Most people know they should use strong passwords. Fewer actually do — because "strong" passwords are typically hard to remember. This guide explains what genuinely makes a password secure, and how to manage strong passwords without memorizing them all.
What actually makes a password strong?
Security researchers agree on three core properties:
- Length — This is the most important factor. Every additional character multiplies the number of possible combinations. A 12-character password is astronomically harder to crack than an 8-character one, even if both use the same character types.
- Randomness — Passwords based on real words, names, dates, or keyboard patterns (like qwerty) are vulnerable to dictionary attacks. True randomness means the characters are unpredictable.
- Uniqueness — Using the same password on multiple sites means one data breach compromises all your accounts. Every account should have its own unique password.
Common password mistakes to avoid
These patterns appear constantly in leaked password databases:
- Using a word with a number at the end: sunshine1, password123
- Replacing letters with similar-looking numbers: p@ssw0rd
- Using personal information: birthdays, pet names, hometowns
- Keyboard walks: qwerty, asdfgh, 123456
- Reusing passwords across multiple sites
- Using the same base password with slight variations: MyPass1!, MyPass2!
Attackers know all these patterns. Modern password-cracking tools ship with rules that try exactly these transformations first, before anything else.
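As an added example (not a tool from this site), here is a small JavaScript checker that flags the mistakes listed above so a signup or password-change form can reject them. The word list, the keyboard rows, the leet mapping and the `personal` / `previous` inputs are constructed for illustration; a real deployment would check against a large breached-password list instead of a handful of words.

```javascript
// Added example (not the site's own tool): flags the weak patterns listed above.
// COMMON_WORDS, LEET and the ctx inputs are constructed for illustration.

const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// Constructed mini dictionary; a real check loads a large list of common/breached passwords.
const COMMON_WORDS = new Set(["sunshine", "password", "welcome", "dragon", "monkey", "letmein", "football"]);

// Common letter-to-symbol substitutions, mapped back to the letter they stand for.
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

function unleet(s) {
  return s.replace(/[@43!10$57]/g, (ch) => LEET[ch]);
}

// True if the password contains `minLen` adjacent keys from one keyboard row,
// in either direction (qwerty, 123456, poiuy, ...).
function hasKeyboardWalk(pw, minLen = 4) {
  const s = pw.toLowerCase();
  for (const row of KEYBOARD_ROWS) {
    const reversed = [...row].reverse().join("");
    for (let i = 0; i + minLen <= row.length; i++) {
      if (s.includes(row.slice(i, i + minLen)) || s.includes(reversed.slice(i, i + minLen))) return true;
    }
  }
  return false;
}

// Returns the names of the listed mistakes found in `pw`. An empty list means none were
// detected, which is not the same as "strong"; pair it with a length/entropy check.
// ctx.personal: strings tied to the user (pet name, birth year); ctx.previous: earlier passwords.
function weaknesses(pw, ctx = {}) {
  const { personal = [], previous = [] } = ctx;
  const found = [];
  const lower = pw.toLowerCase();
  const stem = lower.replace(/[0-9!@#$%^&*._-]+$/, ""); // word with trailing digits/symbols removed
  const lettersOnly = lower.replace(/[^a-z]/g, "");     // "base" password for variation comparison

  if (pw.length < 12) found.push("too-short");

  if (COMMON_WORDS.has(stem)) {
    found.push(stem === lower ? "dictionary-word" : "dictionary-word-plus-suffix");
  } else if (COMMON_WORDS.has(unleet(stem))) {
    found.push("leet-substitution"); // p@ssw0rd -> password
  }

  if (hasKeyboardWalk(pw)) found.push("keyboard-walk");

  if (personal.some((p) => p.length >= 3 && lower.includes(p.toLowerCase()))) found.push("personal-info");

  if (previous.includes(pw)) {
    found.push("reused");
  } else if (lettersOnly.length > 0 &&
             previous.some((p) => p.toLowerCase().replace(/[^a-z]/g, "") === lettersOnly)) {
    found.push("variation-of-previous"); // MyPass1! -> MyPass2!
  }

  return found;
}
```

Each of the page's examples trips at least one rule: `weaknesses("password123")` reports a dictionary word with a suffix, `weaknesses("p@ssw0rd")` the leet substitution, `weaknesses("qwerty")` a keyboard walk, and `weaknesses("MyPass2!", { previous: ["MyPass1!"] })` a variation of an earlier password, while the random 16-character example from later on the page returns an empty list.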
The two best approaches
1. Random character passwords (for most accounts)
A randomly generated string of 16+ characters — mixing uppercase, lowercase, numbers, and symbols — is the gold standard for security. Something like Kx#9mP2@vLqR7nZw. You don't need to remember it; you store it in a password manager (more on that below).
2. Passphrases (for passwords you must remember)
For your master password manager password, your computer login, or any password you genuinely need to type from memory, use a passphrase: four or more random words strung together. Something like correct-horse-battery-staple. This approach was popularized by the webcomic XKCD and later validated by security researchers.
Passphrases work because they're long (typically 25-30 characters) while still being memorable. The key is that the words must be random — not a phrase that means something to you personally.
If a site requires digits or symbols, a variant such as correct-horse7-battery!-staple satisfies that requirement without making the passphrase harder to remember.
How long should a password be?
- Minimum for any account: 12 characters
- Recommended for important accounts: 16–20 characters
- For high-security accounts (banking, email): 20+ characters
- Passphrases: 4+ random words (usually 25-35 characters total)
Use a password manager
The only realistic way to have a unique, strong password for every account is to use a password manager. It generates and stores passwords for you — you only need to remember one master password.
Reputable free options include Bitwarden (fully open-source) and KeePassXC (local storage only). Paid options with extra features include 1Password and Dashlane.
A password manager is far safer than reusing passwords or keeping them in a notes app.
Generate a secure password right now
Our free password generator uses your browser's built-in cryptographic randomness — the same level of randomness used by security software. Nothing is transmitted or stored.
- Cryptographically random
- Custom length and character types
- Bulk generation