What makes a password strong
Attackers rarely "guess" passwords by hand. They use software that tries billions of combinations per second, or they take passwords leaked from one website and try them everywhere else. A strong password defeats both. Three things matter most:
- Length. Each extra character multiplies the number of possible passwords. Length is the most powerful lever you have.
- Randomness. A truly random password has no pattern to exploit. Names, dates, keyboard runs (qwerty) and "P@ssw0rd"-style swaps are all easy to crack.
- Uniqueness. A password used on only one site means a leak from that site cannot unlock your email, bank or anything else.
Why length beats complexity
"Complexity" rules — one uppercase, one number, one symbol — were meant to make passwords stronger, but they often just produce predictable patterns people can remember. Length does far more. The "strength" of a password is measured in bits of entropy: the more bits, the more guesses an attacker needs.
A 16-character password drawn from a full mix of letters, numbers and symbols has well over 100 bits of entropy — far beyond what current hardware can brute-force. A short but "complex" 8-character password has only about 50 bits, which is crackable. The takeaway: longer is stronger.
Two ways to make a strong password
1. A random string. The strongest option is a long, random string of mixed characters, such as v7$Kp2!mQz9wRt4X. Nobody can remember many of these, which is exactly why a password manager exists — to store them for you.
2. A passphrase. If you must memorise it, string together four or more random, unrelated words (for example "copper-violin-meadow-rocket"). The length makes it strong while staying typeable. The words must be random, not a quote or song lyric.
Habits that matter more than the password itself
- Use a different password for every account. This is the single most important rule.
- Use a password manager so you only need to remember one strong master password.
- Turn on two-factor authentication (2FA) wherever it is offered — it protects you even if a password leaks.
- Never share passwords by email or text, and change any password that appears in a breach.
Generate one in your browser
The easiest way to get a long, genuinely random password is a generator. A good one runs entirely in your browser using a cryptographically secure random source, so the password is never sent anywhere. Set the length to 16 or more, include all character sets, and copy the result straight into your password manager.
Frequently asked questions
- How long should a password be?
  Aim for at least 16 characters for important accounts. Length matters more than special symbols, because every extra character makes the password exponentially harder to crack.
- Is it safe to use a password generator?
  Yes, as long as it runs locally in your browser and uses a cryptographically secure random source. Our generator creates passwords on your device and never sends them to a server.
- Should I change my passwords regularly?
  Modern guidance says change a password when there is a reason to — such as a data breach — rather than on a fixed schedule. Using a unique, strong password per site plus 2FA matters far more than frequent changes.