What actually makes a password strong
For years people were taught that a strong password meant cramming in a capital, a number and a symbol — something like P@ssw0rd!. That advice is now considered outdated and, worse, counterproductive. It produces passwords that are hard for humans to remember but easy for computers to guess. The real measure of strength is entropy: the total number of possibilities an attacker would have to try. Two things drive entropy — length and unpredictability — and length is by far the more powerful of the two.
Why length beats complexity
Each character you add multiplies the number of possible passwords. Adding character types only widens the alphabet a little; adding length compounds. A purely lowercase password of 16 characters has vastly more combinations than a chaotic 8-character password using every symbol on the keyboard, simply because the search space grows exponentially with length.
| Password | Length | Rough strength |
|---|---|---|
| P@ssw0rd! | 9 | Weak — based on a dictionary word |
| Tr0ub4dor&3 | 11 | Weak — predictable substitutions |
| correct horse battery staple | 28 | Strong — long and random words |
| 7xQ!mP2vLkZ9rT4w | 16 | Very strong — long and random |
This is the logic behind the passphrase: four or five random, unrelated words. It is long enough to be extremely hard to crack, yet far easier for a person to remember than a short string of gibberish. The key word is random — a famous song lyric or a common phrase has almost no entropy because attackers feed exactly those into their guessing tools.
How passwords are really broken
Attackers almost never sit and type guesses. They work offline against stolen databases and at enormous speed, which is why the math matters:
- Credential stuffing. They take passwords leaked from one breached site and try them on others. This is why reuse is the single most dangerous habit — one breach unlocks every account sharing that password.
- Dictionary attacks. They try common words, names, and predictable substitutions (a→@, o→0) first, which is why “clever” tweaks of real words fail.
- Brute force. They try every combination. This is the one that pure length defeats — each extra character can multiply the cracking time by orders of magnitude.
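The entropy argument from "Why length beats complexity" and the dictionary-attack point above, worked through in code. This is an added example, not code from the original page: the alphabet sizes (26/26/10/32), the 7776-word list size and the tiny "leaked" set are assumptions constructed for the example, and the leaked set deliberately contains the base words behind the weak rows of the table so the normalisation step has something to hit.

```python
import math
import re

# Alphabet sizes for a US keyboard (constructed for this example):
# 26 lowercase, 26 uppercase, 10 digits, 32 printable symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
FULL = LOWER + UPPER + DIGITS + SYMBOLS  # 94
# Assumed size of a Diceware-style wordlist (6**5 = 7776 words).
WORDLIST_SIZE = 7776

# Constructed stand-in for the leaked-password corpora attackers feed into their
# tools; real lists hold hundreds of millions of entries. It deliberately contains
# the base words behind the weak entries in the table above.
LEAKED = {"password", "troubador", "qwerty", "letmein", "monkey", "123456"}

# Reverse of the predictable substitutions the text mentions (a->@, o->0, ...).
UNSUBSTITUTE = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                              "4": "a", "5": "s", "$": "s", "7": "t"})


def char_entropy_bits(length, alphabet_size):
    """Bits of entropy when every character is drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words, wordlist_size=WORDLIST_SIZE):
    """Bits of entropy when every word is drawn uniformly from the wordlist."""
    return words * math.log2(wordlist_size)


def naive_alphabet(password):
    """Alphabet size implied by the character classes that appear in the string."""
    size = 0
    if re.search(r"[a-z]", password):
        size += LOWER
    if re.search(r"[A-Z]", password):
        size += UPPER
    if re.search(r"[0-9]", password):
        size += DIGITS
    if re.search(r"[^a-zA-Z0-9]", password):
        size += SYMBOLS
    return size


def normalise(password):
    """Apply the same rules a cracking tool would: lower-case, drop the trailing
    digits/symbols, undo the leet substitutions, keep only the letters."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    base = base.translate(UNSUBSTITUTE)
    return re.sub(r"[^a-z]", "", base)


def assess(password):
    """Return (naive_bits, dictionary_hit).

    naive_bits is the figure a 'count the character classes' meter would show;
    it is only honest if the password was generated uniformly at random. A
    dictionary hit means the password falls to a guessing list long before any
    brute-force search reaches naive_bits worth of work."""
    naive = char_entropy_bits(len(password), naive_alphabet(password))
    return round(naive, 1), normalise(password) in LEAKED


if __name__ == "__main__":
    print("length vs complexity (uniformly random choice):")
    print(f"  16 lowercase letters   : {char_entropy_bits(16, LOWER):.1f} bits")
    print(f"   8 chars, full keyboard: {char_entropy_bits(8, FULL):.1f} bits")
    print(f"   4 random words        : {passphrase_entropy_bits(4):.1f} bits")
    print(f"   5 random words        : {passphrase_entropy_bits(5):.1f} bits")
    print("\nthe table's examples:")
    for pw in ("P@ssw0rd!", "Tr0ub4dor&3", "7xQ!mP2vLkZ9rT4w"):
        bits, hit = assess(pw)
        verdict = "falls to a dictionary attack" if hit else "needs a brute-force search"
        print(f"  {pw:<18} naive {bits:>6} bits, {verdict}")
    # The string-based meter overstates a passphrase: entropy is a property of
    # how the secret was chosen, not of the string you end up with.
    bits, _ = assess("correct horse battery staple")
    print(f"\n  passphrase meter says {bits} bits; 4 words from a 7776-word list "
          f"is really {passphrase_entropy_bits(4):.1f} bits")
```

Two things the numbers make concrete: 16 random lowercase letters (75 bits) beat 8 random characters from the whole keyboard (52 bits), and a class-counting meter rates P@ssw0rd! at 59 bits even though the normalisation step reduces it to "password" in one move. Any strength check you deploy should run that kind of normalisation against a real breach corpus rather than trusting the character-class count.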
A practical system that works
You cannot manually invent and memorize a long, unique, random password for every account — and you should not try. The realistic system most security experts now recommend has three parts:
- Use a password manager. It generates and stores a long random password for every site, so you only ever remember one strong master passphrase.
- Make every password unique. Uniqueness, more than complexity, is what contains the damage when any single site is breached.
- Turn on two-factor authentication. Even a perfect password can leak; a second factor means a stolen password alone is not enough to get in.
For the few passwords you must memorize — your device login, your password-manager master key — use a long random passphrase. For everything else, let a generator do it. Our password generator creates long, high-entropy passwords with the character rules you choose, entirely in your browser so the result is never sent anywhere.
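A minimal generator for the system just described, written as an added example rather than the page's own generator: a random passphrase for the few secrets you memorize and a random character password, with selectable character rules, for everything else. The 16-word list, the symbol set and the function names are constructed for the example; a real wordlist has thousands of entries, which is what gives each word its roughly 12.9 bits.

```python
import math
import secrets
import string

# Constructed 16-word stand-in for a Diceware-style wordlist. A real list has
# thousands of words (Diceware: 7776), which makes each word worth ~12.9 bits;
# with only 16 words each word adds just 4 bits, as entropy_bits() shows.
WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "canyon",
         "lantern", "pepper", "glacier", "tunnel", "walnut", "meadow", "cobalt",
         "ribbon", "quartz"]

# Character classes a user can switch on or off, mirroring the "character rules
# you choose" of a generator (the symbol set is an assumption).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def entropy_bits(choices, draws):
    """Entropy of `draws` independent uniform picks from `choices` options."""
    return draws * math.log2(choices)


def alphabet_size(classes):
    """Number of distinct characters in the union of the chosen classes."""
    return sum(len(CLASSES[c]) for c in classes)


def random_password(length=16, classes=("lower", "upper", "digits", "symbols"),
                    require_each=True):
    """Draw every character uniformly from the union of the chosen classes.

    Uses the `secrets` module (the OS CSPRNG), never `random`, whose output is
    predictable. If require_each is set, candidates missing a class are thrown
    away and redrawn (rejection sampling), which keeps the accepted passwords
    uniformly distributed over the set that satisfies the site's rule; the
    entropy is then very slightly below entropy_bits(alphabet_size, length)."""
    if not classes:
        raise ValueError("at least one character class is required")
    if require_each and length < len(classes):
        raise ValueError("length too short to contain every requested class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or all(any(ch in CLASSES[c] for ch in candidate)
                                   for c in classes):
            return candidate


def random_passphrase(words=5, wordlist=WORDS, separator=" "):
    """Pick `words` words uniformly and independently. Repeats are allowed,
    which is exactly what makes the entropy figure words * log2(len(wordlist))."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = random_password(16)
    print(f"site password : {pw}")
    print(f"  ~{entropy_bits(alphabet_size(CLASSES), 16):.1f} bits "
          f"from {alphabet_size(CLASSES)} characters x 16")
    pin = random_password(6, classes=("digits",), require_each=False)
    print(f"numeric code  : {pin}  (~{entropy_bits(10, 6):.1f} bits)")
    pp = random_passphrase(5)
    print(f"passphrase    : {pp}")
    print(f"  {entropy_bits(len(WORDS), 5):.1f} bits from this toy list; "
          f"{entropy_bits(7776, 5):.1f} bits with a 7776-word list")
```

The one design choice worth copying is the rejection loop: when a site insists on "at least one digit and one symbol", resampling whole candidates until the rule holds avoids the bias you get from forcing a digit into a fixed position, and the cost is a handful of extra draws at most.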