How to Create a Strong Password — And What Actually Makes One Secure
Most people understand that passwords should be "strong" but are fuzzy on what that actually means in practice. Is "P@ssw0rd1!" strong? (No — it follows an extremely predictable pattern that attackers know well.) Is "correct-horse-battery-staple" strong? (Yes — it is long, random, and easy to remember.) Understanding what makes passwords actually secure changes how you create and manage them for every account, tool, and system you are responsible for.
Generate a cryptographically secure random password instantly with our free Password Generator tool. To test how strong any existing password is, use our Password Strength Checker. For checking if your site has any security issues, our SSL Lookup and HTTP Headers Lookup tools identify configuration problems.
What Actually Makes a Password Strong
Password strength is fundamentally about how difficult it is to guess or crack by brute force — trying every possible combination. Two factors determine this: length and character set size. Everything else is secondary.
Length Is the Most Important Factor
The number of possible passwords grows exponentially with length. A four-character password using only lowercase letters has 26 to the power of 4 possibilities = 456,976 combinations — crackable in milliseconds. A twelve-character lowercase password has 26 to the power of 12 = approximately 95 trillion combinations — much harder but crackable quickly with modern hardware. A sixteen-character password of mixed characters has roughly 10 to the power of 27 combinations — effectively uncrackable by brute force even with powerful hardware.
Modern password guidance from NIST (the US National Institute of Standards and Technology) focuses primarily on length. A passphrase of four random common words — like "purple-table-river-seven" — is typically longer and stronger than a shorter "complex" password with symbols, despite looking simpler.
Character Set Size — The Multiplier
Using a larger set of possible characters for each position multiplies the total possible combinations:
- Lowercase only (a-z): 26 characters per position
- Lowercase plus digits (a-z, 0-9): 36 characters per position
- Mixed case plus digits (a-z, A-Z, 0-9): 62 characters per position
- Mixed case plus digits plus symbols: typically 94+ characters per position
Adding uppercase, digits, and symbols to a long password significantly increases strength — but length still matters more. A 20-character lowercase password is stronger than an 8-character password with all character types.
Randomness — The Hidden Factor
Password strength calculations assume random character selection. A human-chosen password that meets length and character requirements but follows a predictable pattern is significantly weaker than its theoretical maximum. Common patterns attackers know and test first:
- Leetspeak substitutions: "password" becomes "p@ssw0rd" — these are in every serious cracker's dictionary.
- Capital at the start, number or symbol at the end: "Password1!" follows this pattern exactly.
- Keyboard walks: qwerty, qweasdzxc, 1qaz2wsx.
- Names and dates: birthdates, pet names, partner names, favourite sports teams.
- Dictionary words with simple modifications: "Summer2024!", "Liverpool#1".
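A strength check that looks for the patterns listed above alongside the length-and-character-set estimate, as an added example (not code from this site's tools). The word list, walk list and leetspeak table are small constructed samples, and names and dates are not covered because they depend on personal data.

```python
import math
import re
import string

# Constructed sample data; a real check would load a large breached-password list.
COMMON_WORDS = {"password", "summer", "liverpool", "monkey"}
KEYBOARD_WALKS = ("qwerty", "qweasdzxc", "1qaz2wsx")
LEET = str.maketrans("@4031!$57", "aaoeiisst")
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)


def theoretical_bits(pw):
    """length * log2(pool size): only meaningful if every character is random."""
    pool = sum(len(p) for p in POOLS if any(c in p for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def find_patterns(pw):
    """Return the predictable patterns from the list above that pw matches."""
    findings = []
    lower = pw.lower()
    if any(walk in lower for walk in KEYBOARD_WALKS):
        findings.append("keyboard walk")
    # Drop a trailing run of digits/symbols, e.g. "1!" or "2024!".
    core = re.sub(r"[\d\W_]+$", "", lower)
    if core != lower and pw[:1].isupper():
        findings.append("capital first, digits/symbols last")
    if core in COMMON_WORDS:
        findings.append("dictionary word")
    elif core.translate(LEET) in COMMON_WORDS:
        findings.append("leetspeak dictionary word")
    return findings


def assess(pw):
    """Pair the brute-force bound with the patterns that undercut it."""
    return {"bits": round(theoretical_bits(pw), 1), "patterns": find_patterns(pw)}


if __name__ == "__main__":
    for sample in ("P@ssw0rd1!", "Summer2024!", "1qaz2wsx", "kq7#vT2mLp9$xR4w"):
        print(sample, assess(sample))
```

Any finding means the bit estimate overstates the password's strength, because the estimate assumes every character was chosen at random.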
A truly random password from our Password Generator tool contains none of these patterns — it uses cryptographically secure random number generation, meaning each character is selected with no predictability whatsoever.
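How a generator of this kind can work, as an added example built on Python's standard `secrets` module (it is not the code behind the Password Generator tool). The function names and the 8-word sample list are assumptions made for the illustration.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII characters.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed 8-word sample list; a usable list needs thousands of words.
SAMPLE_WORDS = ["purple", "table", "river", "seven",
                "correct", "horse", "battery", "staple"]


def entropy_bits(pool_size, picks):
    """Bits of entropy for `picks` independent uniform choices from a pool."""
    return picks * math.log2(pool_size)


def generate_password(length=16, alphabet=FULL_ALPHABET):
    """Draw every character independently from the OS CSPRNG."""
    pool = sorted(set(alphabet))  # duplicates would skew the distribution
    if length < 1 or len(pool) < 2:
        raise ValueError("need length >= 1 and at least 2 distinct characters")
    return "".join(secrets.choice(pool) for _ in range(length))


def generate_passphrase(wordlist=SAMPLE_WORDS, words=4, sep="-"):
    """Draw whole words with the same CSPRNG; entropy is counted per word."""
    pool = sorted(set(wordlist))
    if words < 1 or len(pool) < 2:
        raise ValueError("need words >= 1 and at least 2 distinct words")
    return sep.join(secrets.choice(pool) for _ in range(words))


if __name__ == "__main__":
    print(generate_password(), f"{entropy_bits(94, 16):.1f} bits")
    print(generate_password(20, string.ascii_lowercase),
          f"{entropy_bits(26, 20):.1f} bits")
    print(generate_passphrase(), f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
```

A passphrase's entropy is the number of words times log2 of the list size, not its character count, so the 8-word sample list is for demonstration only.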
How Passwords Are Attacked
Understanding how attacks work helps you understand why certain password choices that feel strong are not.
Dictionary Attacks
Attackers start with known words, common passwords, and leaked password databases. The list of commonly used passwords includes millions of entries — not just simple ones like "123456" but also "Summer2023!", "P@ssword1", and "Monkey123." If your password appears in these lists, it can be cracked in seconds regardless of how complex it looks to you.
Credential Stuffing
When a service suffers a data breach, stolen username-password combinations are tested against other services automatically. If you reuse passwords, a breach at any one service compromises all services where you use the same password. This is why password reuse is one of the most dangerous password habits — and why every account should have a unique password.
Brute Force Attacks
Systematically trying every possible combination. Against online login forms, rate limiting and lockouts make this slow or impossible. Against offline password hashes (obtained via database breach), modern GPUs can test billions of combinations per second. For offline brute force attacks, only a very long random password is safe.
Phishing
The simplest attack: trick the user into entering their password on a fake login page. No amount of password complexity protects against phishing. The defences are: always verify the URL before entering credentials (our Safe URL Checker checks whether a URL is potentially malicious), use a password manager (which will not autofill on the wrong domain), and enable two-factor authentication.
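Why a password manager declines to autofill on the wrong domain, as an added example: it compares origins exactly instead of judging whether a page looks right. This is a simplified model, not any particular product's matching logic, and the URLs are constructed samples on reserved domains.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), or None for anything that is not http(s)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # hostname is already lower-cased
    return (parts.scheme, host, port or DEFAULT_PORTS[parts.scheme])


def should_autofill(saved_url, page_url):
    """Fill only on an exact HTTPS origin match; no 'looks similar' logic."""
    saved, page = origin(saved_url), origin(page_url)
    return saved is not None and saved == page and saved[0] == "https"


# Constructed sample URLs using reserved example/test domains.
SAVED = "https://accounts.example.com/login"
PAGES = [
    "https://accounts.example.com/login?next=%2Fhome",  # same origin
    "https://ACCOUNTS.example.com:443/",                # same origin, normalised
    "http://accounts.example.com/login",                # no TLS
    "https://accounts.examp1e.com/login",               # look-alike character
    "https://accounts.example.com.signin.test/login",   # saved name is only a prefix
]


def decisions():
    """Autofill decision for each sample page against the saved login URL."""
    return [should_autofill(SAVED, page) for page in PAGES]


if __name__ == "__main__":
    for page, ok in zip(PAGES, decisions()):
        print("fill" if ok else "skip", page)
```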
Password Management — The Practical Solution
The real problem with password security is human memory. People cannot remember dozens of long, random, unique passwords. This forces the choice between weak passwords that are memorable and strong passwords that are forgotten or reused. The solution is a password manager — software that generates and stores unique strong passwords for every account, requiring you to remember only one master password.
Popular password managers include Bitwarden (open source and free), 1Password, Dashlane, and KeePass. Browser built-in password managers (Google Chrome, Safari, Firefox) have improved significantly and are acceptable for most personal use cases. For business environments, dedicated password managers with team features, audit logs, and admin controls are worth the investment.
With a password manager: every site gets a unique, randomly generated password from our Password Generator or the password manager's built-in generator; you only need to remember one strong master password; and credential stuffing attacks from any individual breach do not affect other accounts. Check the strength of your master password with our Password Strength Checker.

