The 5 Biggest Mistakes People Make When Creating Passwords

Replacing the letter "A" with an "@" symbol isn't fooling hackers. We expose the most dangerous, widespread password habits and give you actionable strong password tips to fix them.

The 5 Biggest Password Mistakes

Let's play a guessing game. You need to create a password for a new streaming service. The website tells you it requires at least one capital letter, one number, and one special character.

You think about your dog, Max. You capitalize the M. You add the year you were born, 1985. You finish it off with an exclamation point to satisfy the special character rule. You type Max1985! and the website gives you a green checkmark. "Strong Password," it says.

Here is the terrifying reality: A modern automated hacking rig, armed with a few high-end graphics processing units (GPUs), would crack Max1985! in approximately 3 seconds.

Human beings are incredibly predictable. We think we are being clever, but because our brains are wired to identify patterns, we all tend to use the exact same tricks when faced with password creation rules. If you want to protect your digital life, you have to stop thinking like a human and start thinking like a machine.

Here are the five biggest mistakes people make when creating passwords, and how to fix them today.

Mistake #1: The Illusion of "Leetspeak" Substitution

This is arguably the most common mistake on the internet. You take a normal word, like "Password," and you substitute letters for numbers or symbols that look similar.

Password becomes P@ssw0rd.

Sunshine becomes 5unsh1n3.

In the late 1990s, this was a decent strategy. Today, it offers absolutely zero protection. Why? Because hackers don't sit at a computer guessing passwords manually. They use software called "cracking dictionaries."

These cracking programs already know every single common substitution in existence. The algorithm doesn't just guess "Sunshine." It automatically calculates and tests 5unshine, $unsh1ne, and 5un5h1n3 in a fraction of a millisecond. If your password is just a dictionary word wearing a cheap disguise, the machine sees right through it.

Mistake #2: The Increment Trap

For decades, corporate IT departments gave terrible advice: "You must change your password every 90 days."

This led to a phenomenon called password incrementing. An employee sets their password to MiamiTech1! in January. In April, when forced to change it, human laziness kicks in: they simply change it to MiamiTech2!. In July, it becomes MiamiTech3!.

If an attacker breached the company in January and stole that first password, they don't even need to hack the system again in August. They just run a simple script that adds sequential numbers to the end of your old password, and they walk right through the front door.

This is why the National Institute of Standards and Technology (NIST) recently updated its official guidelines: stop forcing mandatory expiration dates. Only change a password if you suspect it has actually been compromised in a breach.
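The two mistakes above are exactly what a server-side password policy check should catch before a password is accepted. The following is an added example (not code from the original article), with a tiny constructed word list standing in for a real cracked-password dictionary: it undoes the leetspeak substitutions the page lists and compares a new password's core against the previous one to spot incrementing.

```python
import re

# Constructed mini dictionary; a real checker loads a large cracked-password list.
COMMON_WORDS = {"password", "sunshine", "welcome", "miamitech", "max"}

# Substitutions every cracking rule set already tries (the page's leetspeak examples).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "3": "e", "4": "a", "7": "t"})

def strip_suffix(lowered: str) -> str:
    """Drop the trailing digits/symbols people tack on (max1985! -> max)."""
    return re.sub(r"[^a-z]+$", "", lowered)

def dictionary_forms(password: str) -> set:
    """Every normalized form a rule-based cracker would test: case folded,
    leet undone, with and without the trailing digits/symbols."""
    lowered = password.lower()
    stripped = strip_suffix(lowered)
    return {lowered, lowered.translate(LEET_MAP),
            stripped, stripped.translate(LEET_MAP)}

def is_disguised_dictionary_word(password: str) -> bool:
    """Mistake #1: P@ssw0rd and 5un5h1n3 are still 'password' and 'sunshine'."""
    return any(form in COMMON_WORDS for form in dictionary_forms(password))

def looks_incremented(previous: str, candidate: str) -> bool:
    """Mistake #2: MiamiTech1! -> MiamiTech2! keeps the same core."""
    core = strip_suffix(previous.lower())
    return bool(core) and previous != candidate and core == strip_suffix(candidate.lower())

def check_password(candidate: str, previous: str = None) -> list:
    """Return the reasons a candidate should be rejected; an empty list means accept."""
    reasons = []
    if len(candidate) < 16:
        reasons.append("shorter than 16 characters")
    if is_disguised_dictionary_word(candidate):
        reasons.append("dictionary word with leetspeak or a numeric suffix")
    if previous is not None and looks_incremented(previous, candidate):
        reasons.append("increment of the previous password")
    return reasons
```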

Mistake #3: Prioritizing Complexity Over Length

Which password do you think is harder for a computer to crack?

  • Password A: rT5!p@X1 (8 characters, highly complex)
  • Password B: blueoceansundaysweater (22 characters, only lowercase letters)

To human eyes, Password A looks much more secure. But computers don't have eyes; they have math.

Because Password A is only eight characters long, a modern GPU cluster can brute force (guess every single possible combination of characters) the entire eight-character spectrum in a matter of hours.

Password B has zero numbers and zero symbols. But because it is 22 characters long, the mathematical possibilities jump into the trillions. It would take a supercomputer millions of years to guess every 22-character combination. In the digital world, length always defeats complexity.
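The comparison above can be carried through with the two passwords the page uses. This is an added example, not the article's own code: it computes the brute-force search space in bits, estimates the time to exhaust it at an assumed guess rate, and adds the caveat a practitioner wants, namely that a dictionary attack scores a password built from words per word rather than per letter (the 20,000-word list size is an assumption).

```python
import math

SYMBOLS = 33  # printable ASCII symbols, so 26 + 26 + 10 + 33 = 95 in total

def charset_size(password: str) -> int:
    """Smallest standard alphabet that covers every character actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size

def search_space_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))

def seconds_to_exhaust(password: str, guesses_per_second: float = 1e11) -> float:
    """Worst case for trying every string of this length and alphabet.
    1e11 guesses/s is an assumed figure for a multi-GPU rig against a fast,
    unsalted hash; a slow hash such as bcrypt cuts it by orders of magnitude."""
    return charset_size(password) ** len(password) / guesses_per_second

def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Caveat: a combinator/dictionary attack scores a password made of words
    per word, not per letter. With an assumed 20,000-word list, the four words
    in blueoceansundaysweater are about 57 bits, still above Password A's 52.6."""
    return word_count * math.log2(wordlist_size)
```

Password A comes out at about 52.6 bits and Password B at about 103.4 bits against brute force; even scored as four dictionary words, B still beats A.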

Mistake #4: The Recycling Bin

Most internet users have one "master" password that is incredibly strong, and they use it for their bank, their email, their Netflix account, and the random forum they signed up for to ask a single question about car repair.

This is called password recycling, and it is how massive identity theft actually happens.

Hackers rarely try to breach your heavily guarded bank account directly. Instead, they hack that small, poorly secured car repair forum. Once they steal the database, they have your email address and your password. They take those two pieces of information and run automated scripts testing them on Gmail, Chase Bank, PayPal, and Amazon.

Because you recycled the password, one breach on a tiny, irrelevant website compromises your entire financial life.

Mistake #5: Trusting the "Security Question"

When you set up a secure password, websites often ask you to choose a security question for account recovery. Things like:

  • What is your mother's maiden name?
  • What city were you born in?
  • What was the name of your first pet?

These are massive security vulnerabilities. Anyone who spends ten minutes looking at your Facebook, LinkedIn, or public property records can find out your mother's maiden name or your hometown. You are effectively replacing your 16-character secure password with a backdoor that can be opened using public information.

The Fix: Lie. When a website asks for your first pet's name, don't write "Buster." Write a completely random password like YellowTrain92. Treat the security question answer exactly like another password.

The Ultimate Fix: Passphrases & Generators

Human brains are terrible at creating randomness. The only true way to avoid all 5 of these mistakes is to completely remove your own brain from the password generation process.

You need to use a dedicated software utility to create your passwords. When setting up a new account, open a Password Generator, select a length of 16 to 20 characters, and let the algorithm spit out absolute mathematical chaos.

Once you generate it, run it through a Password Strength Checker just to verify its entropy (randomness). Then, save it in a secure, zero-knowledge password manager.

By automating the creation process, you ensure you never fall into the trap of using your dog's name, substituting an "E" for a "3", or recycling credentials ever again.
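What a generator like the one described above does, as an added example (not the article's or any product's code): it draws 16 to 20 characters from the OS cryptographic random source, rejects draws that miss a character class rather than forcing one in, and also builds the random-word passphrases discussed in the FAQ below. The symbol set and the eight-word sample list are constructed for the demo; a real passphrase needs a large list such as the EFF long list (7,776 words).

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"      # constructed; trim to what a site accepts
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Tiny constructed list for the demo; real use needs a list of thousands of words.
SAMPLE_WORDS = ["coffee", "stapler", "river", "carpet",
                "lantern", "pebble", "orbit", "velvet"]

def generate_password(length: int = 20) -> str:
    """Random password of 16..20 characters drawn with the OS CSPRNG (secrets),
    never random.random(), whose output is predictable."""
    if not 16 <= length <= 20:
        raise ValueError("choose a length between 16 and 20 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: retry until all four classes appear. Forcing one
        # character of each class into fixed positions would skew the distribution.
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate

def generate_passphrase(wordlist, word_count: int = 4, sep: str = "-") -> str:
    """Passphrase such as coffee-stapler-river-carpet; strength comes from the
    list size and word count, not from the words looking unusual."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))

def entropy_bits(choices: int, picks: int) -> float:
    """What a strength checker reports for a uniformly random pick."""
    return picks * math.log2(choices)
```

A 16-character password from this 84-symbol alphabet is just over 100 bits; four words from an 8-word list are only 12 bits, which is why the list size matters far more than the words themselves.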


Frequently Asked Questions

What is a "passphrase" and should I use it?

A passphrase is a sequence of random dictionary words (e.g., "coffee-stapler-river-carpet"). It leverages the "length defeats complexity" rule. Passphrases are incredibly strong mathematically, yet vastly easier for humans to type and remember than random characters. They are highly recommended for your master passwords.

Is writing my password on a piece of paper safe?

Surprisingly, yes, unless you live with untrustworthy roommates or you are a high-level corporate executive facing physical corporate espionage. A hacker in Russia cannot read a sticky note hidden beneath your keyboard. Physical paper is immune to digital malware.

How do I know if my old passwords fell into the recycling trap?

You can check databases like "Have I Been Pwned" (HIBP). You enter your email address, and they safely check it against thousands of known data breaches to see if any of your old accounts have leaked their passwords to the dark web.


Written by the Footprint Team

We build free, privacy-first online tools for everyone. Ditch your weak passwords and use our free Security Tools to stay safe online.