Most account breaches don’t come from someone “cracking” a strong password — they come from reused, short or leaked ones. Here’s what actually makes a password strong, and a realistic way to manage them.
Length beats complexity
The strength of a random password comes from its entropy — roughly, how many possibilities an attacker must try. Entropy grows with length far faster than with fancy character rules. A 20-character password is dramatically harder to brute-force than an 8-character one, even if the shorter one has !@#$.
Forced complexity rules (“must contain an uppercase and a symbol”) often backfire: they push people toward predictable patterns like Password1!. Prefer long and random over short and gimmicky. A password generator gives you long, high-entropy strings instantly.
Passphrases: strong and memorable
For the few passwords you must actually type from memory (your device login, your password-manager master password), a passphrase of four or more random words is both strong and memorable — far better than a short “complex” string. The key word is random: pick words you didn’t choose for meaning.
The two rules that matter most
- Never reuse passwords. If one site is breached, attackers try that email/password pair everywhere else (called credential stuffing). A unique password per site contains the damage.
- Use a password manager. You can’t remember 100 unique 20-character passwords — and you shouldn’t try. A manager generates, stores and autofills them. You only remember one strong master passphrase.
Add two-factor authentication (2FA)
Even a perfect password can be phished or leaked. 2FA adds a second step — an authenticator app code or a hardware key — so a stolen password alone isn’t enough. Turn it on for email, banking and anything important. App-based or hardware 2FA is stronger than SMS.
Quick checklist
- Long (16+ characters) and random for site logins → use a generator.
- A memorable random passphrase for your master password.
- Unique per site, stored in a password manager.
- 2FA on important accounts.
- Never store passwords in plain-text notes, spreadsheets or chats.
Generate a strong, random password right now with the free password generator — it uses your browser’s cryptographic randomness and never uploads or stores anything.