How to Create a Strong Password: Rules, Length, and Examples
Most password advice is outdated. Mandatory special characters and quarterly resets actually make passwords weaker by encouraging predictable patterns. This guide covers what genuinely makes a password secure, and how to use the password generator to create and manage strong passwords across all your accounts.
What Makes a Password Strong?
Password strength is fundamentally about entropy, a measure of how many possible values an attacker would have to try to guess the password. Two factors determine it: the size of the character set and the length.
- Lowercase only (26 chars): 26 possibilities per character
- Mixed case + digits (62 chars): 62 possibilities per character
- Full printable ASCII (~95 chars): 95 possibilities per character
Length compounds these possibilities exponentially. A 12-character password using 95 characters has 95¹² possible values — roughly 5.4 × 10²³. A 16-character password has 95¹⁶ — roughly 4.4 × 10³¹. That is a billion-billion times harder to crack, from just 4 extra characters.
Password Strength vs Length: Which Matters More?
| Password length | Character set | Crack time (offline, fast GPU) | Verdict |
|---|---|---|---|
| 8 chars | Lowercase only | Under 1 minute | Insecure |
| 8 chars | Mixed case + digits + symbols | Hours to days | Weak |
| 12 chars | Mixed case + digits | Weeks | Marginal |
| 16 chars | Mixed case + digits + symbols | Millions of years | Strong |
| 20 chars | Any character set | Effectively uncrackable | Very strong |
| 24+ chars | Any character set | Heat death of the universe | Overkill (fine) |
The practical conclusion: 16 characters with letters and digits beats an 8-character password with every special character you can type. Aim for 16+ characters minimum for important accounts (banking, email, work logins).
Why Common Password Advice Backfires
Mandatory special characters
When forced to add special characters, most people append them predictably: Password1!, Summer2024@. Attackers know this. A rule-based cracker tries these transformations automatically, making the "complex" password no harder than a simple one.
Password expiry policies
The UK NCSC and US NIST both now advise against forced periodic password rotation unless there is evidence of compromise. Mandatory rotation causes users to increment numbers (Password1 → Password2 → Password3) or make minimal changes, which is more predictable than keeping a strong password indefinitely.
Reusing passwords
Credential stuffing attacks use leaked username/password combinations from one breach to access accounts on other sites. If you reuse passwords, a breach at any one site compromises every other account where you used the same credentials. This is how most real-world account takeovers happen — not from brute-force attacks.
How to Manage Strong, Unique Passwords
The only practical way to have a unique, strong password for every account is a password manager. Tools like Bitwarden (free, open source), 1Password, or KeePass store all passwords encrypted behind a single master password. You only need to remember one strong passphrase; the manager handles the rest.
To create strong passwords for each account:
- Open the password generator.
- Set length to 16–20 characters.
- Enable uppercase, lowercase, digits, and symbols.
- Generate and copy directly into your password manager.
- Never reuse the same password across sites.
When Not to Use Random Passwords
Random passwords are best managed by a password manager. For the master password itself — or for passwords you need to type without a manager (e.g. a device login) — a passphrase of four or more unrelated words is both strong and memorable. For example: "correct-horse-battery-staple" is 28 characters, impossible to predict, and easier to type than "K#9mPz@4wQ!2xR$7".
Generate a Strong Password Free
16–64 characters, all character sets, 100% client-side — your password never leaves your browser.