How to Create a Strong Password (That You'll Actually Use)
Creating a strong password sounds simple until you try to remember it. Here is a practical guide that covers what actually makes a password secure, what to avoid and how to handle the storage problem once you have generated something good.
What makes a password strong?
Three things determine how secure a password is: length, randomness and uniqueness. Of these, length has the most impact. A 20-character password made entirely of lowercase letters is harder to crack than an 8-character password with every possible symbol, because the sheer number of possible combinations grows exponentially with each added character.
Randomness matters because human brains are terrible at generating unpredictable sequences. When people try to create a "random" password, they unconsciously follow patterns — starting with a capital letter, ending with a number, using words or names they know. These patterns are well understood by attackers and are systematically tried first in brute-force attacks.
Uniqueness matters because data breaches happen constantly. If you reuse the same password across multiple accounts and one service is compromised, every account that shares that password is now at risk. This attack — called credential stuffing — is responsible for a huge proportion of account takeovers.
Step 1: Choose your length
The US National Institute of Standards and Technology (NIST) recommends passwords of at least 8 characters as an absolute minimum, but that guidance is widely considered outdated. In practice, 16 characters is a sensible minimum for most accounts. For anything high-value — email, banking, your password manager — aim for 20 characters or more.
To give you a sense of scale: an 8-character password using the full printable ASCII character set (94 characters) has roughly 6 quadrillion possible combinations. That sounds large, but a modern GPU can test billions of combinations per second. An 8-character password can fall in minutes. A 20-character password using the same character set has more possible combinations than there are atoms in the observable universe. It will not be cracked in your lifetime.
Step 2: Use a wide character set
Including uppercase letters, lowercase letters, numbers and symbols all at once significantly increases the pool of possible characters for each position in your password. A password that draws from 94 possible characters at each position is substantially harder to crack than one drawing from 26.
The main caveat: some websites restrict which characters you can use. Banking sites in particular often disallow symbols entirely, which is frustrating from a security perspective. In those cases, compensate with extra length.
Step 3: Avoid predictable patterns
Even a long password can be weak if it follows a predictable structure. Here are the patterns that attackers test first:
- Dictionary words in any language, including common substitutions like @ for a or 3 for e
- Names — your own name, family members, pets, sports teams or celebrities
- Dates — birthdays, anniversaries or years
- Keyboard walks — sequences like qwerty, 12345 or zxcvbn
- Anything from your social media profile
- The name of the service you are signing up to
The problem with all of these is that they are predictable enough to appear in wordlists that attackers use. A password like P@ssw0rd! follows every standard complexity rule and would still be cracked in seconds because it is in every attacker's dictionary.
Step 4: Generate it — do not invent it
The most reliable way to get a truly random password is to let a cryptographically secure generator create it for you. Human attempts at randomness consistently fail because our brains look for patterns and symmetry even when we are trying to avoid them.
A good password generator uses your device's built-in cryptographic randomness — the same standard used by banks and security software — rather than a weaker pseudo-random algorithm. The difference matters: a pseudo-random generator produces sequences that look random but can in theory be reproduced by someone who knows the starting conditions. A cryptographically secure generator cannot.
Generate a strong password instantly
Set your length, choose your character types and copy a cryptographically secure password in seconds. Nothing is sent to a server.
Open Password GeneratorStep 5: Store it safely
A 20-character random password like Kx#7mP!qL2nV@wRj9Tz& is not something you can memorise, and you should not try to. The correct solution is a password manager.
A password manager encrypts all your credentials and stores them behind a single master password. You only need to remember one thing — and you can use a memorable passphrase (four or five random words) for that. The manager handles everything else: generating, storing and filling in passwords across every site and device you use.
Well-regarded options include Bitwarden (free, open source), 1Password and Dashlane. Most browsers have built-in managers too, though standalone apps tend to offer better security controls and cross-device sync.
The quick version
If you want a single rule to remember: generate a random 20-character password using uppercase, lowercase, numbers and symbols, and save it in a password manager. Do that for every account, and you will be better protected than almost everyone on the internet.
This article is for general informational purposes. Password security requirements vary by context. For high-security environments, consult a qualified security professional.