Avoid passwords you've used elsewhere. We check against publicly leaked databases — only a short hash prefix is sent, never your full password.