Most people's passwords fall into one of two categories: so simple they're easy to crack, or so complex they're written on a sticky note under the keyboard.
There's a better way.
What Makes a Password Strong?
A strong password has three properties:
- Length — at least 16 characters. Every extra character multiplies the time it takes to brute-force it exponentially.
- Randomness — no dictionary words, names, or keyboard patterns like
qwerty123. - Uniqueness — a different password for every account. If one site gets breached, the others stay safe.
A password like correcthorsebatterystaple is memorable but still weak by modern standards because it uses real words. A randomly generated string like xK#9mP2$vL7nQ4wR is far stronger — but impossible to memorize.
How to Generate One
Use the Password Generator on this site. It creates cryptographically random passwords directly in your browser — nothing is sent to a server.
Recommended settings:
- Length: 16–20 characters
- Include: uppercase, lowercase, numbers, symbols
- Exclude ambiguous characters if you ever need to type it manually (avoids confusing
0andO,land1)
The Real Problem: What Do You Do With It?
Here's where most people give up. A 20-character random password is uncrackable but also untypeable from memory. The solution isn't to make it simpler — it's to stop memorizing passwords altogether.
A password manager stores every password in an encrypted vault. You remember one strong master password; it remembers everything else. When you log into a site, it autofills the credentials.
1Password is the most trusted option. It works across every device and browser, generates passwords for you, and alerts you when any of your saved passwords appear in a data breach.
After generating your password above, store it in 1Password before you use it anywhere.
How Long Would It Take to Crack Yours?
A 12-character random password with mixed characters takes an estimated centuries to brute-force with current hardware. A 16-character one pushes that to billions of years.
By contrast, password123 is cracked in under a second.
The math is entirely on your side — as long as you use a generator instead of making something up.
What "Entropy" Actually Means
Security tools describe password strength in bits of entropy. The number represents how much randomness the password contains — specifically, how many guesses an attacker would need to make before trying every possible password of that type.
A coin flip has 1 bit of entropy (two possibilities). A six-sided die roll has about 2.6 bits. A lowercase letter chosen randomly from 26 options has about 4.7 bits. Each additional character of a certain type adds that many bits.
The practical numbers:
- A random 8-character password (mixed case, numbers, symbols) has roughly 52 bits of entropy
- 12 characters: ~78 bits
- 16 characters: ~104 bits
- 20 characters: ~130 bits
Security researchers generally consider 80+ bits adequate for most purposes, and 100+ bits strong enough to be practically uncrackable by any foreseeable computing advancement. At 16 characters of random mixed characters, you are comfortably past that threshold.
This is why length matters more than complexity. Adding a capital letter and a symbol to an 8-character password moves the needle less than adding 4 characters to a 12-character one.
How Password Managers Actually Work
A password manager is not just a spreadsheet with a lock on it. Understanding the mechanism is worth a few minutes, because it explains why the "one master password" model is genuinely secure rather than a single point of failure.
When you create a password manager account with a master password, the manager never sees or stores your master password. Instead, it derives an encryption key from it using a one-way mathematical function. Your passwords are encrypted locally with that key and then synced to the cloud in encrypted form. The server stores only the encrypted blob — without the master password, it is computationally worthless.
This architecture is called zero-knowledge encryption. The company cannot see your passwords even if they wanted to, and a breach of their servers exposes only encrypted data that cannot be used without your master password.
The implication: your master password must be both memorable and strong. A passphrase — four or more random words — is the right choice. "StapleBatteryHorseTrombone" is 26 characters, easy to type, and has roughly 100 bits of entropy. Write it down once on paper, store it somewhere physically safe, and memorize it through regular use.
A Password Alone Is Not Enough
A strong, unique password protects against brute-force attacks and credential stuffing. It does not protect against phishing (where you hand over your credentials to a fake site), session hijacking (where an attacker steals an active login cookie), or social engineering.
Two-factor authentication (2FA) adds a second layer that protects against all three. Even if an attacker has your exact password, they cannot log in without the second factor.
Use 2FA on every account that offers it. Priority order: email (because it resets everything else), financial accounts, work systems, anything with payment information saved. For the second factor, prefer an authenticator app (Google Authenticator, Authy) over SMS — phone numbers can be hijacked through SIM swapping, which undermines SMS-based 2FA.
Frequently Asked Questions
How long should a strong password be?
At least 16 characters. Every additional character multiplies crack time exponentially — a 16-character random password takes billions of years to brute-force with current hardware. 20 characters is a better target for high-value accounts like email and banking.
What makes a randomly generated password better than one I make up?
Human-chosen passwords follow predictable patterns — dictionary words, keyboard sequences, birth years, names. Attackers exploit those patterns with dictionary attacks that crack common passwords in seconds. A cryptographically random password has no pattern to exploit, regardless of length.
Does the Password Generator send my passwords to a server?
No. The Password Generator runs entirely in your browser using a cryptographically secure random source. The generated passwords are never transmitted anywhere. Nothing is logged or stored remotely.
What is a passphrase and when should I use one?
A passphrase uses four or more random words strung together — for example, 'staple-horse-battery-correct'. At 25+ characters it is as strong as a 16-character random password and far easier to memorize. Use a passphrase for anything you need to type from memory, like a password manager master password or a device login.
Should I use the same password on multiple sites?
No. If one site gets breached and you reused a password, attackers automatically try that password against every major service. A password manager makes unique passwords practical — you remember one strong master password, and it handles a unique one for every site.
What should I do if a site I use gets breached?
Change the password for that site immediately. If you reused it anywhere else, change it on every affected site. Check whether your email appears in known breach databases using a service like Have I Been Pwned. If you keep a log of which accounts still need updated passwords, the Markdown Notes editor stores that checklist locally in your browser — nothing is sent to a server.
Quick Checklist
- [ ] Generated a random password of 16+ characters
- [ ] Enabled uppercase, lowercase, numbers, and symbols
- [ ] Saved it in a password manager before using it
- [ ] Using a different password on every account
If you check all four boxes, your accounts are more secure than 95% of internet users.