Australian technology news, reviews, and guides to help you

Pickr is an award-winning Australian technology news, reviews, and analysis website built to make technology easier for everyone. Find the latest gadget reviews, news, and more focused on the only ad-free tech site in Australia.

How to identify a bad password

If you use the word password, the numbers 1234, or a pet’s name, you have a bad password. How do you make a good password?

Passwords. You have to remember them for pretty much everything, and they’re needed for so much in life. Your bank. Your utilities. Your social. Your email. They are everywhere, and yet they are also the bane of so many existences.

That could be why so many passwords are just staggeringly bad.

Every year, a list of the world’s worst passwords comes out (at least one list), and so many of the passwords we use are so awful that it beggars belief that they persist.

The lists feature obvious entries like “123456” (numbers in succession), as well as the apt “password”, “qwerty” (like on your keyboard), “secret” (because all passwords are supposed to be), and a moment of tenderness: “iloveyou”.

Passwords are difficult, it seems, and hundreds of thousands to millions of people are getting them wrong.

Why is that?

Good passwords are difficult

The problem is that good passwords are complex, and weak passwords are unfortunately the norm. It’s a thing that hasn’t changed, and two years ago, research from Telstra indicated that Australians joined the world with their own weak passwords. They were the norm, in essence.

At the time, one in ten Australians were basing passwords on their favourite sports teams, something that could be found through their socials, instead of perhaps creating their own little code based on a phrase only they held secret and important.

Still today (in 2025), research from Vodafone suggests Australians are also using pet names, adding to the ease with which criminals could plunge into someone’s social feed and extract or guess passwords.

“Common and predictable passwords such as pet names and birthdays are easily cracked by cybercriminals,” said a spokesperson for Vodafone. “It is critical for Australians to create strong, unique passwords as well as enable technologies like two-factor authentication to protect themselves against online thieves.”

The problem is that “strong, unique passwords” are often difficult to make. They’re often nonsensical combinations of numbers, letters, punctuation and symbols. They don’t make any sense and often need to be stored in a password manager, either the one that’s stored in your web browser or in your operating system, if you happen to be using a recent version of macOS, for instance.

It’s a combination of password design and password storage that makes it difficult to change passwords, but it can be done. Your web browser might even be able to make it for you in the first place, storing and calling on passwords as and when you need them.

But first, you need to find out which of your passwords are bad. And for that, your web browser can help you.

Let your browser or computer tell you

You can quickly find which of your accounts have been in a breach using fellow Australian Troy Hunt’s excellent tool “Have I Been Pwned”, but your web browser can also likely help, as well.

Provided you’ve logged into a web browser, Chrome can tell you whether your passwords have been broken into, and so can the macOS password manager, specifically under the “Security” section, which will cite in red whether you have a “Compromised password” or in grey for a “Reused password”.

Either choice — browser, computer, or even a data breach checking website — can quickly reveal which passwords need changing, so how do you make them better overall?
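As an added illustration (not code from Pickr, Chrome or Apple), this Python sketch runs the same kind of audit locally: it flags entries from the worst-password lists quoted earlier, simple sequences, personal terms such as a pet or team name, and reuse across services. The vault contents and personal terms are constructed sample data, and the word list is only the handful of entries named in this article, so it has no knowledge of real breach data.

```python
from collections import defaultdict

# Entries the article quotes from worst-password lists, plus "1234".
COMMON = {"123456", "1234", "password", "qwerty", "secret", "iloveyou"}

def is_sequence(pw):
    """True for runs like 123456 or abcdef: each character one step after the last."""
    return len(pw) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))

def audit(vault, personal_terms=()):
    """Map each weak service in vault (service -> password) to its list of reasons."""
    findings = defaultdict(list)
    seen = defaultdict(list)  # password -> services that use it
    for service, pw in vault.items():
        low = pw.lower()
        seen[pw].append(service)
        if low in COMMON or "password" in low or "1234" in low:
            findings[service].append("common")
        if is_sequence(low):
            findings[service].append("sequence")
        # Pet names, teams and birthdays can be guessed from social feeds.
        if any(term and term.lower() in low for term in personal_terms):
            findings[service].append("personal")
    for services in seen.values():
        if len(services) > 1:  # one leak would expose every service listed
            for service in services:
                findings[service].append("reused")
    return dict(findings)

# Constructed sample data, not real credentials.
SAMPLE_VAULT = {
    "bank": "Rex2019",
    "email": "iloveyou",
    "forum": "123456",
    "social": "Tr0ub4dor&3x",
    "utilities": "Tr0ub4dor&3x",
    "shop": "vQ7#mL2pX9wz",
}
SAMPLE_PERSONAL = ["rex", "swans"]  # hypothetical pet name and sports team

if __name__ == "__main__":
    for service, reasons in sorted(audit(SAMPLE_VAULT, SAMPLE_PERSONAL).items()):
        print(f"{service}: {', '.join(reasons)}")
```

Services that pass every check, like "shop" in the sample, are left out of the result.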

How do you make a good password?

The problem with knowing you have bad passwords is being forced to replace each of them with a good one. And good passwords aren’t easy.

If you’re storing them in your browser, either using the browser’s own native password storage or a solution such as 1Password or LastPass, you can use the browser’s built-in password generators to create seemingly random and secure passwords that you won’t have to recall. It’s the same sort of thing when you’re talking about passwords on recent Macs, with the Passwords app built into macOS also working on iPhone and iPad, too.

But what if you want to build a password from scratch, or at least have it easy to recollect?

If you find yourself in this category, consider coming up with a phrase only you know, and changing some of the letters, adding some punctuation, and then ending it with the letters for the service you’re on.

It’s a deviation on an older password security tip, which would have you add letters specific to the service it was being used with so that the password was only used once.

For instance, if you needed a password for Facebook, and the phrase only you knew was “better to have been loved”, you might collapse it all with some letters and punctuation as “B3tt3rt0hav3!0v3D”, capping the first and last letters, making all uses of the letter “e” into a three (3), turning the “o” into a zero (0), and making an “l” into an exclamation point (!).

This would form your base password with your own cipher, so to speak.

From there, the password could be amended with a few letters defining the password for a specific service. With Facebook, it might be “B3tt3rt0hav3!0v3Dfb” or “B3tt3rt0hav3!0v3D-fb” to remind you that this password is specific to Facebook.

Google Mail might be “B3tt3rt0hav3!0v3D-gm” or “B3tt3rt0hav3!0v3D-goom”, with “gm” or “goom” representing Google Mail.

Modifying the password just that little bit makes each password unique, and means if it’s ever broken or leaked, only that one password is at risk, instead of every single website and service sharing the same password.

Will there be a day when passwords aren’t used?

Yubikey password security stick

It can be strange to constantly think about passwords, but with World Password Day occurring at the beginning of May as the first Thursday of the month, it’s no wonder it’s top of mind for some of us.

For the moment, passwords are largely what we have for our security, but that won’t always be the case.

Passkeys are taking over, both in the physical and digital sense.

Physical passkeys are a literal key, able to store your passwords, that you can attach to a keyring. Plug them in when you need a password to change hands, and instead of typing your password, you can let the physical passkey do the work. Business users might rely on them more regularly, but if you’re not a fan of recalling passwords, a physical passkey is easy, and can be used either by plugging in or simply exchanging using NFC.

Digital passkeys are a little different.

Much like how many services use multi-factor authentication to check with your phone before accepting just your password — a feature you should definitely have activated on as many services as possible — digital passkeys use your phone as the source of truth, or any other major device you own.

Passkeys effectively give your phone or another device in your possession a handshake to confirm you are who you say you are, because only you would have that device. They are a way to make passwords easier, and are gradually rolling out across services around the world.

They’re also technically stronger than passwords because of how the handshake is occurring. You don’t have to remember a thing, and you only need your device with you. In essence, your phone or computer is doing all the heavy lifting, so you don’t have to.
