the less likely it is to be cracked.
The tips below turn the principles above into something you can act on.
Use at least 12 to 16 characters
Length matters more than complexity. A long password is usually harder to crack than a short one filled with random symbols and numbers, which is why many security professionals recommend longer passwords or passphrases whenever possible. If you only change one thing about your passwords, make them longer.
Mix letters, numbers, and special characters
Use different types of characters in your password. A strong password can include uppercase letters, lowercase letters, numbers, and special characters.
Don’t rely on just one character type. A password made up of only letters or only numbers is usually easier to crack than one of the same length that uses a mix of characters. Many websites also require a combination of character types as part of their password rules.
Use a passphrase made up of unrelated words
A passphrase is a password made up of several words instead of a single word. Using unrelated words can make your password easier to remember without making it easy to guess. The words shouldn’t form a common phrase or have an obvious connection to each other. For structure, picture three or four unrelated words you can see in your mind, like a household object, an animal, and a color that have nothing to do with one another.
Think of a passphrase as a sentence that only makes sense to you. Random combinations are much harder for attackers to predict than common expressions, famous quotes, or song lyrics. The less predictable the words are together, the better.
Avoid personal information and common words
Attackers don’t start from scratch. They look for details connected to your life on social media, public profiles, and past data breaches, then try them first, so a name, birthday, phone number, address, or pet’s name is easier to guess than it feels. Anything someone could turn up in a quick search is a weak foundation. Plain dictionary words on their own are worth avoiding too, since they’re among the first things automated tools try.
Create a unique password for every account
Use a different password for every account you own. If attackers get hold of one password through a data breach, phishing attack, or malware infection, they will often try the same password on your other accounts. This is known as credential stuffing, and it’s one of the most common ways attackers gain access to multiple accounts.
Keeping passwords unique limits the damage if one account is compromised. If attackers gain access to one password, they won’t automatically have access to everything else.
Avoid common password patterns and substitutions
When creating a password, avoid following familiar formulas. Attackers don’t just guess passwords. They also look for common patterns that millions of people use. Examples include adding a number at the end of a password, putting a capital letter at the beginning, or using the current year, such as Summer2026 or Welcome123. Keyboard patterns fall into the same trap, like qwerty, asdf, or a straight run of side-by-side keys.
Simple substitutions can also be predictable. Many people replace letters with similar-looking characters, such as a with @, e with 3, or s with $. Password-cracking tools are designed to recognize these substitutions and test them automatically. The less predictable your password structure is, the harder it becomes for attackers to guess how it was created.
Secure password examples and what makes them stronger
Seeing how a stronger password is built makes it easier to understand what separates it from a weak one. The patterns below take different approaches, but they all follow the same security principles. Use them as a guide for building your own.
| Password structure | What makes it stronger |
| Four unrelated words, each capitalized, with a number and symbol worked in ((River7Lantern!TigerCoffee) | Unrelated words are harder to predict than a common phrase or a single word. |
| The first letter of each word in a sentence only you would know, with a few numbers and symbols mixed in | Turns a sentence you can remember into a string that looks random, so it’s hard to guess but easy to recall. |
| Several words joined by special characters spread throughout, not just one at the end (Coffee!banana$ morning&river@Grace) | Spreading symbols through the password makes it harder to crack than adding a single symbol on the end. |
| Six or more unrelated words linked with hyphens (June-stay-true-Lantern-light-tuesday) | Length alone carries this one. Six words are hard to guess even without numbers or symbols, and easier to remember than a random string. |
Common password mistakes to avoid
Even a strong password is only as safe as the way it’s handled. These habits put accounts at risk even when the password itself is well built.
- Reusing your email password on other accounts: Your email is where password resets land, so anyone who reaches it can reset the password on your other accounts and lock you out. Give your email its own password and don’t reuse it anywhere else.
- Keeping a password after a breach notice: When a service warns that your details may have been exposed, the old password should be replaced, even if nothing has happened yet. Change it on that account, and anywhere else you use it, as soon as you hear.
- Sharing passwords with others: Shared passwords increase the number of people who can access an account and make it harder to control who has access over time. While sharing is common in some households and workplaces, security experts generally recommend using separate accounts or approved sharing features when available.
- Storing passwords in unsecured locations: Saving passwords in unprotected notes, documents, or messages exposes them if your device is lost, stolen, or compromised. In 2025, researchers reported the discovery of roughly 16 billion exposed login records collected from infostealers and previous breaches, highlighting the risks of credential theft.
Use a password manager to make secure passwords easier to manage
One of the biggest challenges with password security is remembering a different password for every account. As your number of accounts grows, it becomes tempting to reuse passwords or choose simpler ones that are easier to remember.
A password manager takes that pressure off. Instead of memorizing dozens of passwords, you only need to remember one master password. The password manager then does the rest:
- Stores all your passwords in one place
- Creates a unique password for every account
- Generates long, random passwords automatically
- Fills in passwords when you sign in
- Keeps track of passwords you rarely use
This makes it easier to follow good password habits without relying on memory alone, so you end up with stronger passwords across every account and spend less time managing them. Your master password is the one to get right, since it protects all the others.
Strong passwords are only one part of account security
A strong password is one of the best ways to protect your accounts, but it can’t stop every threat. Attackers also use phishing emails, fake websites, malware, and other tactics to steal passwords or trick people into handing them over. That’s why a strong password works best alongside other security habits.
- Turn on two-factor authentication (2FA): Two-factor authentication adds a second verification step when you sign in. Even if someone steals your password, they still need that second factor to get in.
- Watch out for phishing scams: Attackers send emails, text messages, and fake login pages built to trick you into revealing your password. Always check that you’re on a legitimate website before entering your details.
- Keep your Mac and apps up to date: Software updates often include security fixes that close the vulnerabilities attackers exploit.
- Be careful with downloads and links: Malicious files, fake software, and suspicious links can install malware that steals passwords or other sensitive information.
- Use security software to catch what passwords can’t: A strong password won’t stop malware built to steal your login details. Intego Antivirus detects and removes malware, spyware, malicious downloads, and other threats that could put your passwords and personal information at risk.
Building better password habits
A strong password doesn’t need to be impossible to remember, but it should be long, unique, and hard for anyone else to guess. Leave out personal information and common words, and don’t reuse the same password across accounts. That way, if one account is ever caught in a data breach, the leaked password won’t open any of your others.
Creating better passwords doesn’t require complicated rules or random strings you’ll forget tomorrow. Focus on the fundamentals from this guide: use a different password for every account, lean on a password manager so you don’t have to remember them all, and make these habits part of how you go online.
Frequently asked questions
What is a special character in a password?
A special character in a password is a symbol that isn’t a letter or number. Special characters can make a password harder to guess when they’re used as part of a long, unique password.
How long should a secure password be?
A strong password should be at least 12 to 16 characters long. Longer passwords are generally harder for attackers to crack, which matters more than how many symbols or numbers you add.
Is a longer password better than a more complicated password?
Yes. In most cases, a longer password is more secure than a shorter password with lots of symbols and numbers. Length increases the number of possible combinations attackers have to crack, which makes the password much harder to break.
Should I use the same password for multiple accounts?
No. Using the same password for multiple accounts creates a single point of failure. If an attacker discovers that password through a data breach, phishing attack, or malware infection, they can access every account that uses it. A unique password for each account helps contain the damage if one account is compromised.
When should I change my password?
You should change your password immediately if you think it has been exposed, stolen, or used by someone else. Signs include a data breach notification, suspicious account activity, unexpected password reset emails, or logins from unknown devices or locations.
Do I need special characters in every password?
Not necessarily. A long, unique password is more important than including special characters. However, adding special characters can make a password harder to guess and may be required by some websites or services.
Can a password contain spaces?
Yes, many passwords can. Using spaces between unrelated words helps create a long passphrase that is both secure and easier to remember. Just keep in mind that some websites and apps don’t allow spaces in passwords.
What is the difference between a password and a passphrase?
A password is usually a shorter combination of letters, numbers, and symbols, while a passphrase is a longer sequence of words or a full phrase. Because passphrases are typically much longer, they can be easier to remember and harder for attackers to crack.