How to Create a Strong Password (Length Beats Complexity)
Most advice about passwords is outdated. Forcing a “P@ssw0rd!” full of symbols feels secure, but the maths says something simpler and more powerful: length is what really protects you.
What makes a password hard to crack
Attackers don’t guess passwords by hand — they use software that tries billions of combinations per second. The only thing that matters to that software is the total number of possible combinations, which is measured in entropy (bits). Every extra character multiplies the possibilities, and adding length increases entropy far faster than adding the odd symbol to a short password.
A 16-character password using just letters and numbers has more entropy than an 8-character password crammed with symbols. That’s why modern guidance — including from security agencies — now emphasises length over forced complexity.
Length beats complexity
Consider two passwords: Xk7!q (5 characters, looks "complex") and correct-horse-battery-staple (28 characters, all lowercase words). The second is dramatically harder to crack, despite having no symbols, simply because it’s longer. Aim for at least 12 characters, and 16 or more for important accounts.
Two good strategies
- Random strings — the strongest option for accounts you don’t type often. A generator produces something like k9$Lm2&vQ8pZ!4xR using a cryptographically secure random source. Our Password Generator does exactly this, entirely in your browser, and shows the entropy in bits so you can see how strong it is.
- Passphrases — four or more random words strung together are long, strong, and easier to type for the rare passwords you must remember (like your password manager’s master password).
Use a different password everywhere
The biggest real-world risk isn’t a weak password — it’s a reused one. When one site is breached, attackers try the leaked email-and-password combination on every other popular service ("credential stuffing"). A unique password per site means one breach can’t cascade. Nobody can remember dozens of unique strong passwords, which is why a password manager is the single best security upgrade most people can make: it generates and stores a unique password for every account, and you only remember one master passphrase.
Common mistakes to avoid
- Reusing the same password across multiple sites.
- Basing passwords on personal info — names, birthdays, pets.
- Simple substitutions like @ for a; cracking tools know them all.
- Short passwords, no matter how many symbols they contain.
Turn on two-factor authentication
Even a perfect password can be phished or leaked. Two-factor authentication (2FA) adds a second step — a code from an app or a hardware key — so a stolen password alone isn’t enough. Enable it everywhere it’s offered, especially for email and banking.
The bottom line
Make passwords long, make them unique, let a password manager handle the rest, and switch on 2FA. Generate strong ones instantly with our Password Generator — it never sends anything over the internet.
Frequently asked questions
How long should a password be?
At least 12 characters, and 16 or more for important accounts like email and banking. Length increases strength faster than adding symbols.
Are random passwords better than passphrases?
Random strings are strongest for accounts stored in a password manager. Passphrases (several random words) are nearly as strong and easier to type for the few passwords you must remember.
Is it safe to use an online password generator?
It is if the generation happens in your browser and nothing is transmitted. Our generator uses your browser’s secure random source and never sends the password anywhere.