A password like “123456” is guessed in less than a second. A password based on a personal phrase of 16 characters resists for centuries. The difference? A few tricks you are about to discover.
Password security is the foundation of your online safety. But creating a “strong” password does not mean creating something impossible to remember. There are simple methods, approved by security experts, that let you create passwords that are both robust and memorable.
Why your current passwords are probably too weak
The most used passwords
According to the annual NordPass study (November 2025), the most common passwords remain: 123456, password, qwerty123, and similar. These are the first ones tested by automated hacking software — guessed in less than a second (source: Hive Systems “Password Table”, 2025).
The real security criterion: length
Contrary to popular belief, it is not complexity (capitals, numbers, symbols) that makes a password strong, but primarily its length. The NCSC recommends three random words; the ANSSI recommends a minimum of 12 characters.
- 8-character password with letters, numbers and symbols: cracked in hours
- 12-character password with letters only: cracked in years
- 16-character password: cracked in centuries
The passphrase method: simple and effective
How it works
Step 1: Choose a personal phrase you will not forget.
- “My grandson Lucas turned 7 in March”
Step 2: Take the first letter of each word, keeping numbers and punctuation.
MgLt7iM
Step 3: Add a special character to strengthen it.
MgLt7iM!
Concrete examples for seniors
| Personal phrase | Password | Length |
|---|---|---|
| “Every morning I walk Rex in the park at 9” | EmIwRitp@9 | 10 chars |
| “My daughter Sophie lives in York since 2015” | MdSliYs2015! | 12 chars |
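The passphrase steps above, combined with the length rule from earlier in the guide, as an added Python example that is not part of the original page: it derives the password from a phrase, checks it against the 12-character minimum and the common passwords the page names, and estimates the worst-case exhaustive-search time. The guess rate of 10^11 per second and all function names are assumptions made for this illustration.

```python
import string

GUESSES_PER_SECOND = 1e11   # assumption: offline cracking rate, a constructed figure
MIN_LENGTH = 12             # minimum length the page attributes to ANSSI
COMMON = {"123456", "password", "qwerty123"}  # common passwords named on the page


def acronym(phrase):
    """Steps 1-2: first letter of each word; numbers are kept whole."""
    parts = []
    for word in phrase.split():
        token = word.strip(string.punctuation)
        if token:
            parts.append(token if token.isdigit() else token[0])
    return "".join(parts)


def alphabet_size(password):
    """Number of symbols an exhaustive search has to try per position."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return max(size, 1)  # characters outside these classes are not counted


def brute_force_seconds(password):
    """Worst-case time to enumerate every string of this length and alphabet."""
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND


def audit(password):
    """Return the guide's rules that the candidate password breaks."""
    findings = []
    if password.lower() in COMMON:
        findings.append("on the common-password list")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


if __name__ == "__main__":
    # Candidates built from the phrases used as examples on the page.
    for phrase in ("My grandson Lucas turned 7 in March",
                   "My daughter Sophie lives in York since 2015"):
        candidate = acronym(phrase) + "!"   # step 3: append a special character
        hours = brute_force_seconds(candidate) / 3600
        print(candidate, len(candidate), f"{hours:.3g} h", audit(candidate))
```

Run on the page's own phrases, the seven-word phrase gives an 8-character password that falls under the 12-character minimum, while the phrase containing a four-digit year reaches 12. The time estimate treats every character as random, so it is an upper bound for passwords built from guessable phrases.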
The 3 random words method
The UK’s NCSC recommends choosing 3 words with no link between them (source: NCSC “Three random words” guide, 2025).
Examples:
- tulip-radiator-wednesday
- chocolate-umbrella-jupiter
- cherry-tramway-library
These passwords are long (25-30 characters), extremely resistant to cracking, and easy to remember through a mental image.
Password managers: the solution for remembering nothing
What is it?
A password manager stores all your passwords in an encrypted digital vault. You only need to remember one master password.
Bitwarden: free, simple and recommended
- Free for personal use
- Open source: publicly audited code
- Available on computer, phone and tablet
- Simple: integrates with your browser and auto-fills passwords
How to install Bitwarden
On computer: Go to bitwarden.com > Create a free account > Choose your master password (use the passphrase method!) > Install the browser extension
On phone: App Store or Play Store > Search “Bitwarden” > Install > Log in
Choosing a good master password
Use a long passphrase: “My Bitwarden vault protects my 25 accounts since 2026” > MBvpm25as2026!
Write it on paper, keep it safe. Once memorised, destroy the paper.
What you must never do
- Use the same password everywhere — if one site is breached, all accounts are compromised
- Write passwords on a Post-it stuck to the screen
- Send a password by email or text — these channels are not secure
- Use a single dictionary word — cracked in seconds
- Trust security questions — “pet’s name?” is often findable on social media
Two-factor authentication: extra protection
Two-factor authentication (2FA) adds a security layer beyond the password. When you log in, the site sends a code by text or to an app. Even if someone knows your password, they cannot log in without this code.
Where to enable it first
- Your main email (the key to all other accounts)
- Your online banking
- Your health service accounts
- Your social media (Facebook, WhatsApp)
Check if your passwords have already been stolen
The site haveibeenpwned.com lets you check for free if your email appears in breached databases.
- Go to haveibeenpwned.com
- Enter your email
- The site tells you if your data has been compromised
If your email appears, immediately change the password of the affected service and all accounts using the same password.
Summary: the 5 rules to remember
- A different password for each important site (bank, email, health, tax)
- Minimum 12 characters — use the passphrase or 3 random words method
- Never share a password by email, text or phone
- Enable two-factor authentication on sensitive accounts
- Use a password manager (Bitwarden, free) if you have many accounts
Editorial note
Sources consulted: ANSSI 2024, NCSC “Three random words” 2025, CNIL 2024, NordPass 2025, Hive Systems 2025, Have I Been Pwned December 2024, 01net January 2026.
Limitations: Password cracking time estimates are based on current computing power and may change. Minimum length recommendations may increase in coming years.
Verification date: 26 March 2026
Conflicts of interest: none
Frequently asked questions
-
The NCSC (UK National Cyber Security Centre) recommends using three random words as a password. The ANSSI recommends a minimum of 12 characters. Longer passwords are harder to crack, even without special characters.
-
No, this is strongly advised against. If one site is breached and your password stolen, criminals will automatically try it on other sites (bank, email, etc.). Use a different password for each important account.
-
Two solutions: the passphrase method (create a different phrase for each site) or a password manager like Bitwarden (free) which remembers all your passwords for you. You then only need one master password.
-
A password manager is an app that stores all your passwords in an encrypted vault. Bitwarden, recommended by security experts, is free and open source. Your passwords are protected by military-grade encryption (AES-256).
-
Always use the 'Forgotten password' button on the relevant site. You will receive an email to create a new one. Never ask someone to recover it for you and beware of sites claiming to recover passwords.