2026-05-126 min read

How to Create Strong Passwords (That You Can Actually Use)

Practical rules for password length, randomness, and managers — plus how to check strength before you reuse a weak one.

Weak passwords are still a top cause of account takeovers. Length and randomness beat clever substitutions like P@ssw0rd every time.

What makes a password strong

  • At least 12–16 characters (longer for master passwords)
  • Random mix of letters, numbers, and symbols
  • Unique per site — never reuse across accounts

Use a password manager

Managers generate and store unique passwords so you only memorize one master passphrase. That single habit prevents cascade breaches when one site leaks credentials.

Check before you commit

Strength meters estimate guessability. They’re not perfect, but they catch dictionary words, short lengths, and common patterns instantly.

Try it instantly

Generate secure passwords with our Password Generator () and check strength with our Password Strength Checker (/tools/password-strength-checker).

The anatomy of an uncrackable password

Modern password cracking uses dictionaries, rule-based mutations, and brute force. A password like 'Password123!' fails all three defences: it is in every dictionary list, the capital P and trailing ! are the first mutations any cracker tries, and 12 characters is crackable in hours with modern GPUs.

What actually makes a password strong:

  • Length above all else. A random 20-character lowercase string beats a 12-character mixed-case string with symbols. Every additional character multiplies the search space exponentially.
  • True randomness. 'MyDog$name1s Rex' feels random but is a predictable pattern. Random means chosen by a machine with no human pattern.
  • Uniqueness per site. A strong password reused across 10 sites is 10× weaker than a single-site password because one breach exposes all 10 accounts.

Passphrase vs random password

A passphrase is 4–6 random words strung together: 'correct horse battery staple'. This approach (popularised by xkcd) produces passwords that are easy to type and remember, extremely long (20–30 characters), and statistically very strong against brute force.

A random password like 'xK#9mQ!vLp2s' is shorter but harder to type and impossible to remember. For passwords you type daily, passphrases win. For everything else, use a password manager and generate fully random passwords — length 20+, all character types.

Password manager setup in 3 steps

If you are not using a password manager, start today. The setup takes 10 minutes:

  • Choose a manager: Bitwarden (free, open source), 1Password (paid, excellent UX), or Dashlane. All store passwords encrypted — even the provider cannot read them.
  • Create one very strong master password — this is the only one you need to memorise. Use a passphrase of 5+ random words.
  • Import or add your existing passwords, then let the manager generate new random passwords when you next log into each site.

After setup, you never need to think about passwords again. The manager generates, saves, and fills them automatically.

FAQ

How long should a password be? Minimum 12 characters for low-stakes accounts, 16+ for email and banking, 20+ for anything generated by a password manager. Length matters more than complexity — 'correcthorsebatterystaple' (25 chars, all lowercase) is stronger than 'P@ssw0rd!' (9 chars, mixed).

Are password managers safe? Yes, when you use a reputable one. Bitwarden, 1Password, and Dashlane use zero-knowledge encryption — your passwords are encrypted on your device before being stored. The provider cannot read your passwords even if their servers are breached. The risk of NOT using a manager (reusing passwords, weak passwords) is far greater.

What makes a password weak? Dictionary words, names, dates, keyboard patterns (qwerty, 123456), anything under 10 characters, and any password you have used before. The most common passwords in breach databases are: 123456, password, 12345678, qwerty, abc123, password1, 111111, and 1234567.

Should I change passwords regularly? Only if you suspect a breach. Mandatory regular changes (every 90 days) make security worse, not better — people respond by making weaker passwords that are easier to remember (Password1, Password2, Password3). Change passwords when a site reports a breach, when you leave a job, or when you share access.

Is two-factor authentication more important than a strong password? Yes. Enable 2FA on every account that offers it, especially email, banking, and social media. Even if an attacker has your password, 2FA blocks them. Use an authenticator app (Google Authenticator, Authy) rather than SMS for stronger 2FA.

Try it yourself

Password Generator

Create long, random passwords locally in your browser.

Try it yourself

Password Strength Checker

Score a password for length, complexity, and common-pattern risks.

Explore more tools in the Tools Directory.
Browse all articles →