HomeArticlesHow ToGenerate a Strong Password
HOW TO

How to Generate a Strong Password

Learn what makes a password strong — length, character sets, uniqueness — and how to generate one instantly with a free online password generator.

Updated 2026-06-26

Free calculators used in this guide

Password GeneratorPassphrase GeneratorPIN Generator

Overview

A strong password is not about memorable substitutions — swapping letters for numbers, capitalising the first character, or adding an exclamation mark at the end. These patterns are well-known to attackers and are among the first rules applied in modern cracking tools. A genuinely strong password is long, random, and unique to each account.

This guide explains what actually makes a password strong (the mathematics behind it), walks through the two main approaches (random character strings versus passphrases), and covers the infrastructure you need to make strong, unique passwords practical across hundreds of accounts. Use the Password Generator to create a secure password immediately, or continue reading to understand the reasoning behind best practices.

What You Need

  • A password manager (essential — described below)
  • Access to a cryptographically secure password generator
  • 2FA (two-factor authentication) enabled on your most critical accounts

Step 1: Understand What Makes a Password Strong

Password strength is measured in entropy — specifically, how many possible combinations an attacker would need to try before finding your password by brute force.

The two variables that determine strength are:

  1. Length — more characters means exponentially more combinations
  2. Character set size — using more types of characters means more possibilities per position

The relationship is: Number of combinations = charset_size ^ length

A 8-character password using only lowercase letters (26 characters): 26^8 = 208 billion combinations. Powerful hardware can crack this in hours.

A 16-character password using uppercase, lowercase, digits, and symbols (95 characters): 95^16 = a number with 31 digits. Cracking by brute force would require billions of years with any conceivable current technology.

The practical rule: length matters more than complexity. A 20-character lowercase-only password (26^20 = 19 septillion combinations) is stronger than a 10-character password using all character types (95^10 = 59 quadrillion combinations).

That said, using all character types alongside sufficient length provides the best combination of strength and resistance to rule-based attacks (which target predictable patterns in human-chosen passwords).

Step 2: Choose Between a Random Password and a Passphrase

There are two valid approaches to generating a strong credential:

Random character passwords draw from the full character set (uppercase, lowercase, digits, symbols) to maximise entropy per character. A 16-character random password like kR9@mQz#4Np&Wv2L has approximately 105 bits of entropy. This is the best choice for most accounts — especially those stored in a password manager where you never need to remember or type the password manually.

Passphrases are sequences of random words — for example, village-marble-frozen-trumpet. Generated from the Diceware word list (7,776 words), each word contributes approximately 12.9 bits of entropy. A four-word passphrase provides ~51.7 bits; a five-word passphrase provides ~64.6 bits. Passphrases are easier to type on mobile, easier to remember, and are an excellent choice for your password manager's master password (which you must memorise) or for accounts you enter manually. Use the Passphrase Generator to create one.

Both approaches are significantly stronger than any human-invented password.

Step 3: Generate a Password

Use a cryptographically secure generator — not a manual process, not keyboard mashing, and not a pattern you invent yourself. Human beings are poor random number generators; patterns leak in without conscious awareness.

For a standard strong password:

  • Minimum 16 characters
  • Include all four character types (uppercase, lowercase, digits, symbols)
  • No repeating characters (some generators can enforce this)

For a PIN or numeric code: Use the PIN Generator to create a truly random numeric PIN, avoiding common patterns like 1234, 0000, or year-based combinations.

The Password Generator on this site uses the browser's built-in crypto.getRandomValues() API — a cryptographically secure pseudorandom number generator (CSPRNG) that produces statistically random output. Never use a password generator that runs on a server and transmits your password over a network.

One critical rule: generate a different password for every account. The password for your email address should be different from your bank, which should be different from your social media, which should be different from every other service you use. This is the most important single password security practice.

Step 4: Store It in a Password Manager

The reason most people reuse passwords is that memorising dozens of unique 16-character random strings is impossible. A password manager solves this completely — it is the single technology change that most meaningfully improves password security for ordinary users.

A password manager:

  • Generates strong unique passwords for each new account
  • Stores them in an encrypted vault that only you can access
  • Auto-fills credentials in your browser and on mobile
  • Alerts you if a stored password appears in a known data breach

Your vault is encrypted with your master password using strong encryption (typically AES-256). No one — including the password manager company — can read your passwords. The master password is the only one you need to remember or create manually (use a five-word passphrase for this).

Well-regarded options include Bitwarden (open source, strong free tier), 1Password, and Dashlane. All three support cross-device sync, browser extensions, and mobile apps.

Step 5: Enable 2FA Alongside Your Password

A strong password alone is not sufficient for your most critical accounts. Phishing attacks, malware keyloggers, and social engineering can compromise credentials regardless of their strength. Two-factor authentication (2FA) requires a second piece of evidence — something you have, not just something you know — to complete a login.

2FA options by security level (strongest to weakest):

  1. Hardware security keys (FIDO2/WebAuthn) — physical devices (YubiKey, Google Titan) that are phishing-proof. The browser cryptographically verifies the site before the key responds.
  2. Authenticator apps (TOTP) — time-based one-time codes from apps like Google Authenticator, Authy, or your password manager. Resistant to SIM-swap attacks.
  3. SMS one-time codes — vulnerable to SIM-swap attacks but still substantially better than no 2FA.

Enable 2FA on every account that supports it, starting with: your email account (highest priority — email is used to reset every other password), your password manager, your bank and investment accounts, and your primary social media accounts.

Common Mistakes to Avoid

Reusing passwords. This is the most dangerous and most common mistake. Data breaches expose billions of credentials every year. If you reuse a password across sites, a breach at any one of them exposes your account everywhere else. There is no such thing as a "safe" site to reuse passwords on.

Making slight modifications to old passwords. Password1Password2Password! is a known attack pattern. Rule-based cracking tools try every common variation of dictionary words and previously breached passwords. Modifying an old password does not make it meaningfully stronger.

Using personal information. Your name, partner's name, pet's name, birthday, anniversary, address, or favourite sports team are the first things attackers try. This information is often publicly available on social media, making personalised password guessing a practical attack vector.

Writing passwords in plain text. A sticky note, a text file named "passwords.txt", or a spreadsheet is not acceptable storage. If someone accesses your computer, phone, or cloud storage, all passwords are immediately compromised. Use a password manager's encrypted vault exclusively.

Trusting browser-saved passwords without a master password. Most browser password stores are not encrypted with a user-specific master password by default. Anyone with access to your unlocked computer can view all saved passwords via browser settings. A dedicated password manager provides stronger protection.

Formula & Methodology

Password entropy: Entropy (bits) = length × log₂(charset_size)

Common entropy values:

Configuration Entropy
8 chars, lowercase only 37.6 bits
12 chars, uppercase + lowercase 68.5 bits
16 chars, all ASCII printable (95 chars) 105 bits
20 chars, all ASCII printable (95 chars) 131 bits
4-word Diceware passphrase 51.7 bits
5-word Diceware passphrase 64.6 bits
6-word Diceware passphrase 77.5 bits

Security researchers generally consider 80+ bits of entropy to be computationally infeasible to crack by brute force with current technology. A 16-character password using the full printable ASCII character set (105 bits) provides substantial headroom above this threshold.

The Password Generator defaults to 16 characters using all four character classes, producing passwords in the 100+ bit entropy range suitable for all ordinary account types.

Related Articles

BEST OF

Best Password Generators Online 2026

GUIDE

API Security Guide — Keys, Auth & Best Practices

HOW TO

How to Decode a JWT Token

COMPARISON

MD5 vs SHA-256 vs bcrypt — Hashing Algorithm Comparison

GUIDE

Security & Identity Validators: Passwords, Barcodes & Crypto Addresses