Most accounts are still lost to weak or reused passwords, not fancy hacking. The good news: a genuinely strong password is simple to make once you understand what "strong" actually means. This guide explains it in plain terms, and you can create one instantly with our free password generator that runs entirely in your browser.
Three things, in order of importance:
Password strength is measured in entropy (bits of unpredictability). Adding length increases entropy far faster than swapping an "a" for "@". A 16-character random password is astronomically harder to brute-force than an 8-character one, even if the short one has more symbols.
| Length (random, mixed) | Resistance to brute force |
|---|---|
| 8 characters | Crackable; avoid for anything important |
| 12 characters | Reasonable for low-risk accounts |
| 16+ characters | Recommended for email, banking, work |
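
To put numbers on the table above, here is an added example (not the site's generator code) that draws random passwords with the Web Crypto API and computes their entropy as length × log2(alphabet size). The 80-character `MIXED` alphabet and all function names are assumptions made for this sketch, and the bit counts hold only for randomly generated passwords, not ones a person chose.

```javascript
// Added example: constructed for illustration, not the site's generator code.
// Web Crypto is global in browsers and current Node.js; fall back on older Node.
const rng = (globalThis.crypto && globalThis.crypto.getRandomValues)
  ? globalThis.crypto
  : require('node:crypto').webcrypto;

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const MIXED = LOWER + LOWER.toUpperCase() + '0123456789' + '!@#$%^&*()-_=+[]{}';

// Uniform integer in [0, n). Draws at or above the largest multiple of n
// that fits in 2^32 are redrawn, so `% n` introduces no modulo bias.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Each character is an independent, uniform pick from `alphabet`.
function randomPassword(length, alphabet = MIXED) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[randomIndex(alphabet.length)];
  }
  return out;
}

// Entropy in bits of `length` uniform picks from `alphabetSize` symbols.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Entropy for the three lengths in the table, using the mixed alphabet.
function tableEntropy() {
  return [8, 12, 16].map((len) => ({
    length: len,
    bits: Math.round(entropyBits(len, MIXED.length)),
  }));
}

console.log(randomPassword(16), tableEntropy());
console.log('16 lowercase vs 8 mixed:',
  entropyBits(16, LOWER.length).toFixed(1), entropyBits(8, MIXED.length).toFixed(1));
```

The last line shows the length-over-symbols point directly: 16 lowercase-only characters carry more entropy than 8 characters drawn from the full mixed set.
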
If you need to remember a password (like your master password), a passphrase of four or more random words, e.g. "violet-harbor-cactus-engine", is both long and easy to recall. For everything else, let a generator make random strings and store them in a password manager.
1. Use a password manager to store logins.
2. Let it (or our generator) create a unique 16+ character password per site.
3. Protect the manager with a long passphrase.
4. Turn on two-factor authentication wherever possible.

You only ever memorize one passphrase.
How long should a password be? 16 characters or more for important accounts; longer is always stronger.
Is it safe to use an online password generator? It is if it runs locally: our generator creates passwords in your browser with cryptographic randomness and never sends them anywhere.
Do I need to change passwords regularly? Only change them if a service is breached or you suspect exposure; forced frequent changes tend to make people pick weaker ones.