Most password advice is dated. “One uppercase, one number, one symbol” rules push people toward predictable patterns like Password1! that attackers crack in seconds. Here is what actually makes a password strong, and how to make one in a few seconds.
Length is what matters most
A password’s strength comes from how many guesses it would take to find it. Every extra character multiplies that number. A short password full of symbols is weaker than a long one made of plain words, because length grows the search space far faster than complexity does.
Aim for at least 16 characters. If a site allows it, longer is better. For a password you have to type often, a long random string from a password manager is ideal; for one you must remember, a passphrase of four or five unrelated words works well.
Random beats clever
Humans are bad at being random. We lean on names, dates, keyboard patterns, and common substitutions (@ for a, 0 for o) that attackers already account for. A generator using your browser’s secure random source produces something with no pattern to exploit.
- Open the Password Generator.
- Set the length to 16 or more and include the character types the site accepts.
- Copy the result straight into your password manager.
It runs entirely in your browser, so the password is never sent anywhere.
Use a manager, and never reuse
The single biggest risk is reuse. When one site is breached, attackers try that same email and password everywhere else. A password manager removes the need to remember or reuse: it stores a unique, long, random password for every account and fills them in for you.
- Use a different password for every site.
- Turn on two-factor authentication where it is offered.
- Change a password only when you have a reason to (a breach, or a shared secret), not on an arbitrary schedule.
Quick checklist
- 16+ characters
- Random, not based on personal info
- Unique per site
- Stored in a password manager
- Backed by two-factor authentication
Related tools
- Check an existing password’s strength with the Password Strength Checker.
- Generating WordPress secrets? Use the WordPress Salt Generator.
- Need a hash instead of a password? Try the Hash Generator.
Strong passwords are not about memorising clever tricks. Make them long, make them random, store them safely, and let a generator do the hard part.