Most people have been given the same password advice for years: use uppercase letters, numbers, and symbols. That advice is incomplete — and sometimes actively bad. Here’s what actually makes a password strong, and why.

The Single Most Important Factor: Length

Password strength comes primarily from length, not complexity. A 16-character password made of random lowercase letters is harder to crack than an 8-character password with mixed case, numbers, and symbols.

Here’s why: every character you add multiplies the number of possible combinations. An 8-character password with 72 possible characters (upper, lower, digits, symbols) has 72⁸ = ~722 billion combinations. A 16-character lowercase password has 26¹⁶ = ~43 trillion combinations. The longer password wins — by a factor of 60.
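Added example, not code from the original page: the keyspace arithmetic behind the comparison above, computed exactly with BigInt (a double would round 26^16), plus the entropy in bits and the minimum length needed to reach a target bit count. The 80-bit target in the usage lines is an assumption for illustration, not a figure from the page.

```javascript
// Added example (not from the original page): keyspace and entropy math
// behind "length beats complexity". BigInt keeps 26^16 exact.

// Number of distinct passwords of `length` symbols drawn from an alphabet of
// `alphabetSize` symbols, assuming each symbol is chosen uniformly at random.
function keyspace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Entropy in bits: log2(alphabetSize^length) = length * log2(alphabetSize).
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Smallest length that reaches `targetBits` of entropy with a given alphabet.
function minLengthForBits(alphabetSize, targetBits) {
  return Math.ceil(targetBits / Math.log2(alphabetSize));
}

// The two cases the text compares: 8 symbols from 72 vs 16 lowercase letters.
function compareArticleCases() {
  const complexShort = keyspace(72, 8);
  const simpleLong = keyspace(26, 16);
  return {
    complexShort,
    simpleLong,
    // How many times larger the long lowercase keyspace is (integer division).
    ratio: simpleLong / complexShort,
    complexShortBits: entropyBits(72, 8),
    simpleLongBits: entropyBits(26, 16),
  };
}

// Usage (80 bits is an assumed target, not a number from the page).
if (typeof require !== 'undefined' && require.main === module) {
  const r = compareArticleCases();
  console.log(`72^8  = ${r.complexShort} (${r.complexShortBits.toFixed(1)} bits)`);
  console.log(`26^16 = ${r.simpleLong} (${r.simpleLongBits.toFixed(1)} bits)`);
  console.log(`ratio = ${r.ratio}`);
  console.log(`lowercase length for 80 bits: ${minLengthForBits(26, 80)}`);
  console.log(`72-symbol length for 80 bits: ${minLengthForBits(72, 80)}`);
}
```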

Minimum recommendations by use case:

Account type                          Minimum length
Low-stakes (forums, newsletters)      12 characters
Standard (email, social media)        16 characters
High-stakes (banking, work accounts)  20+ characters
Master password (password manager)    25+ characters

What Makes a Password Weak

These patterns are well-known to password-cracking software and should be avoided:

  • Dictionary words — sunshine, dragon, letmein are tried first in any dictionary attack
  • Common substitutions — p@ssw0rd is just as predictable as password to modern crackers
  • Personal information — names, birthdays, pet names, addresses are guessable from social media
  • Keyboard patterns — qwerty, 123456, asdfgh are among the most common passwords worldwide
  • Short passwords — anything under 12 characters can be brute-forced in hours with modern hardware
  • Reused passwords — if one site is breached, every account using that password is compromised

Randomness Is What Matters

A strong password isn’t just long — it’s unpredictable. The problem with passwords humans create is that they aren’t truly random. We have patterns: we capitalize the first letter, put numbers at the end, replace letters with similar-looking symbols.

True randomness comes from a cryptographically secure random number generator — the same kind used in security software. Our password generator uses the browser’s built-in crypto.getRandomValues() API, which produces genuinely unpredictable output. Nothing is sent to any server.

The Case for a Password Manager

The honest problem with strong passwords is that they’re hard to remember. A 20-character random string like K7#mP2xQ9nL4vR8jT6 is strong, but you can’t memorize 50 of them for every account you have.

The solution is a password manager: software that stores all your passwords encrypted behind one master password. You only need to remember one password — the rest are generated randomly and stored securely.

Well-regarded options:

  • Bitwarden — open source, free tier is excellent, self-hosting option available
  • 1Password — polished apps, family/team plans
  • KeePassXC — fully offline, open source, file-based

With a password manager, you can use a unique 20-character random password for every account — and never remember any of them.

Two-Factor Authentication: The Second Layer

Even a strong password can be stolen through phishing, data breaches, or malware. Two-factor authentication (2FA) adds a second requirement beyond the password — typically a time-based code from an app (TOTP) or a hardware key.

With 2FA enabled, a stolen password alone is useless. Enable it on every account that supports it, starting with email and banking.

TOTP apps: Aegis (Android, open source), Raivo (iOS), or Authy (cross-platform).

Common Password Mistakes

Mistake 1: Using the same password everywhere

One breach exposes every account. This is how most account takeovers happen — credentials from one breached site are tried on thousands of others (credential stuffing).

Mistake 2: Writing passwords in plaintext

Sticky notes, unencrypted text files, or spreadsheets are not secure storage. Use a password manager.

Mistake 3: Answering security questions honestly

“What was the name of your first pet?” is often findable from social media. Treat security question answers like passwords — generate a random string and store it in your password manager.

Mistake 4: Relying on periodic forced changes

Forced password rotation (change every 90 days) is outdated security advice. Modern guidance from NIST (US National Institute of Standards and Technology) recommends only changing passwords when there’s evidence of compromise — frequent rotation leads to weaker passwords like Summer2024!.

How to Check If Your Password Was Breached

Have I Been Pwned (haveibeenpwned.com) maintains a database of billions of credentials from known breaches. You can check if your email address appears in any breach, and many password managers do this automatically.

If a password appears in a breach database, change it immediately — even if it’s a strong password.

Summary

A strong password is long (16+ characters), random, and unique to each account. Length matters more than complexity. The practical solution is to use a password generator for every new account and store everything in a password manager.

Use our password generator to create cryptographically random passwords — all processing happens in your browser, nothing is transmitted anywhere.