How to Create a Strong Password (and Why Length Beats Complexity)
For years we were told a strong password meant something like P@ssw0rd! — short, but
sprinkled with symbols and numbers. It turns out that advice was mostly wrong. Modern password cracking
is fast and patient, and the single biggest factor in whether a password survives an attack is not how
"weird" it looks, but how long it is. This guide explains why, using the concept of
entropy, and gives you a practical method to create passwords that are both strong and memorable.
How attackers actually crack passwords
When a website is breached, attackers usually steal a database of hashed passwords rather than plain text. They then feed those hashes to cracking software that, against a fast unsalted hash such as MD5 or NTLM, tests billions of candidates per second on a single modern GPU. (A deliberately slow hash such as bcrypt or Argon2 cuts that to thousands per second, which is why sites should use one, but as a user you cannot count on it.) They do not guess randomly; they start with:
- Lists of the most common passwords (123456, password, qwerty)
- Dictionary words and names
- Predictable "complexity" tricks like swapping a→@ and o→0
- Passwords leaked in previous breaches
This is why P@ssw0rd! is weak despite having a symbol, a number, and mixed case: it is a
dictionary word with the exact substitutions every cracking tool already tries first.
Entropy: the real measure of strength
Password strength is measured in entropy, expressed in bits. Each additional bit doubles the number of guesses an attacker must make in the worst case. For a password generated uniformly at random, entropy depends on two things: how many possible characters you draw from (the "pool") and how many characters long the password is.
entropy ≈ length × log2(pool size)
The formula only holds for random output; a dictionary word with a few substitutions has far less entropy than its length suggests, because the attacker's wordlist collapses it to a handful of guesses. The key insight is that every extra random character adds a full log2(pool) bits (about 6.6 bits per character from the 95 printable ASCII characters), while adding a character class only grows the pool a little: going from 62 symbols (letters and digits) to 95 adds about 0.6 bits per character, roughly 5 bits over an 8-character password. Going from 8 to 16 characters adds about 50 bits. Doubling the length does far more for your security than adding a couple of symbols.
| Password | Length | Rough entropy | Strength |
|---|---|---|---|
| P@ssw0rd! | 9 | Low (a wordlist entry with the standard substitutions) | Weak |
| kT9$mLp2 | 8 | ~52 bits (8 random characters from a 95-symbol pool) | Okay against a slow hash; falls in hours against a fast one |
| correct-horse-battery-staple | 28 | ~44–52 bits (4 random words from a 2,048- to 7,776-word list; the unit of randomness is the word, not the letter) | Good; a fifth word adds ~13 bits |
| 16 random characters | 16 | ~105 bits | Very strong |
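The formula and the table rows above, worked in code. This is an added example written for this article, not code from the ToolzYard generator; the 95-character pool, the 7,776-word Diceware-style list size and the two guess rates are assumptions chosen to match common cracking hardware and published word lists.

```python
import math

PRINTABLE_ASCII = 95   # assumption: the full printable US-ASCII pool
ALNUM = 62             # a-z, A-Z, 0-9
DICEWARE = 7776        # assumption: a standard 6^5-entry Diceware-style word list

# Illustrative guess rates, order of magnitude for one GPU (assumptions).
GUESS_RATES = {
    "fast hash (MD5/NTLM)": 1e11,
    "slow hash (bcrypt)": 1e4,
}


def random_string_bits(length: int, pool: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from `pool` symbols.

    Valid only for uniformly random output. P@ssw0rd! is 9 characters from the
    95-symbol pool, but it is one entry in every cracking wordlist, so its real
    entropy is a few bits, not 9 * log2(95).
    """
    if length < 1 or pool < 2:
        raise ValueError("length must be >= 1 and pool must be >= 2")
    return length * math.log2(pool)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words picked uniformly from a list of `wordlist_size`.

    The unit of randomness is the word, not the letter: a four-word, 28-character
    passphrase gets 4 * log2(list size) bits, not 28 * log2(alphabet).
    """
    if words < 1 or wordlist_size < 2:
        raise ValueError("words must be >= 1 and wordlist_size must be >= 2")
    return words * math.log2(wordlist_size)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def pretty_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, e.g. '9.2 hours'."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def length_vs_class_gain(length: int) -> tuple[float, float]:
    """Bits gained by adding the symbol class (62 -> 95) versus doubling the length."""
    base = random_string_bits(length, ALNUM)
    return (random_string_bits(length, PRINTABLE_ASCII) - base,
            random_string_bits(2 * length, ALNUM) - base)


if __name__ == "__main__":
    rows = [
        ("kT9$mLp2 (8 random printable chars)", random_string_bits(8, PRINTABLE_ASCII)),
        ("4 Diceware words", passphrase_bits(4, DICEWARE)),
        ("5 Diceware words", passphrase_bits(5, DICEWARE)),
        ("16 random printable chars", random_string_bits(16, PRINTABLE_ASCII)),
    ]
    for label, bits in rows:
        times = ", ".join(f"{name}: {pretty_duration(seconds_to_crack(bits, rate))}"
                          for name, rate in GUESS_RATES.items())
        print(f"{label:40s} {bits:6.1f} bits   {times}")
    symbols, doubled = length_vs_class_gain(8)
    print(f"\nAdding symbols to 8 chars: +{symbols:.1f} bits; "
          f"doubling to 16 chars: +{doubled:.1f} bits")
```

Run it and the 8-character random password lands in the hours column for a fast hash and in the millennia column for bcrypt, which is the practical meaning of the "Okay" rating: it is the hash the site chose, not your password, that decides whether 52 bits is enough.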
Why passphrases work so well
A passphrase is several random words strung together, such as violet-anchor-tulip-cobra.
Because it is long, it has high entropy. Because it is made of real words, it is far easier to remember
than a random string. The strength comes from the number of words chosen at random and the size of the
list they were drawn from, not from clever spelling: each word from a 7,776-word list contributes about
12.9 bits, so four words give roughly 52 bits and five give roughly 65. Four or five genuinely random
words give you a password that is both strong and human-friendly.
The important word is random. "MyDogRex2020" is technically a passphrase but a weak one, because it is personal information an attacker can find or guess. Random selection is what creates real entropy.
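An added example of the point about randomness, not code from the ToolzYard tool: a passphrase and random-string generator that draws from the operating system's CSPRNG through Python's secrets module and reports the entropy of what it produced. The 16-word list is constructed for the demo and far too small for real use; a real generator would load a published word list of thousands of entries.

```python
import math
import secrets
import string

# Constructed demo list. Sixteen words means only log2(16) = 4 bits per word,
# so this is for illustration only; a Diceware-style list of 7,776 words gives
# about 12.9 bits per word.
DEMO_WORDS = (
    "violet", "anchor", "tulip", "cobra", "maple", "quartz", "harbor", "falcon",
    "lantern", "meadow", "pebble", "saffron", "timber", "walnut", "zephyr", "ember",
)

# Pool for random-character passwords: 26 + 26 + 10 + 32 = 94 printable symbols
# (string.punctuation has 32 characters; space is deliberately excluded).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(n_words: int = 4, words=DEMO_WORDS, sep: str = "-") -> tuple[str, float]:
    """Return (passphrase, entropy_bits).

    Each word is an independent uniform draw via secrets.choice, which reads the
    OS random source. random.choice is seeded from predictable state and must
    never be used for credentials. Repeated words are allowed: rejecting them
    would slightly reduce the entropy, not increase it.
    """
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates, which skews the draw")
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return sep.join(chosen), n_words * math.log2(len(words))


def generate_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> tuple[str, float]:
    """Return (password, entropy_bits) for `length` uniform draws from `alphabet`."""
    if length < 1:
        raise ValueError("length must be >= 1")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicate characters")
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, length * math.log2(len(alphabet))


def is_from(generated: str, words, sep: str = "-") -> bool:
    """True if every word of a generated passphrase came from the given list."""
    return all(w in words for w in generated.split(sep))


if __name__ == "__main__":
    phrase, bits = generate_passphrase(4)
    print(f"{phrase}  ({bits:.0f} bits from this toy list; ~52 with a 7,776-word list)")
    pw, bits = generate_password(16)
    print(f"{pw}  ({bits:.1f} bits)")
```

The entropy figure is computed from the list size and the number of draws, never from the look of the output: a phrase this generator produces and an identical phrase a person typed from memory look the same but only the first one has the 52 bits.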
A practical recipe for strong passwords
- Aim for length first. Use at least 12 characters; 16 or more for important accounts.
- Make it unique per site. Reusing one password means a single breach unlocks everything.
- Prefer random over clever. A random string or a random passphrase beats a "smart" pattern every time.
- Use a password manager. It generates and stores long random passwords so you only memorize one strong master passphrase.
- Turn on two-factor authentication (2FA). Even a perfect password benefits from a second factor.
The honest truth is that no human should be inventing and memorizing dozens of unique 16-character passwords. Let a generator do the hard part. The browser-based Password Generator creates strong random passwords with adjustable length and character sets, entirely on your device.
Mistakes that quietly weaken your passwords
- Reusing passwords across sites — the most common cause of account takeovers
- Basing passwords on personal info — names, birthdays, pets, sports teams
- Tiny variations like Summer2024→Summer2025
- Predictable substitutions like @ for a and 0 for o
- Keyboard walks like qwerty or 1qaz2wsx
Do password rules like "must contain a symbol" help?
A little, but they are widely overrated and often counterproductive. Forced-complexity rules push people
toward predictable patterns (capital at the start, a 1! at the end), which cracking tools model directly. Modern guidance from
security organizations (NIST SP 800-63B, for example) now emphasizes a minimum length, accepting long passwords and all
printable characters, and screening candidates against known-breached and context-specific passwords,
rather than rigid composition rules or forced periodic changes. Length is the lever that matters most.
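This is what "length plus screening against breached passwords" looks like on the server side, as an added example that is not part of the original article. The denylist lookup follows the k-anonymity range scheme used by breached-password services: the client sends only the first five hex characters of the candidate's SHA-1 and compares the returned suffixes locally, so the password itself never leaves the machine. Here the network call is replaced by a local stand-in built from a constructed corpus of sample passwords and counts (not real breach data), and the 12-character minimum is the article's own recommendation.

```python
import hashlib

MIN_LENGTH = 12    # the article's floor for everyday accounts
MAX_LENGTH = 128   # allow long passphrases; never truncate silently

# Constructed sample "breach corpus": password -> times seen. Not real data.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 9_000_000,
    "123456": 30_000_000,
    "qwerty": 4_000_000,
    "P@ssw0rd!": 40_000,
    "Summer2025": 1_200,
    "1qaz2wsx": 300_000,
    "correct-horse-battery-staple": 250_000,  # famous examples end up in every wordlist
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_db(corpus: dict[str, int]) -> dict[str, list[str]]:
    """Index the corpus the way a k-anonymity service does: 5-hex-char prefix -> 'SUFFIX:COUNT' lines."""
    db: dict[str, list[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return db


RANGE_DB = build_range_db(CONSTRUCTED_BREACH_CORPUS)


def fetch_range(prefix: str) -> str:
    """Local stand-in for the HTTPS request GET /range/<prefix>.

    In a real deployment only these 5 characters cross the wire; the full hash
    and the password stay on the client.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\n".join(RANGE_DB.get(prefix, []))


def breach_count(password: str) -> int:
    """How many times the password appears in the (constructed) breach corpus, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(candidate: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no composition rules: length, breach screening and a check for
    context-specific words (username, site name) are what the guidance asks for.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = candidate.lower()
    for term in context:
        if len(term) >= 3 and term.lower() in lowered:
            reasons.append(f"contains the context word {term!r}")
    seen = breach_count(candidate)
    if seen:
        reasons.append(f"appears {seen:,} times in breach data")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "correct-horse-battery-staple", "violet-anchor-tulip-cobra"):
        verdict = check_password(pw, context=("alice", "example.com"))
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note what the check does not do: it never asks for a digit or a symbol, and it never forces a change on a schedule. A long random passphrase passes; a short one, or a famous one, is rejected for a reason the user can act on.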
Conclusion
A strong password is mostly a long password that you have never used anywhere else and did not base on anything guessable. Favor length over decoration, use random passphrases when you need to remember something, lean on a password manager for everything else, and switch on two-factor authentication. Those few habits defeat the overwhelming majority of real-world password attacks.
Frequently Asked Questions
Is a longer password really stronger than a complex one?
Usually, yes. Each extra random character adds several bits of entropy (about 6.6 bits from the printable ASCII pool), while adding a symbol or number class only grows the character pool and adds well under a bit per character. Every bit doubles the number of guesses an attacker needs, so a long random passphrase almost always beats a short, complex password.
How long should a password be?
At least 12 characters for everyday accounts, and 16 or more for important ones like email, banking, and your password manager's master password.
Are passphrases safe to use?
Yes, as long as the words are chosen randomly. Several random words are both high-entropy and easy to remember; avoid personal or guessable phrases.
Should I change my passwords regularly?
Only change a password if you suspect it was exposed in a breach. Forced frequent changes tend to produce weaker, predictable variations.
Is it safe to use an online password generator?
Use one that runs entirely in your browser so values are never sent to a server. The ToolzYard Password Generator works locally on your device.