How to generate strong passwords (and why length beats complexity)
Everyone has bad password habits. The good news is that generating strong passwords has never been easier, and modern best practices are simpler than the confusing rules of the early 2000s. This guide covers the minimum you need to know.
What makes a password "strong"?
In practical terms: it should be hard for an attacker to guess — both by brute force (trying every combination) and by dictionary attack (trying common words and patterns).
There's a simple way to think about this: entropy, measured in bits. Each additional bit doubles the time it takes to brute-force the password. A random 12-character lowercase password has about 56 bits of entropy. A random 16-character password mixing upper, lower, digits, and symbols gets you above 100 bits, well beyond the reach of any realistic attacker.
Length beats complexity
Adding one character to a random password is usually worth more than adding another character class. A 20-character lowercase password (≈94 bits) is stronger than a 10-character mixed-case-digits-symbols password (≈66 bits), and it's also easier to type.
Randomness matters
Humans are terrible at random. "P@ssw0rd1" looks complex but is cracked in milliseconds. True randomness comes from a cryptographically secure source. Every good password tool uses crypto.getRandomValues or an equivalent, not Math.random().
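The following is an added example, not code from this site's generator: a small generator built on crypto.getRandomValues, with the entropy arithmetic used for the figures above. All names in it (CLASSES, buildAlphabet, randomIndex, generatePassword, entropyBits) are illustrative, and the 32-symbol set is an assumption (printable ASCII punctuation).

```javascript
// Added example: CSPRNG-backed generator plus the entropy arithmetic from the text.
// All identifiers below are illustrative; the symbol set is an assumption.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const CLASSES = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
const AMBIGUOUS = new Set("0Ol1"); // look-alike characters to optionally skip

function buildAlphabet(classes, avoidAmbiguous = false) {
  const chars = classes.map((name) => {
    if (!Object.hasOwn(CLASSES, name)) throw new RangeError("unknown class: " + name);
    return CLASSES[name];
  }).join("");
  return [...chars].filter((ch) => !(avoidAmbiguous && AMBIGUOUS.has(ch)));
}

// Uniform index in [0, n): bytes at or above the largest multiple of n that
// fits in 256 are discarded, so the final "% n" introduces no modulo bias.
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const byte = new Uint8Array(1);
  do {
    rng.getRandomValues(byte);
  } while (byte[0] >= limit);
  return byte[0] % n;
}

function generatePassword(length, classes, avoidAmbiguous = false) {
  const alphabet = buildAlphabet(classes, avoidAmbiguous);
  if (alphabet.length < 2) throw new RangeError("alphabet too small");
  return Array.from({ length }, () => alphabet[randomIndex(alphabet.length)]).join("");
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

const ALL = ["lower", "upper", "digits", "symbols"];
console.log(generatePassword(16, ALL, true));
console.log(entropyBits(20, 26).toFixed(1), "bits vs", entropyBits(10, 94).toFixed(1));
```

Dropping the four ambiguous characters shrinks the full alphabet from 94 to 90 symbols, which costs about 1 bit on a 16-character password.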
When to use a passphrase
Passphrases — four or more unrelated words like correct-horse-battery-staple — trade character randomness for memorability. A 5-word passphrase from a 7,000-word list has ≈63 bits of entropy and is much easier to type on a phone. Use a passphrase for anything you'll type manually (your device password, your password manager master key) and a random string for anything you'll paste from a password manager.
Don't reuse passwords
Breaches happen. If you reuse a password across sites, one leaked site means all those accounts are compromised. Use a password manager to generate and store a unique password per site.
Try it now
Our free password generator creates cryptographically random passwords with configurable length and character sets, and lets you avoid ambiguous characters like 0/O/l/1 for easier typing.
Quick reference
- Minimum 16 characters for anything important.
- Mix character classes for stored passwords; rely on length for typed ones.
- Never reuse — use a password manager.
- Turn on multi-factor authentication wherever it's offered.