How to Create a Strong Password — The Complete Guide
Most passwords people use are shockingly weak. Here is the science behind strong passwords, when to use a random password generator, and how a password manager changes everything.
The average person has over 100 online accounts. Research consistently shows that the average person also reuses the same 3–5 passwords across most of them. This single habit is responsible for the vast majority of account takeovers — not sophisticated hacking, not zero-day exploits. Just bad passwords used everywhere.
Here is everything you need to know to fix that, starting right now.
Why Weak Passwords Fail
Before building better habits, it helps to understand exactly how passwords get compromised. There are three main attack methods:
Credential stuffing
When a service suffers a data breach, attackers dump millions of stolen username/password pairs online — these are called credential databases. Automated tools then test those same credentials against hundreds of other services: your email provider, your bank, your streaming accounts. If you reuse passwords, one breach exposes everything. This is by far the most common form of account takeover.
Brute force attacks
Modern GPUs can test billions of password combinations per second. A 6-character lowercase password has fewer than 309 million possible combinations — a consumer GPU can crack it in under a second. Add uppercase letters and that climbs to 19 billion — still crackable in seconds. Length defeats brute force. A 16-character random password has combinations measured in the quadrillions.
Dictionary attacks
Attackers don't always try every combination — they start with the most likely candidates: common words, names, sports teams, years, keyboard patterns, and well-known substitutions. "Password1!", "Summer2024", "qwerty123", "P@ssw0rd" — all cracked instantly from precomputed lookup tables (called rainbow tables). If a human could memorise it easily, assume attackers already have it in their dictionary.
What Makes a Password Strong?
Security researchers and standards bodies like NIST (National Institute of Standards and Technology) and OWASP agree on the core principles:
1. Length is the single most important factor
Every additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length. A 12-character password is not twice as hard to crack as a 6-character one — it is billions of times harder. Recommended minimums:
- 12 characters minimum for basic accounts (social media, forums)
- 16–20 characters for sensitive accounts (email, banking, password manager master password)
- 24+ characters for anything protecting large amounts of money or critical infrastructure
2. Use character variety — but not substitutions
Mixing uppercase letters, lowercase letters, digits, and symbols forces attackers to consider a character set 95+ characters wide per position, dramatically increasing the search space. However:
- P@ssw0rd is not strong — attackers have substitution tables
- Tr0ub4dor&3 is not strong — it is a famous XKCD example every attacker knows
- 7Kp#Xm2qN9vL is strong — randomly generated with no predictable pattern
3. It must be random — not memorable
Human-created passwords are never truly random. Even when people try to be random, they unconsciously gravitate towards familiar patterns: favourite sports, dates that matter to them, adjacent keyboard keys. True randomness requires a tool that uses a cryptographic random number generator, not a human brain.
4. Never reuse passwords across sites
This is non-negotiable. A breach at one service must never compromise your other accounts. Every site gets its own unique password, full stop.
How to Generate a Strong Password Right Now
The fastest method: use our free Password Generator. It uses your browser's built-in crypto.getRandomValues() API, a cryptographically secure random number generator of the same kind that SSL/TLS relies on, to generate passwords that are genuinely unpredictable.
Recommended settings for different account types:
| Account type | Length | Character types |
|---|---|---|
| Password manager master | 20+ chars | All four types |
| Email, banking | 16–20 chars | All four types |
| Social media | 14–16 chars | All four types |
| Low-stakes forums | 12–14 chars | Uppercase + lowercase + digits |
| Site with restricted chars | 14+ chars | Exclude symbols if blocked |
The Passphrase Method — When You Need to Memorise It
There is exactly one password you need to memorise: your password manager master password. For that specific use case, a passphrase is often the better choice.
A passphrase is a sequence of random, unrelated words. For example:
- correct-horse-battery-staple (four random words)
- purple-volcano-cassette-fig (four random words)
The key word is random. "ilovemycat" is not a passphrase — it is a predictable sentence from a predictable vocabulary. A proper passphrase uses words selected randomly from a large word list (like EFF's Diceware list) with no semantic connection to each other.
For your password manager master password:
- Open EFF's Large Wordlist (freely available online)
- Roll 5 dice, 5 times, to get 5 random five-digit numbers
- Look up the corresponding word each time
- Combine with separators: word-word-word-word-word
- This gives you ~65 bits of entropy — extremely secure and memorisable
Use a Password Manager — This Is Not Optional
A password manager stores all your passwords encrypted behind one master password. It generates unique, random passwords for every site and fills them in automatically. You only need to remember one password — or one passphrase.
This is the only practical way to have truly unique, strong passwords for all your accounts without developing repetitive strain injury from constant password resets.
Recommended password managers
Bitwarden — Open-source, independently audited, free tier covers unlimited devices and unlimited passwords. The best starting point for most people. No reason not to use it.
1Password — Polished apps, excellent family and team plans. Paid only (~$3/month personal), worth it for power users who want a premium experience.
iCloud Keychain — Built into Apple devices, zero setup, syncs automatically. Works perfectly if you stay within the Apple ecosystem. Cannot be used cross-platform.
Google Password Manager — Built into Chrome and Android. Convenient if you're all-in on Google. Less transparent about encryption details than Bitwarden.
What to look for in a password manager
- Zero-knowledge architecture — the provider cannot see your passwords, only you can
- End-to-end encryption before data leaves your device
- Independent security audit published publicly
- Open-source code (strongly preferred — anyone can verify the security)
- Breach monitoring — alerts you when saved credentials appear in known data breaches
Password Security Rules by Account Type
Not all accounts carry equal risk. Here is a practical tiered approach:
Tier 1: Protect these at all costs
- Email account — password reset for every other account flows through email; if email falls, everything falls
- Password manager — holds the keys to the kingdom
- Banking and investment accounts — financial impact
Tier 2: Important but less catastrophic
- Social media accounts
- Work accounts
- Healthcare portals
Tier 3: Low stakes
- Forums, content sites, trial sign-ups
Two-Factor Authentication (2FA) — The Safety Net
Even the strongest password can be stolen through phishing — where an attacker tricks you into entering your credentials on a fake site. Two-factor authentication (2FA) means that even if an attacker gets your password, they still cannot access your account without the second factor.
Types of 2FA, ranked from strongest to weakest:
- Hardware security key (YubiKey, Google Titan) — phishing-proof; highly recommended for Tier 1 accounts
- Authenticator app (Authy, Google Authenticator) — time-based codes that change every 30 seconds; much better than SMS
- SMS one-time codes — better than nothing, but vulnerable to SIM-swapping attacks
- Email one-time codes — only as secure as your email account itself
What to Do If Your Password Has Been Compromised
If you receive a breach notification, or you suspect an account has been compromised:
- Change the password immediately using a newly generated strong password
- Check all other accounts where you reused the same password and change those too
- Enable 2FA if it is not already on
- Check breach databases — sites like Have I Been Pwned (haveibeenpwned.com) let you check if your email address appears in known breaches
- Monitor your email and bank for suspicious activity over the next 30 days
Common Password Mistakes to Avoid
| Mistake | Why it fails |
|---|---|
| Using your name, pet's name, or birthdate | First guesses in targeted attacks |
| Keyboard walks (qwerty, 1qaz2wsx) | Pre-loaded in every cracking dictionary |
| Substitutions (P@ssw0rd, H3ll0) | Attackers have full substitution tables |
| Appending numbers to a word (dragon123) | Dictionary + number brute force is fast |
| Short passwords under 10 characters | Crackable in minutes with modern hardware |
| Reusing any password anywhere | One breach exposes everything |
| Using the site name in the password (facebook2024) | Predictable pattern, often the first guess |
Generate Your Strong Password Now
Stop putting this off. Use our free Password Generator to create a cryptographically secure password right now — set your desired length, choose your character types, and copy it straight into your password manager. Everything runs in your browser, nothing is ever sent to any server.
If you do not have a password manager yet, download Bitwarden (it is free) and set that up first. It takes ten minutes and fundamentally changes your security posture.
Read next: What Is My IP Address and What Does It Reveal About You? — understanding what websites already know about you is the other half of staying private online.