Most password advice people absorbed years ago — add a number, capitalize a letter, throw in a symbol — turns out to be only weakly correlated with how resistant a password actually is to modern cracking techniques. Meanwhile, data breach after data breach keeps revealing the same depressingly common passwords at the top of every leaked list, year after year, regardless of how many companies require a "special character."
This guide explains what genuinely makes a password hard to crack, why length matters more than most people think, and how to use our free Password Generator and Password Strength Checker to actually improve your security rather than just checking a compliance box.
Why Length Matters More Than Complexity
Password cracking, when it happens at scale, is almost always a brute-force or dictionary-based math problem: an attacker's software tries combinations until one works, and the total number of possible combinations (the "keyspace") determines how long that takes. Every additional character in a password multiplies the keyspace, while adding a few more symbol options to an already-short password barely moves the needle by comparison.
Concretely: an 8-character password using upper/lowercase letters, numbers, and symbols has roughly 6.6 quadrillion possible combinations. A 16-character password using only lowercase letters has roughly 26^16 combinations — a number so much larger it's not a fair comparison at all. This is the entire reasoning behind the modern security industry's shift toward recommending long passphrases over short, complex-looking passwords: length scales the keyspace exponentially, while symbol requirements scale it only marginally, and short complex passwords are also far more likely to follow predictable human patterns (capital letter first, number and symbol at the end) that cracking software specifically accounts for.
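As an added illustration (not from the original guide), the keyspace arithmetic behind the two comparisons above, in JavaScript; the 10^10 guesses-per-second rate is an assumed figure for a fast offline attack on a weak hash, not a measurement.

```javascript
const ASSUMED_GUESSES_PER_SECOND = 1e10; // assumption: fast offline attack on a weak hash

// Number of possible passwords for a given alphabet size and length, exact via BigInt.
function keyspace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Bits of entropy for a uniformly random password: log2(alphabetSize^length).
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Expected seconds to find a uniformly random password: on average half the
// keyspace has to be searched before the right guess comes up.
function expectedCrackSeconds(alphabetSize, length, rate = ASSUMED_GUESSES_PER_SECOND) {
  return Number(keyspace(alphabetSize, length)) / 2 / rate;
}

function humanDuration(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toFixed(1)} ${name}`;
  }
  return `${seconds.toFixed(1)} seconds`;
}

// How much the keyspace grows from one extra character versus from widening the
// alphabet (e.g. letters+digits -> letters+digits+symbols) at the same length.
function growthFactors(alphabetSize, widerAlphabetSize, length) {
  const base = keyspace(alphabetSize, length);
  return {
    oneMoreCharacter: Number(keyspace(alphabetSize, length + 1) / base),
    widerAlphabet: Number(keyspace(widerAlphabetSize, length) / base),
  };
}

// The two cases the text compares: 8 chars over 95 symbols vs 16 lowercase letters.
const cases = [["8 chars, full 95-symbol set", 95, 8], ["16 chars, lowercase only", 26, 16]];
for (const [label, size, len] of cases) {
  console.log(label, keyspace(size, len).toString(), entropyBits(size, len).toFixed(1) + " bits",
    humanDuration(expectedCrackSeconds(size, len)));
}
// A 9th character multiplies a 62-symbol keyspace by 62; adding 33 symbols only by ~30.
console.log(growthFactors(62, 95, 8));
```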
What Actually Makes a Password Weak
- Reuse across multiple accounts. This is arguably the single biggest real-world risk. If one service you use is breached and your password leaks, attackers immediately try that same password on your email, banking, and other accounts — a technique called credential stuffing that accounts for a huge share of real-world account takeovers.
- Personal information. Birthdays, pet names, children's names, and sports teams are all guessable from public social media activity and are specifically tested by sophisticated cracking attempts that target an individual rather than brute-forcing randomly.
- Common substitution patterns. Swapping "a" for "@" or "o" for "0" feels clever but is so universally common that cracking dictionaries already account for these substitutions as a standard step — "P@ssw0rd" is not meaningfully stronger than "Password" against real attack tools.
- Short length, regardless of complexity. As covered above, an 8-character password is now considered crackable within hours by dedicated hardware for many hash types, no matter how many symbol types it mixes in.
How to Generate a Genuinely Strong Password
The most reliable approach is to let a generator create something random rather than inventing one yourself — human-generated "random" passwords are measurably less random than people assume, since our brains default to familiar patterns even when trying to be unpredictable. Our Password Generator creates truly random passwords using your browser's cryptographically secure random number generator, with adjustable length and character set options. A few practical settings to use:
- For most accounts: 16+ characters, mixing upper/lowercase letters, numbers, and symbols where the site allows it.
- For your most critical accounts (primary email, password manager master password, banking): go even longer — 20-24 characters — since these accounts are often the gateway to resetting access everywhere else.
- For anything you need to type manually and remember rather than store in a password manager, consider a passphrase instead — four or five random, unrelated words strung together (e.g., "harbor-violet-kettle-marathon") are both easier to remember and harder to crack than a shorter string of random characters, purely due to total length.
Why You Should Check Password Strength Before Committing to One
Our Password Strength Checker evaluates a password against several factors beyond simple length — checking for common patterns, dictionary words, keyboard-adjacent sequences (like "qwerty" or "asdf"), and repeated characters — and gives you a realistic estimate of how resistant it actually is. This is especially useful for passwords you need to create manually for situations where a generated random string isn't practical, like a Wi-Fi password you'll need to read aloud to guests, or a shared team password that several people need to type from memory.
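An added example, not the checker's own code, showing the kinds of pattern checks described here together with the substitution point from the list above; the word list, keyboard rows and penalty sizes are constructed for illustration, and a real checker draws on far larger breached-password lists.

```javascript
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
const COMMON_WORDS = ["password", "welcome", "letmein", "dragon", "monkey", "football"]; // constructed sample
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// Undo the substitutions cracking dictionaries already try as a standard step,
// so "P@ssw0rd" is compared against the word list as "password".
function normalizeLeet(pw) {
  return pw.toLowerCase().replace(/[@431!0$57]/g, (c) => LEET[c]);
}

function findings(pw) {
  const issues = [];
  const lower = pw.toLowerCase();
  const norm = normalizeLeet(pw);
  for (const w of COMMON_WORDS) if (norm.includes(w)) issues.push(`dictionary word: ${w}`);
  // Keyboard-adjacent runs of four, forwards or backwards, checked on the raw text.
  const rows = KEYBOARD_ROWS.flatMap((r) => [r, [...r].reverse().join("")]);
  for (const row of rows) {
    for (let i = 0; i + 4 <= row.length; i++) {
      const seq = row.slice(i, i + 4);
      if (lower.includes(seq)) { issues.push(`keyboard sequence: ${seq}`); break; }
    }
  }
  if (/(.)\1{2,}/.test(pw)) issues.push("repeated character run");
  if (pw.length < 12) issues.push("shorter than 12 characters");
  return issues;
}

// Naive charset entropy minus a rough penalty per finding (the 20-bit penalty is
// illustrative). This charset model overstates a passphrase: its real entropy
// comes from the number of words chosen, not from the characters on screen.
function estimateBits(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) alphabet += 33;
  return Math.max(0, pw.length * Math.log2(alphabet || 1) - 20 * findings(pw).length);
}

function rate(pw) {
  const bits = estimateBits(pw);
  const label = bits < 40 ? "weak" : bits < 70 ? "fair" : "strong";
  return { bits: Math.round(bits), label, issues: findings(pw) };
}

for (const pw of ["P@ssw0rd", "qwerty123", "harbor-violet-kettle-marathon"]) console.log(pw, rate(pw));
```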
The Single Highest-Impact Security Habit: Using a Password Manager
Strong, unique, randomly-generated passwords for every account are only practical if you're not relying on memory for all of them. A password manager generates and stores a unique strong password for every single account behind one master password (or biometric unlock), which solves the reuse problem entirely — you genuinely don't need to remember dozens of different passwords if a manager is handling that for you. Combined with strong, unique passwords per account, this single habit eliminates the vast majority of real-world account compromise scenarios that stem from password reuse after an unrelated breach.
Two-Factor Authentication: The Second Layer
Even an excellent password benefits from a second layer of protection. Two-factor authentication (2FA) requires a second proof of identity beyond the password alone — typically a time-based code from an authenticator app, or increasingly a hardware security key. This means that even if your password is somehow compromised through a breach, phishing attempt, or malware, an attacker still can't access the account without also having your second factor. Enabling 2FA on email, banking, and any account that supports it is widely considered one of the single highest-leverage security improvements available to an ordinary person, and it's typically free and takes under five minutes to set up per account.
Special Cases: Shared, Temporary, and Family Passwords
Not every password fits the "generate it randomly, store it in a manager, never think about it again" model cleanly. A few common situations need slightly different handling: a guest Wi-Fi password that needs to be readable and easy to type by hand benefits from being a memorable passphrase rather than a fully random string; a temporary password issued to a new employee or contractor should be set to require a forced change on first login, so the temporary value never becomes the permanent one by default; and household streaming or shared service passwords, where multiple family members need access, are a reasonable case for a slightly more memorable passphrase rather than the maximum-entropy random string you'd use for a banking login, since the practical risk profile and consequences of compromise are different.
What a Strength Checker Can (and Can't) Tell You
A strength checker is a useful sanity check, but it has a fundamental limitation worth understanding: it can only evaluate a password's structure and check it against known common patterns and breached-password lists — it cannot know whether you've already reused this exact password somewhere else, and it cannot retroactively protect an account if the password was already compromised in a past breach you're unaware of. Strength checking and breach monitoring are complementary, not interchangeable — a strong, well-structured password that happens to already be sitting in a leaked database from an old account is still a risk that strength alone won't catch.
Recognizing When a Password Needs to Change Immediately
A few specific signals mean a password should be changed right away rather than at your next routine update: you receive a breach notification naming a service you use, you notice unfamiliar login activity or account changes you didn't make, you've ever shared the password with someone else for a one-time purpose (a contractor, a family member helping with a setup), or you discover you've been reusing the same password across multiple accounts. Acting immediately in these situations — rather than waiting — closes the window of opportunity for credential stuffing attacks that specifically rely on speed before victims realize a breach has happened.
Putting It All Together
None of these individual practices need to feel overwhelming if you build them in gradually rather than trying to fix everything at once: start with your email and password manager (since these protect everything else), enable two-factor authentication on both, then work through other accounts over time, replacing reused or weak passwords with generated, unique ones as you go. The combination of unique strong passwords, a password manager to make that practical, and two-factor authentication on critical accounts addresses the overwhelming majority of how ordinary accounts actually get compromised in practice — far more effectively than any single complex password ever could on its own.