
How to Create Strong Passwords and Passphrases

Generate Secret Keys team June 3, 2026 6 min read

Most password advice is outdated. Forcing one uppercase letter, one digit, and one symbol produces predictable patterns like Password1! that crackers handle in seconds. What actually matters is unpredictability, and the cheapest way to buy unpredictability is length.

Password strength is just entropy

Entropy, measured in bits, captures how many guesses an attacker needs on average: each additional bit doubles the number of possibilities to search. For a randomly generated password it is log2(poolSize) × length:

  • Lowercase only (26 chars): ~4.7 bits per character.
  • Lower + upper + digits (62 chars): ~5.95 bits per character.
  • Full ASCII with symbols (~94 chars): ~6.55 bits per character.

A 16-character password from the 94-character set is about 105 bits — far stronger than an 8-character password from the same set (~52 bits). Adding length adds entropy faster and more reliably than adding character classes.

Why length beats complexity

Complexity rules constrain the human, not the attacker. People satisfy them in habitual ways, so password crackers prioritize exactly those patterns. A long, randomly generated string has no pattern to exploit. The takeaway: aim for 16+ characters for everyday accounts and 24+ for high-value ones, generated randomly rather than chosen by hand.

The case for passphrases

A passphrase is several random words joined together, like anchor-velvet-quartz-meteor-ripple. Each word drawn from a list of ~2,000 contributes about 11 bits, so a five-word passphrase carries roughly 55–65 bits and is far easier to type and remember than a random string of the same strength. Passphrases are ideal for values a human must enter, such as a disk-encryption password or a password-manager master password.

Practical rules

  • Use a unique password per site. Reuse is the single biggest real-world risk — one breach should not unlock everything.
  • Use a password manager. It removes the need to memorize, so you can use maximum-length random passwords everywhere.
  • Exclude ambiguous characters (O/0, l/1) when a password may be read aloud or typed manually.
  • Turn on multi-factor authentication. Even a perfect password benefits from a second factor.

Generate strong passwords now

The Passwords tab lets you set length, choose character groups, require each selected group, exclude ambiguous or problematic characters, and switch to word-based passphrases. It also shows an estimated entropy figure so you can see strength as you adjust the settings — all generated locally with the browser's secure random source.
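The settings described above (length, character groups, excluding ambiguous characters, an entropy estimate, the browser's secure random source) can be sketched as follows. This is an added example, not the generator's own code: the function names are hypothetical, and the rejection-sampling step is one common way to draw unbiased characters, assumed here rather than taken from the tool.

```javascript
// Added example, not the generator's own code. All names are hypothetical.
// Works in browsers; in Node it falls back to the built-in webcrypto module.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const GROUPS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // 32 printable ASCII symbols
};
const AMBIGUOUS = new Set('O0l1'); // the look-alike pairs the article names

// Character pool for the chosen groups, optionally without look-alikes.
function buildPool(groups, excludeAmbiguous = false) {
  const chars = [...groups.map((g) => GROUPS[g]).join('')];
  return excludeAmbiguous ? chars.filter((c) => !AMBIGUOUS.has(c)) : chars;
}

// Entropy of a uniformly random string: log2(poolSize) × length.
function entropyBits(poolSize, length) {
  return Math.log2(poolSize) * length;
}

// Uniform integer in [0, n). Values at or above the largest multiple of n
// are rejected, so `% n` does not favour the low indices (modulo bias).
function randomIndex(n) {
  const limit = 0x100000000 - (0x100000000 % n);
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, groups, excludeAmbiguous = false) {
  const pool = buildPool(groups, excludeAmbiguous);
  if (pool.length === 0) throw new Error('no characters selected');
  let password = '';
  for (let i = 0; i < length; i++) password += pool[randomIndex(pool.length)];
  return { password, bits: entropyBits(pool.length, length) };
}

const all = ['lower', 'upper', 'digits', 'symbols'];
console.log(generatePassword(24, all));       // 94-character pool
console.log(generatePassword(24, all, true)); // 90-character pool, slightly fewer bits
```

Math.random() is not a substitute for getRandomValues here: it is not a cryptographic source, so its output must not be used for secrets.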

Need a password right now? Generate a 24-character password or a five-word passphrase in your browser.
