Weak passwords are still the number one cause of account breaches. Here’s what makes a password strong and how to generate ones you can actually manage.
What makes a password strong?
A strong password has three properties:
- Length — At least 16 characters. Each additional character multiplies the number of possible combinations, so the search space grows exponentially with length
- Randomness — No dictionary words, patterns, or personal information
- Character variety — Mix of uppercase, lowercase, numbers, and symbols
How long does it take to crack?
Assuming a fast cracking setup (10 billion guesses per second):
| Password | Time to crack |
|---|---|
| `password` | Instant |
| `P@ssw0rd` | Minutes |
| `Xk9#mL2p` (8 chars) | Hours |
| `Xk9#mL2pQw4!` (12 chars) | Centuries |
| `Xk9#mL2pQw4!nR7&` (16 chars) | Longer than the universe |
Length matters far more than complexity. A 20-character password using only lowercase letters is stronger than an 8-character password with every character type.
Common password mistakes
Using personal information
- Birthdays, pet names, addresses — all easily found on social media
- `fluffy2024` is not a password, it’s an invitation
Pattern-based passwords
- `qwerty`, `123456`, `password1` — these are in every cracking dictionary
- Keyboard patterns (`zxcvbn`, `1qaz2wsx`) are also well-known
Reusing passwords
- When one site gets breached, attackers try your credentials everywhere else
- This is called credential stuffing and it’s extremely common
Simple substitutions
- `p@$$w0rd` is not clever. Crackers test common substitutions (`a→@`, `s→$`, `o→0`) automatically
What to actually do
1. Use a password manager
Store all your passwords in an encrypted vault. You only need to remember one master password. Popular options: Bitwarden (free/open-source), 1Password, KeePass.
2. Generate random passwords
Let a generator create passwords for you. A random 20-character string is stronger than anything you’d come up with.
3. Use passphrases for memorable passwords
Need to type it manually? Use a passphrase — 4-6 random words:
correct-horse-battery-staple
timber-plaza-motion-crystal-seven
Passphrases are long (strong) and memorable. But the words must be truly random, not a meaningful sentence.
4. Enable two-factor authentication (2FA)
Even a strong password can be phished. 2FA adds a second layer. Use an authenticator app (not SMS).
Password requirements are often wrong
Many sites require exactly:
- One uppercase letter
- One number
- One special character
- 8-12 character limit
This actually reduces the search space because attackers know the constraints. A long random password without artificial constraints is stronger.
Generating passwords
A browser-based password generator creates cryptographically random passwords using the Web Crypto API (crypto.getRandomValues). This is the same randomness source used by security software.
Customize length, character types, and generate in bulk. No passwords are stored or transmitted — everything happens in your browser.
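The following is an added example, not the code of any particular generator: it draws each character from `crypto.getRandomValues` using rejection sampling so that no character is favoured by modulo bias, and includes an entropy helper for comparing length against character variety. The character sets and the names `SETS`, `randomIndex`, `generatePassword` and `entropyBits` are assumptions made for illustration.

```javascript
// Added example: the character sets below are illustrative assumptions.
const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.?',
};

// Browsers and current Node expose Web Crypto globally; older Node needs require().
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n). Values at or above the largest multiple of n
// that fits in 32 bits are rejected, so `% n` introduces no modulo bias.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError('bad range');
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Each character is drawn independently from the combined alphabet.
function generatePassword(length = 20, sets = Object.keys(SETS)) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError('bad length');
  const alphabet = sets.map((name) => {
    if (!Object.hasOwn(SETS, name)) throw new Error(`unknown set: ${name}`);
    return SETS[name];
  }).join('');
  if (alphabet.length === 0) throw new Error('no character sets selected');
  let out = '';
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// 20 random lowercase letters vs. 8 characters from all 95 printable ASCII.
console.log(generatePassword(20), entropyBits(20, 26).toFixed(1), entropyBits(8, 95).toFixed(1));
```

The entropy figures only hold for passwords produced this way, with every character chosen uniformly at random; they do not apply to human-chosen strings of the same length.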