How to create a strong password
Make it long, at least 16 characters. Make it random, which means a generator picks it, not your brain. Make it unique, one password per account, never reused. Then store it in a password manager so you never have to remember it. That is the entire method. Everything below is the how and the why.
The three properties that matter
A strong password has three properties: length, randomness, and uniqueness. Length sets the size of the search space an attacker has to cover. Randomness makes sure they actually have to cover all of it. Uniqueness limits the damage when one site leaks. Miss any one of the three and the other two cannot save you.
Strength is measured in bits of entropy, and every extra character multiplies the attacker's work. Using the standard attack model on this site (an offline attacker testing 10 billion guesses per second, cracking after half the keyspace on average), a random password built from letters, digits, and symbols holds up like this:
| Length | Entropy | Average time to crack |
|---|---|---|
| 8 characters | 51 bits | About 2 days |
| 10 characters | 64 bits | About 35 years |
| 12 characters | 77 bits | About 259,000 years |
| 16 characters | 103 bits | About 14 trillion years |
| 20 characters | 129 bits | Longer than the universe has existed |
Those numbers only hold if the password is genuinely random. People are terrible at random. We capitalize the first letter, put the digits and the exclamation mark at the end, and pick words we know. Cracking software tries exactly those patterns first, so a human invention like Summer2026! has a tiny fraction of the strength its length suggests. There is more on picking the right length in our guide on how long a password should be.
Uniqueness is the third leg. Attackers take username and password pairs from one breached site and replay them against hundreds of others, a technique called credential stuffing. If you reuse a password, a leak at some forum you forgot about becomes a working key to your email. One password per account, no exceptions, and a manager to remember them all.
Two good ways to make one
There are two reliable methods. Use a random character string from a generator for anything your password manager fills automatically, and use a passphrase of five or more random words for the few secrets you type by hand, such as the master password for the manager itself. Both beat anything a human invents.
For random strings, our free strong password generator builds them entirely in your browser with the Web Crypto API. It makes zero network requests during generation, which you can verify yourself in the DevTools network tab. Set it to 16 or 20 characters with all character types on and you get 103 to 129 bits of entropy.
For passphrases, the passphrase generator picks words from the EFF's curated wordlists. Each word from the short list adds about 10.3 bits, so five words gives 52 bits and six gives 62. A phrase like six random words is far easier to type on a phone or a TV remote than sixteen characters of line noise, which is exactly why it earns a place alongside the random string.
Step by step instructions
Both methods take under a minute. Follow the steps for whichever type you need, then save the result in your password manager before you do anything else. The most common failure mode is generating a good password and losing it two minutes later because it was never stored anywhere.
Option 1, a random password from a generator
- Open the strong password generator on our homepage.
- Set the length to 16 characters minimum. Use 20 if the site accepts it; longer costs you nothing when a manager does the typing.
- Keep uppercase, lowercase, digits, and symbols all switched on. If a site rejects symbols, use the no symbols generator and add a couple of characters of length instead.
- Click generate, then copy the result.
- Save it to your password manager first, then paste it into the site's password field.
- Let the manager autofill it from now on. Never retype it from memory, and never trim it down to something memorable.
Option 2, a passphrase of five or more words
- Open the passphrase generator.
- Set the word count to five as a floor. Use six or seven for anything that could face an offline attack, like a password manager vault or disk encryption.
- Regenerate as many times as you like. Every result is equally random, so rerolling costs you nothing.
- Pick a separator you can type easily on a phone keyboard, such as a period or a hyphen.
- Type it out three or four times to build muscle memory, and keep a copy in your manager as backup.
What the standards say
NIST recommends at least 15 characters for accounts protected by a password alone, with 8 as the floor when multi factor authentication is on. CISA recommends 16 or more characters, or a memorable passphrase of 4 to 7 unrelated words. Neither recommends forced symbol rules or scheduled password changes anymore.
The details are worth knowing. NIST SP 800-63B also tells sites to accept passwords of at least 64 characters, to drop composition rules (the mandatory uppercase, digit, and symbol checkboxes), and to stop forcing rotation unless there is evidence of compromise. Decades of forced quarterly changes taught people to append a 1 and increment it, which helped attackers more than it hurt them.
CISA's Secure Our World program pairs its length advice with four core behaviors: use a password manager, turn on multi factor authentication, recognize and report phishing, and keep software updated. A strong password is one leg of that table, not the whole thing.
Do this, not that
Let software do the generating and the remembering, add a second factor, and never reuse a password. Nearly everything that goes wrong with passwords traces back to a person inventing something memorable, or reusing one because remembering dozens of unique passwords is impossible without a manager.
| Do | Don't |
|---|---|
| Generate every password with a random generator | Invent passwords in your head; human choices follow patterns cracking tools try first |
| Store them all in a password manager | Reuse one password across sites; a single breach then opens every account |
| Turn on multi factor authentication wherever it exists | Build passwords from names, birthdays, pets, or anything on your social profiles |
| Use a unique password for every account | Use keyboard walks like qwerty, 1qaz2wsx, or asdfghjkl |
| Use a six word passphrase where you must type by hand | Swap letters for symbols in dictionary words; P@ssw0rd sits in every cracking wordlist |
| Test doubtful passwords with a strength checker | Ask an AI chatbot to make one up |
That last row surprises people, but chatbots are prediction engines, not dice. Ask fifty times and you'll see the same few passwords come back again and again, which is exactly what 2026 testing showed. We break down the findings in should you use AI to generate passwords. Short answer: no.
Worked examples
Numbers make the difference concrete. The table below shows realistic examples with their entropy and the average time to crack them offline at 10 billion guesses per second. Never use a password printed here or anywhere else public; appearing on a web page disqualifies it instantly. Generate your own instead.
| Example (never use these) | Type | Entropy | Average crack time |
|---|---|---|---|
x8Q!mz3Lf%9v | 12 random characters | 77 bits | About 259,000 years |
rT4$wq9;Kp2#nB7u | 16 random characters | 103 bits | About 14 trillion years |
lunar.snack.echo.crust.olive | 5 random words | 52 bits | About 2 days |
ivory.canal.dandy.stump.salsa.wasp | 6 random words | 62 bits | About 8 years |
Fluffy2026! | Human pattern | Far below its length suggests | Minutes; name plus year plus symbol is tried early |
One caveat on the passphrase rows: those times assume an offline attacker holding stolen password hashes. Online attacks against a rate limited login page run millions of times slower, so a five word passphrase remains fine for interactive logins. Reserve six or seven words for vaults and anything else an attacker could grind on at full speed.
What to do this week
Fix the accounts that matter most first: your email, your bank, your password manager's master password, and your main social accounts. Email comes first because whoever controls it can reset almost everything else. Give each one a fresh unique password this week and switch on multi factor authentication while you're in the settings.
That is an evening of work, maybe less, and it covers most of your real risk. After that, replace the rest of your passwords gradually as you log in to things. You don't need a perfect vault by Friday. You need the doors that guard everything else to be the strongest ones you own.