What makes a password strong (and how to generate one)

7 min read

Most advice about passwords is a decade out of date. The old rules — a capital letter, a number, a symbol, change it every 90 days — produced passwords that were hard for humans to remember and easy for computers to guess. Here’s what actually determines whether a password protects you, and how to create one in seconds.

Length is the single biggest factor

Every character you add to a password multiplies the number of possibilities an attacker has to work through. That’s exponential growth: an 8-character password drawn from a mix of letters, digits and symbols has a large-but-crackable number of combinations, while a 16-character one is astronomically harder — beyond the reach of brute force for the foreseeable future. If you remember one rule, make it this: longer wins. Aim for at least 16 characters on any account you care about.

Randomness matters as much as length

A long password built from real words, names, dates or keyboard patterns (“Summer2024!”) is far weaker than its length suggests, because attackers don’t guess randomly — they try dictionaries, common substitutions and leaked passwords first. True strength comes from unpredictability. A password generated from a cryptographically secure random source, like our Password Generator, has no pattern to exploit, so its full length actually counts.

The mistake that undoes everything: reuse

Even a perfect password fails if you use it in more than one place. Data breaches happen constantly, and when one site leaks its passwords, attackers immediately try the same email-and-password combination on banks, email providers and shops — an attack called credential stuffing. A unique password per account contains the damage of any single breach to that one account. This is the highest-impact habit in all of personal security.

How to manage unique passwords without memorising them

You can’t remember a hundred random 16-character strings, and you shouldn’t try. The workable system is simple:

  • Use a password manager to store and autofill your logins. You remember one strong master password; it remembers the rest.
  • Generate a new random password for every account with a tool like the Password Generator, and paste it straight into the manager.
  • Turn on two-factor authentication wherever it’s offered, so a stolen password alone isn’t enough to get in.

What about passphrases?

A passphrase — several unrelated random words strung together — is a good option for the handful of passwords you must type from memory, like your device login or your password-manager master password. The key word is random: four words chosen by dice or software, not a memorable quote. For everything else, a fully random generated password stored in a manager is stronger and requires no memory at all.

Quick checklist

  • At least 16 characters — longer is better.
  • Generated randomly, not based on words or patterns.
  • Unique to every single account.
  • Stored in a password manager, protected by 2FA.

None of this requires expertise or expensive tools. Generate a strong, unique password in your browser with the Password Generator — it runs entirely on your device, so the password is never sent anywhere — save it in your manager, and move on. That’s modern password security in a nutshell.

Tools in this guide