What Makes a Password Strong (and How to Create One That Actually Is)

Why length matters more than special characters, how attackers actually crack passwords, and what genuinely protects your accounts.

How passwords get compromised

Most people imagine a hacker manually guessing passwords one at a time. The reality is very different. The most common attack methods are:

  • Data breaches: A site you have an account on gets hacked and its password database is stolen. If you reused that password anywhere else, every account using it is now at risk.
  • Credential stuffing: Attackers take leaked username and password combinations and automatically try them across thousands of other sites. This is why reusing passwords is so dangerous.
  • Dictionary attacks: Automated tools try millions of common words, phrases, and known password patterns (like replacing letters with numbers: p@ssw0rd).
  • Brute force: Systematically trying every possible combination. Only practical for short passwords or when attackers have a stolen hash to crack offline.

Why length beats complexity

Security researchers and the US National Institute of Standards and Technology (NIST) have shifted their guidance away from complex character requirements toward simply making passwords longer. Here is why: a 20-character lowercase password has far more possible combinations than an 8-character password with symbols.

The number of possible combinations grows exponentially with length. An 8-character password using uppercase, lowercase, numbers, and symbols has about 6.6 quadrillion combinations — which sounds large but can be cracked in hours by modern hardware attacking an unsalted hash. A 20-character random password using only lowercase letters has about 19 septillion combinations — orders of magnitude more.

The practical lesson: aim for at least 16 characters for any account that matters. A random 20-character password is significantly stronger than a clever 10-character one with substitutions.

What actually makes a password weak

  • Common words or phrases ("sunshine", "iloveyou", "letmein")
  • Personal information (birthdays, names, pet names, hometown)
  • Predictable substitutions (@ for a, 3 for e, 0 for o) — these are in every dictionary attack list
  • Short length — anything under 12 characters is vulnerable to brute force
  • Reuse across sites — one breach exposes all accounts using that password
  • Sequential patterns (123456, abcdef, qwerty)

How to generate a strong password

The most reliable approach is to use a random generator rather than inventing passwords yourself. Human-invented passwords tend to follow predictable patterns that appear in dictionary attacks even when they seem creative to us.

A good password for a sensitive account (banking, email, social accounts) should be:

  • At least 16 characters, ideally 20+
  • Randomly generated, not based on a word or phrase
  • Unique — not used on any other site
  • Stored in a password manager, not written down or reused from memory

The free Password Generator on this site creates random passwords at any length you choose, with options to include or exclude uppercase letters, numbers, and symbols to meet different site requirements.

Passphrases as an alternative

A passphrase — four or more random words strung together — is both strong and memorable. "correct horse battery staple" (a well-known example) is 28 characters of random words and far harder to crack than "Tr0ub4dor&3" despite feeling easier to remember. The key is that the words must be randomly selected, not a phrase that means something to you personally.
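The arithmetic behind "Why length beats complexity" and the random generation this section and "How to generate a strong password" recommend, worked through as an added Python example (not code from this site's Password Generator): it computes the keyspace and entropy of each password style, estimates how long exhaustive guessing would take at an assumed offline guess rate, and draws passwords and passphrases with the OS CSPRNG. The guess rate and the eight-word list are constructed assumptions; the 95-symbol alphabet is the one the page's 6.6 quadrillion figure implies (94 printable ASCII characters plus space).

```python
import math
import secrets
import string

# Character classes as the page describes them: 26 lowercase, 26 uppercase,
# 10 digits and the 32 printable ASCII symbols (94 characters; 95 with space).
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def generate_password(length: int, upper: bool = True, digits: bool = True,
                      symbols: bool = True) -> str:
    """Draw each character uniformly with the OS CSPRNG (secrets), never random.random()."""
    alphabet = LOWER + (UPPER if upper else "") + (DIGITS if digits else "") \
        + (SYMBOLS if symbols else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int = 4, sep: str = " ") -> str:
    """Pick `words` entries uniformly from `wordlist`; entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


# Constructed sample inputs (assumptions, not from the page): a guess rate in the
# range of GPU attacks on a fast unsalted hash, and a toy word list standing in
# for a real 7776-word diceware list (4 words from such a list give ~51.7 bits).
ASSUMED_GUESSES_PER_SECOND = 1e12
TOY_WORDLIST = ["correct", "horse", "battery", "staple", "anvil", "orbit", "velvet", "quartz"]

if __name__ == "__main__":
    for name, size, length in (("8 chars, 95-symbol set", 95, 8), ("20 lowercase chars", 26, 20)):
        hours = seconds_to_exhaust(size, length, ASSUMED_GUESSES_PER_SECOND) / 3600
        print(f"{name}: {keyspace(size, length):.2e} candidates, "
              f"{entropy_bits(size, length):.1f} bits, {hours:.1f} hours to exhaust")
    print(generate_password(20))
    print(generate_passphrase(TOY_WORDLIST))
```

At the assumed rate the 8-character mixed password exhausts in under two hours while the 20-character lowercase one takes on the order of 10^16 seconds, which is the gap the page's two combination counts describe.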

Two-factor authentication matters more than password strength

Even a perfectly strong password can be stolen through phishing (a fake login page that captures what you type) or through a breach that exposes the password in plaintext. Two-factor authentication (2FA) — requiring a code from your phone or an authenticator app in addition to your password — prevents login even when your password is known. Enable 2FA on every account that supports it, especially email, banking, and social media.

Password managers solve most of this

The only realistic way to use a different strong password on every site is a password manager. It generates, stores, and fills in long random passwords so you only need to remember one master password. Popular options include Bitwarden (free, open source), 1Password, and the built-in password managers in Chrome, Safari, and Firefox. Using a password manager with a strong master password and 2FA is the single most impactful thing most people can do for their account security.

Generate passwords for any site

Use the free Password Generator to create a new password whenever you need one — for new accounts, after a breach, or when updating a reused password. Adjust length and character options to match each site's requirements, then save the result in a password manager.