A strong, secure password is one with enough randomness (entropy) that no attacker can guess it before the universe ends. The fastest way to get one is to use 16 or more random characters mixing uppercase, lowercase, numbers, and symbols, or a 4-5 word passphrase pulled from a large word list. The easiest way to do that without thinking about it is our free Password Generator, which builds the password right in your browser.
Below is the full picture: what actually makes a password strong, the entropy math behind it, how passwords get cracked, where password managers and two-factor authentication fit, and the mistakes that quietly ruin otherwise good passwords.
What Makes a Password Strong?
The strength of a password is measured by entropy — the number of guesses an attacker would need to try, on average, to land on yours. Entropy is driven by two things:
- Length — every extra character multiplies the number of possibilities.
- Character variety — drawing from a larger pool (lowercase + uppercase + digits + symbols) makes each character worth more.
The single most important idea: length matters more than complexity. A long lowercase phrase usually beats a short “complex” password. For example, correct-horse-battery-staple (28 characters) has dramatically more entropy than P@ssw0rd! (9 characters) — even though the second one looks more “secure” because it has symbols and numbers.
Why? Because the short one is also short and it is a dictionary word with predictable substitutions, which attackers test first. We will get to that.
The entropy math (the part that actually matters)
Entropy is calculated as:
bits = log2(pool_size ^ length)
= length × log2(pool_size)
pool_size is how many distinct characters each position can be:
| Character set | Pool size | Bits per character |
|---|---|---|
| Digits only (0-9) | 10 | ~3.32 |
| Lowercase letters | 26 | ~4.70 |
| Lower + uppercase | 52 | ~5.70 |
| Lower + upper + digits | 62 | ~5.95 |
| Lower + upper + digits + symbols | ~95 | ~6.57 |
So a 16-character password drawn from the full 95-character keyboard set has:
16 × log2(95) ≈ 16 × 6.57 ≈ 105 bits of entropy
As a rough rule of thumb for what those bits buy you:
- Under 40 bits — weak. Crackable quickly.
- 60-80 bits — solid for most accounts.
- 100+ bits — overkill for almost any realistic attacker. Use this for your master password and email.
The catch: that math only holds if the characters are random. If a human picks them, entropy collapses, because humans reuse words, put the capital at the start and the number at the end, and lean on the same handful of symbols. That is exactly why a generator beats your imagination.
How Long Does It Take to Crack a Password?
Here is the practical version of the entropy table, assuming a fast offline attack at 10 billion guesses per second (a realistic modern GPU rig attacking a leaked password hash). These are order-of-magnitude estimates, not promises:
| Length | Character types | Approx. combinations | Time to crack |
|---|---|---|---|
| 8 chars | All types (95) | ~6.6 × 10¹⁵ | minutes to hours ⚠️ |
| 10 chars | All types | ~6 × 10¹⁹ | ~190 years |
| 12 chars | All types | ~5.4 × 10²³ | thousands of years ✅ |
| 16 chars | All types | ~4.4 × 10³¹ | far longer than the age of the universe 💪 |
| 20 chars | All types | ~3.6 × 10³⁹ | effectively uncrackable 🔒 |
The jump from 8 to 12 to 16 characters is not linear — it is exponential. Adding four characters does not add a fixed amount of time; it multiplies the time by billions. That is the whole game.
Note the assumption: this is an offline attack where the attacker already stole the hashed password database. Online attacks (typing guesses into a live login form) are thousands of times slower because of rate limits and lockouts. So real-world risk is usually worse than the math when a site stores passwords badly, and better when the site is well-defended.
Passphrases vs. Random Passwords
There are two good ways to hit high entropy. Pick whichever fits the situation.
Random character strings
Example output from a generator:
Length 16, all types:
k7$Rm9!qP2vX@cZf
- Pros: maximum entropy per character, compact, ideal when a site caps password length.
- Cons: impossible to memorize or type by hand — you must use a password manager.
- Best for: every account where the password lives in a manager and you never type it manually.
Passphrases (multiple random words)
The famous “diceware” approach: pick several random words from a long list.
4 random words from a ~7,776-word list:
velvet-cobra-ledger-thunder
Entropy: 4 words × log2(7776) ≈ 4 × 12.9 ≈ 51.7 bits
5 words ≈ 64.6 bits, 6 words ≈ 77.5 bits
- Pros: memorable, easy to type on a phone or a TV remote, surprisingly strong at 5-6 words.
- Cons: longer to type; only secure if the words are chosen randomly, not by you picking a sentence.
- Best for: the few passwords you must memorize — your device login, your password-manager master password.
Quick comparison:
| Factor | Random string | Passphrase |
|---|---|---|
| Entropy per character | Highest | Lower |
| Memorability | Very low | High |
| Typing on mobile | Painful | Easy |
| Best length | 16+ chars | 5-6 words |
| Needs a password manager | Yes | No (for the few you memorize) |
A reasonable default: random 16+ char strings for everything stored in a manager, and one strong 5-6 word passphrase as the master key that protects them all.
How to Generate a Strong Password (Step by Step)
The reliable way is to never invent it yourself.
- Open the free Password Generator.
- Set length to 16 as a baseline, or 20+ for critical accounts (email, bank, password manager).
- Enable all character types: uppercase, lowercase, numbers, and symbols.
- Click Generate. If a site rejects certain symbols, turn symbols off and bump the length up by a few characters to compensate.
- Click Copy.
- Paste it into your password manager as you create or change the account.
Everything happens locally in your browser — you paste nothing in, the password is built on your device, and nothing is uploaded or logged. Generating a fresh, unique value per site takes about five seconds, which is the entire point: it removes the human shortcut that makes passwords weak.
If you want to double-check the entropy of something you already have, count the characters and the character types and run the length × log2(pool_size) formula above.
Password Managers: The Part Most People Skip
A strong, unique password per site is the goal — but no one can remember a hundred 16-character random strings. That is what a password manager is for. It stores all your passwords encrypted behind a single master password (or passphrase), autofills them, and generates new ones on demand.
Popular, well-regarded options:
| Manager | Model | Notes |
|---|---|---|
| Bitwarden | Open source, free tier | Cross-platform, self-host option |
| 1Password | Paid | Polished UX, family/team plans |
| KeePassXC | Open source, local file | You control the encrypted vault file |
| Built-in (Apple/Google/Firefox) | Free | Convenient, tied to your ecosystem |
The workflow with a manager looks like this:
- Create one strong master passphrase you memorize and never reuse anywhere.
- Let the manager generate and store a unique random password for every other account.
- Turn on two-factor authentication on the manager itself.
Now the only password you ever have to remember is the master one — and every account behind it is unique and random. Compromising one site no longer cascades into all the others.
Two-Factor Authentication (2FA / MFA)
Even a perfect password can leak — through phishing, a server breach, or malware. Two-factor authentication adds a second, independent check so a stolen password alone is not enough to log in. From strongest to weakest:
- Hardware security keys (FIDO2 / passkeys) — phishing-resistant, the gold standard.
- Authenticator apps (TOTP) — six-digit codes from an app like Aegis, Authy, or Google Authenticator. Strong and easy.
- SMS codes — better than nothing, but vulnerable to SIM-swap attacks. Use only when no other option exists.
Turn on 2FA everywhere it is offered, and prioritize your email account — because email is the reset path for everything else. Passkeys, the emerging passwordless standard, combine a device-bound secret with biometrics and sidestep password theft entirely; expect to see them on more sites through 2026.
How Password Attacks Work
Knowing how attackers operate explains exactly why the advice above works.
Brute force
Tries every possible combination in order. This is the attack the entropy table defends against — each added character multiplies the search space, so length is the direct counter. A 16-character random password is simply too large a space to exhaust.
Dictionary and rule-based attacks
Instead of trying everything, attackers try likely things first: common words, names, leaked passwords, and predictable mutations of them (password → Password1 → P@ssw0rd!). This is why “complex-looking” human passwords fall fast — the mutations are well known. Randomness from a generator defeats it because there is no word to start from.
Credential stuffing
The most common real-world attack. Attackers take username/password pairs leaked from one breached site and replay them against hundreds of other sites, betting you reused the password. It works alarmingly often. The only defense is a unique password per site — which is exactly what a password manager makes effortless.
Phishing
Tricks you into typing your password into a fake login page. No password strength helps here, because you hand it over. Defenses: a password manager that refuses to autofill on the wrong domain, hardware keys/passkeys that are bound to the real domain, and plain skepticism of login links in email.
Common Mistakes and Pitfalls
Do ✅
- Use 16+ characters (or a 5-6 word passphrase) for accounts that matter.
- Use a different password for every single site.
- Store everything in a password manager.
- Turn on 2FA/MFA, starting with email and your password manager.
- Generate values with our Password Generator instead of typing your own.
Don’t ❌
- Don’t use personal info — birthdays, kids’ or pets’ names, addresses, sports teams.
- Don’t rely on dictionary words with number/symbol swaps; attackers test those first.
- Don’t reuse a password across sites, ever — this is what credential stuffing exploits.
- Don’t share passwords over email, chat, or text.
- Don’t use incrementing patterns like
Spring2026!,Summer2026!. - Don’t force yourself to rotate passwords on a schedule; it leads to weaker, predictable variations.
One more subtle pitfall: security questions. “Mother’s maiden name” or “first car” are often public or guessable, effectively a weak backup password. Treat them like passwords — answer with random strings stored in your manager.
Frequently Asked Questions
How long should my password be?
Use at least 12 characters, and 16 or more for important accounts like email, banking, and your password manager. Length adds entropy faster than any other change, so a long password beats a short complex one. Our Password Generator defaults to a strong length out of the box.
Are passphrases better than random passwords?
Both are strong if they have enough entropy. A 4-5 word passphrase from a large word list is comparable to a 16-character random password and is far easier to type or memorize. Random passwords are more compact, which matters when a site limits length.
Should I change my passwords regularly?
No. Forced periodic rotation pushes people toward weaker, predictable patterns. Use a unique strong password per site and only change it if the site is breached or you suspect compromise.
Is it safe to use an online password generator?
It is safe if the generator runs entirely in your browser and never sends data to a server. Our Password Generator builds the password locally using your browser’s cryptographic randomness, so nothing is uploaded or logged.
Generate One Now
Stop inventing passwords in your head — that is the one step that reliably introduces weakness. Open the free Password Generator, set the length to 16 or more, enable all character types, and copy the result straight into your password manager. It runs in your browser, nothing leaves your device, and it takes about five seconds per account.
Related Guides
- How to Decode a JWT Token — inspect token claims safely in your browser.
- How to Format JSON Online — clean up and validate JSON instantly.
- How to Create a QR Code for Free — generate QR codes without an account.
- Best Free AI Tools (2026) — a roundup of genuinely free, useful tools.