The Quick Answer
A secure password is one that an attacker cannot guess or brute-force in a reasonable time. The two things that matter most: randomness and length.
A randomly generated 16-character password using mixed case, digits, and symbols has roughly 105 bits of entropy. At 1 billion guesses per second, that would take longer than the age of the universe to crack by brute force. A 6-word random passphrase achieves comparable strength and is easier to remember.
The single most important rule: never reuse passwords across accounts. One breach exposes every account sharing that password.
What "Secure" Actually Means
A password is secure when:
- It cannot be guessed from personal information, common patterns, or dictionary words
- It resists brute-force attacks because there are too many possible combinations to try
- It is unique to one account, so a breach elsewhere does not compromise it
Security is not about adding an exclamation mark to the end of a word. It is about mathematical unpredictability.
Why Human-Chosen Passwords Fail
People are bad at being random. Studies of leaked password databases consistently show the same patterns:
- Dictionary words with minor modifications ("Sunshine1!", "Dragon2024")
- Keyboard walks ("qwerty", "1qaz2wsx", "zxcvbn")
- Personal information (pet names, birth years, anniversaries)
- Predictable substitutions ("P@ssw0rd", "h3llo", "s3cur1ty")
- Sequential incrementing ("Password1", "Password2", "Password3")
Attackers know these patterns. Modern cracking tools try billions of variations of common words, substitutions, and patterns before resorting to pure brute force. A password like Summer2025! technically uses uppercase, lowercase, digits, and symbols — but it follows such a common template that it falls in seconds to a dictionary attack with rules.
The fix is simple: let a machine generate your passwords.
Random Generation: How It Works
A properly built password generator uses a cryptographically secure random number generator (CSPRNG). In browsers, this is the Web Crypto API (crypto.getRandomValues), which draws randomness from your operating system's entropy pool — mouse movements, disk timings, hardware noise.
The process:
- Define the character set (e.g., a-z, A-Z, 0-9, symbols → 94 characters)
- For each position in the password, pick a random character from the set
- Each character is chosen independently with equal probability
This produces passwords with maximum entropy for their length. No patterns, no bias, no predictability.
Why "Random" Means Truly Random
Humans asked to "pick a random number between 1 and 10" overwhelmingly choose 7. Humans asked to create a "random" password overwhelmingly put the capital letter first and the number at the end.
A CSPRNG has no such biases. Every character at every position has exactly equal probability. That is what makes the entropy calculation valid.
Password Generator
Create cryptographically secure random passwords and passphrases. Choose length, character types, and see entropy estimates. Runs entirely in your browser — nothing is sent to any server.
Generate a PasswordRandom Passwords vs. Passphrases
There are two main approaches to generating secure passwords. Both work. They have different trade-offs.
Random Character Passwords
Example: k$9Vx#mQ2pL!nR4w
- Strength per character: High (~6.6 bits per character with full charset)
- Memorability: Low — you will not remember this
- Best for: Accounts managed by a password manager
- Recommended length: 16+ characters
Random Word Passphrases
Example: timber knack plume oyster crank maple
- Strength per word: ~12.9 bits per word (with a 7,776-word Diceware list)
- Memorability: Much better — you can visualize a story
- Best for: Master passwords, full-disk encryption, anything you type manually
- Recommended length: 5–6 words minimum
Strength Comparison
| Method | Configuration | Entropy |
|---|---|---|
| Random characters | 12 chars, all types | ~79 bits |
| Random characters | 16 chars, all types | ~105 bits |
| Random passphrase | 4 words (7,776 list) | ~52 bits |
| Random passphrase | 5 words (7,776 list) | ~65 bits |
| Random passphrase | 6 words (7,776 list) | ~78 bits |
For most accounts behind a password manager, a 16-character random password is ideal. For anything you need to type or memorize, a 6-word passphrase gives equivalent strength.
How Long Should a Password Be?
There is no universal answer, but these guidelines cover common scenarios:
| Use Case | Minimum Length | Recommended |
|---|---|---|
| Low-value accounts (forums, newsletters) | 12 characters | 14+ characters |
| Standard accounts (email, social media) | 14 characters | 16+ characters |
| High-value accounts (banking, primary email) | 16 characters | 20+ characters or 6-word passphrase |
| Master password (password manager) | 6 random words | 6–7 random words |
| Encryption (disk, file, backup) | 20 characters | 7+ word passphrase |
These assume the password is truly random. If you introduce any pattern, the effective strength drops.
The Password Manager Approach
The practical solution to password security in 2026 is straightforward:
- Use a password manager to store all your passwords
- Generate a unique random password for every account (16+ characters)
- Memorize one strong master passphrase (6+ random words)
- Enable two-factor authentication on every account that supports it
This eliminates the two biggest password vulnerabilities:
- Reuse — every password is unique, so one breach stays contained
- Weakness — every password is randomly generated, so none can be guessed
You never need to see, remember, or type most of your passwords. The manager handles it.
Common Mistakes That Weaken Passwords
1. Reusing the Same Password
If you use the same password on 30 accounts and one gets breached, attackers will try that password (and variations) on every major service within hours. This is called credential stuffing, and it is the most common cause of account compromise.
2. Using Predictable Patterns
These feel random to humans but are trivial for cracking tools:
- Capital at the start, number and symbol at the end (
Butterfly42!) - Leetspeak substitutions (
p@$$w0rd) - Appending the year (
securepassword2026) - Using the site name in the password (
facebook_john123)
3. Making Passwords "Complex" but Short
kR#9 has uppercase, lowercase, a symbol, and a digit. It has four character types but only ~26 bits of entropy — crackable in under a second. Length matters more than character variety.
4. Writing Passwords on Sticky Notes
Physical security matters. A password on a monitor is visible to anyone who walks by or appears in a photo.
5. Sharing Passwords Over Insecure Channels
Sending a password in a text message or email means it is stored in plain text on multiple servers indefinitely. If you must share a credential, use a password manager's sharing feature or a self-destructing link.
6. Ignoring Two-Factor Authentication
Even a perfect password can be phished. Two-factor authentication (ideally app-based or hardware key, not SMS) means a stolen password alone is not enough to access the account.
How Passwords Get Compromised
Understanding the attack methods helps explain why the rules above exist.
Brute Force
Try every possible combination. Effective against short passwords. A 6-character password with all types (~40 bits) falls in under 10 minutes at 1 billion guesses per second. A 16-character password (~105 bits) is computationally infeasible.
Dictionary Attack
Try common words, names, phrases, and leaked passwords. This is why "Sunshine2025!" fails — it matches a known pattern. Attackers use lists of billions of previously leaked passwords.
Credential Stuffing
Take email/password pairs from one breach and try them on other services. Works because most people reuse passwords. The defense: unique passwords everywhere.
Phishing
Trick the user into entering their password on a fake site. No amount of password complexity helps here — only two-factor authentication and vigilance protect against phishing.
Database Breach
The service stores passwords incorrectly (weak hashing or plain text). When breached, all passwords are exposed. You cannot control this, but unique passwords limit the damage to one account.
Testing Password Strength
After generating a password, you can verify its theoretical strength by checking its entropy. The formula:
entropy (bits) = length × log₂(charset size)
A quick reference:
- 26 lowercase letters: 4.7 bits per character
- 52 mixed case: 5.7 bits per character
- 62 mixed case + digits: 6.0 bits per character
- 94 all printable ASCII: 6.6 bits per character
At 80+ bits of entropy, brute-force cracking becomes impractical with current technology. At 100+ bits, it is infeasible even with projected advances.
Remember: these numbers assume truly random generation. Human-chosen passwords have far less effective entropy than the formula suggests.
Password Strength Checker
See the entropy, estimated crack time, and character analysis of any password. Nothing is stored or transmitted.
Check Password StrengthFrequently Asked Questions
How do I create a secure password?
Use a password generator that relies on a cryptographically secure random number generator. Set the length to at least 16 characters with mixed character types (uppercase, lowercase, digits, symbols). Alternatively, generate a random passphrase of 5–6 words from a large word list. Do not create passwords by hand — human choices are predictable.
What makes a password "strong"?
Two factors: randomness and length. A strong password has high entropy, meaning it was generated from a process that an attacker cannot predict or narrow down. A 16-character truly random password with all character types has about 105 bits of entropy, which is resistant to brute-force attacks for the foreseeable future.
Is a longer password always better?
Yes, assuming equal randomness. Each additional character multiplies the number of possible combinations. A 16-character random password is roughly 10,000 times harder to crack than a 14-character random password using the same character set. Length is the single most effective way to increase password strength.
Are passphrases more secure than random passwords?
A passphrase and a random password can have equal entropy — it depends on the configuration. A 6-word passphrase from a 7,776-word list has about 78 bits of entropy, similar to a 12-character random password with all character types. The advantage of passphrases is memorability, which makes them better for master passwords and encryption keys.
How often should I change my passwords?
Current guidance from NIST (the US National Institute of Standards and Technology) recommends against forced periodic password changes. Change a password when: (1) you suspect it has been compromised, (2) the service reports a breach, or (3) you shared it and the need for sharing has ended. Frequent mandatory changes lead to weaker passwords because people choose predictable increments.
Is it safe to generate passwords in a browser?
Yes, if the generator runs entirely client-side using the Web Crypto API. This means the password is generated on your device using your operating system's cryptographic random number generator. No password is sent to any server. You can verify this by checking the network tab in your browser's developer tools.
Should I use special characters in my password?
Special characters increase the character set size, which increases entropy per character. But adding one symbol to a short password helps less than adding two more characters. The most effective approach: use all character types and make the password long. If a service restricts which characters are allowed, compensate by increasing length.
What is the most common way passwords get hacked?
Credential stuffing — using leaked email/password pairs from one breach to access other accounts. This works because most people reuse passwords. The second most common method is phishing, where users are tricked into entering credentials on fake websites. Pure brute-force cracking of long random passwords is rare because it is computationally expensive.
Can two-factor authentication replace a strong password?
No. Two-factor authentication adds a second layer of defense, but the password remains the first layer. A weak password with 2FA is still vulnerable if the second factor is compromised (e.g., SIM swapping for SMS codes). Use both: a strong unique password plus 2FA.
How do password managers work?
A password manager encrypts all your passwords with one master password. When you need a password, the manager decrypts and fills it automatically. Your passwords are stored in an encrypted vault — without the master password, the data is unreadable. This lets you use a unique random password for every account without memorizing any of them.
What is credential stuffing?
Credential stuffing is an automated attack where stolen username/password pairs from one data breach are tested against other websites. Attackers use bots to try millions of combinations across popular services. It succeeds because an estimated 65% of people reuse passwords across multiple accounts.
Is writing passwords down ever acceptable?
A physical notebook stored in a secure location (locked drawer, safe) is better than reusing the same weak password everywhere. However, a password manager is more practical — it is encrypted, portable, and can generate passwords for you. Never write passwords on sticky notes attached to monitors or in unprotected digital files.
Key Takeaways
- Use a generator. Human-created passwords are predictable. Let a CSPRNG do the work.
- Make it long. 16 characters minimum for random passwords. 6 words minimum for passphrases.
- Never reuse. Every account gets a unique password. No exceptions.
- Use a password manager. Memorize one master passphrase. Let the manager handle everything else.
- Enable two-factor authentication. A password alone is not enough for important accounts.
- Do not change passwords on a schedule. Change them when there is a reason to — compromise, breach, or revoked access.
Related Tools
- Password Generator — Generate cryptographically secure random passwords and passphrases
- Password Strength Checker — Analyze entropy and estimated crack time
- Hash Generator — See how passwords are hashed with MD5, SHA-256, SHA-512
- Bcrypt Generator — Generate bcrypt hashes for password storage