# Tips for Creating Strong Passwords

Passwords are the first line of defense for your online life. A weak or reused password can expose you to account takeover, data theft, and financial fraud. Investing a few minutes to craft a robust credential pays off in peace of mind and security.

## 1. Make Every Password Unique

* **Never reuse** the same password on multiple sites.
* If one site is breached, attackers often try stolen credentials elsewhere (the “credential stuffing” attack).
* Use a different, random password for each **critical** account: email, banking, social media.

## 2. Build Complexity with Character Variety

* Combine **uppercase letters** (`A–Z`), **lowercase letters** (`a–z`), **numbers** (`0–9`), and **symbols** (`!@#$%^&*()`).
* Aim for at least **12 characters**. Longer is better!
* Example:

  ```
  MfT&Jsmafe1ad
  ```

  (“My friends Tom and Jasmine send me a funny email once a day” ➔ `MfT&Jsmafe1ad`)

## 3. Use a Memorable Passphrase

* Create a short **sentence** or **acrostic** that’s personal but not guessable.
* Insert numbers and symbols for extra strength:

  ```
  I took 3 storms, & danced in rain! ➔ It3s&dir!
  ```
* Passphrases (20–30 characters) often beat random strings: they are easier to remember and hard to crack.

## 4. Avoid Predictable Patterns

* **Don’t** use:
  * Sequential letters/numbers (e.g., `abcd1234`)
  * Keyboard patterns (e.g., `qwerty`, `1q2w3e4r`)
  * Personal info (birthdays, names, addresses)
* **Don’t** substitute only a few characters (`P@ssw0rd!` is still weak).
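
The checks above, together with the length and character-variety rule from section 2, as an added Python example (not part of the original page). The word list, substitution table and function names are constructed for illustration.

```python
import re

# Constructed sample lists (assumptions); production checkers use far larger dictionaries.
COMMON_WORDS = {"password", "letmein", "welcome", "admin"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Undo common look-alike substitutions before the dictionary check.
LEET = str.maketrans("@4031$57!", "aaoelssti")

def has_sequence(pw, run=4):
    """True if pw holds `run` consecutive ascending or descending characters (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        win = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(win, win[1:])}
        if win.isalnum() and diffs in ({1}, {-1}):
            return True
    return False

def has_keyboard_walk(pw, run=4):
    """True if pw follows a keyboard row, forwards or backwards, for `run` keys."""
    s = pw.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    # The two interleaved halves catch zig-zag walks such as 1q2w3e4r.
    for cand in (s, s[0::2], s[1::2]):
        for row in rows:
            if any(row[i:i + run] in cand for i in range(len(row) - run + 1)):
                return True
    return False

def audit(pw, personal=()):
    """Return the findings for pw; an empty list means none of these checks fired."""
    low, findings = pw.lower(), []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 4:
        findings.append("missing a character class")
    if has_sequence(pw):
        findings.append("sequential run")
    if has_keyboard_walk(pw):
        findings.append("keyboard pattern")
    if any(w in low.translate(LEET) for w in COMMON_WORDS):
        findings.append("common word behind substitutions")
    if any(p.lower() in low for p in personal if p):
        findings.append("personal info")
    return findings

if __name__ == "__main__":
    for pw in ("abcd1234", "qwerty", "1q2w3e4r", "P@ssw0rd!", "MfT&Jsmafe1ad"):
        print(pw, audit(pw))
```

An empty result only means these particular checks did not fire; it is not a measure of strength.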

## 5. Rotate & Update Regularly

* Change passwords **every 6–12 months** or immediately after a security breach.
* For non-critical sites, you may update less frequently—but never skip updates after known leaks.

## 6. Secure Storage & Management

* **Use a password manager** (e.g., Bitwarden or 1Password) to:
  * Generate truly random passwords
  * Store and autofill them securely
  * Sync across devices
* **Avoid** plain-text files or browser-saved passwords without encryption.

## 7. Enable Multi-Factor Authentication (MFA)

* Wherever possible, enable **MFA** (SMS codes, authenticator apps, hardware keys).
* MFA adds a second layer: even if your password is stolen, attackers can’t log in without the second factor.

## 8. Beware of Phishing & Social Engineering

* Don’t enter passwords on untrusted links—always verify the site’s URL.
* Watch out for spoofed emails or messages asking for your credentials.

***

## 🔄 Maintaining Password Hygiene

1. **Review your vault**: Delete unused or stale passwords.
2. **Audit breached accounts** with tools like Have I Been Pwned.
3. **Use alerts**: Many password managers notify you of compromised credentials.
