How to Create a Strong Password (What Actually Makes One Secure)

TL;DR A strong password is long and genuinely random, not a clever word with a few letters swapped for symbols. Generate a unique one for every account, store them in a password manager, and use a generator that creates the password in your browser so it is never sent anywhere it could be logged.

Most advice on creating a strong password is quietly wrong. It tells you to swap an “a” for “@”, bolt on an exclamation mark, and change it every ninety days — rituals that feel secure but barely slow an attacker down. What actually matters is far simpler, and once you understand it, you will never agonise over passwords again. This guide explains what genuinely makes a password hard to crack, why human-chosen passwords are the real weakness, and how to generate strong ones locally in your browser so the password is never sent anywhere it could be intercepted.

What actually makes a password strong

A password’s strength comes down to one thing: how many guesses an attacker would need to find it. Cryptographers measure this as entropy, and two factors drive it — length and randomness. Length matters because each additional character multiplies the number of possible combinations. Randomness matters because attackers do not guess blindly; they start with dictionaries, common phrases, leaked-password lists, and predictable patterns. A truly random twelve-character string has far more entropy than a sixteen-character password built from a familiar word, because the random one gives the attacker no shortcut.

This is why the classic “complexity rules” are mostly theatre. Forcing one uppercase letter, one digit, and one symbol does little if the result is still Password1! — a pattern every cracking tool tries first. The character mix helps only when the choice of characters is unpredictable. Length plus genuine randomness beats clever-looking substitutions every time.

Why human-chosen passwords are weak

People are terrible random-number generators. Asked to invent a password, we reach for names, birthdays, pet names, sports teams, keyboard walks like qwerty, and the same handful of “clever” tricks everyone else uses. Attackers know this. Modern cracking software does not try aaaa, aaab, aaac in order — it runs through real words, known leaked passwords, and the predictable mutations humans favour: a capital at the start, a number at the end, a→@, e→3, s→$. Those substitutions are in every cracking dictionary, so P@ssw0rd is no harder to break than password.

The other fatal habit is reuse. When one site is breached — and breaches happen constantly — attackers take the leaked email-and-password pairs and try them on banks, email providers, and shops everywhere. This is called credential stuffing, and it is why a single reused password can unlock your whole digital life. A unique password per account contains the damage to one site.

The case for long passphrases

If you must create and remember a password yourself, a passphrase is the strongest approach. String together four or five unrelated, randomly chosen words — something like harbour-violet-cactus-engine — and you get a password that is long, high in entropy, and far easier to type and recall than a tangle of symbols. The key word is randomly chosen: a memorable quote or song lyric is not random and offers little protection, because those phrases appear in cracking dictionaries too. Pick the words at random, not from your own head.

That said, you should only need to actually memorise one or two passphrases — the one for your device and the one for your password manager. Everything else can and should be a long random string you never type from memory.

How to generate a strong password, step by step

A password manager is the practical answer to “how do I remember a unique strong password for every site?” — you remember one master passphrase, and it stores the rest. To create the individual passwords, use a generator. Here is the process with a browser-based password generator:

  1. Open the generator in your browser. There is nothing to install and no account to create.
  2. Set the length to at least 16 characters — longer for important accounts like email and banking.
  3. Choose the character types you want: lowercase, uppercase, numbers, and symbols. More variety raises entropy, though length does the heavy lifting.
  4. Generate the password. Each one is created using your browser’s cryptographically secure randomness, so it is genuinely unpredictable.
  5. Copy it straight into your password manager as you create or update the account, and let the manager remember it for you.

Because a good password generator builds the password entirely in your browser, the value is never transmitted to a server — so there is no copy in a log file or in transit for anyone to intercept. That local-only behaviour is exactly what you want from a tool whose entire job is producing a secret.

Password myths worth retiring

A few stubborn beliefs make passwords weaker, not stronger. Forced periodic changes are one: security bodies including NIST now advise against routine expiry, because passwords changed on a schedule tend to be weak, predictable variations (Spring2025, then Summer2025). Change a password when there is a reason to — a breach, a shared device, a suspicion — not on a calendar. Complexity rules as a substitute for length are another myth; a short password studded with symbols is weaker than a long simple one. And the idea that a password is too long to bother typing ignores the password manager that should be typing it for you.

For everyday security, autofill from a reputable manager combined with two-factor authentication on important accounts does more than any password-rotation policy ever did.

Frequently asked questions

How long should a strong password be? At least 16 characters for everyday accounts, and longer for high-value ones such as email, banking, and your password manager. Length adds more strength than any single character rule, so when in doubt, make it longer.

Is swapping letters for symbols, like a to @, actually safer? Barely. Those substitutions are built into every cracking dictionary, so P@ssw0rd is about as weak as password. Genuine randomness and length protect you; predictable swaps do not.

Is it safe to use an online password generator? It depends on where the password is created. A generator that builds the password in your browser never transmits it, so there is nothing to intercept or log. Our generator runs entirely on your device — the password it makes never leaves your browser.
