How to Create a Strong Password (That You Can Actually Use)
By Marcus Hale · 7 min read
A strong password is long, unpredictable, and used on only one account. If you remember nothing else: make it at least 16 characters, never reuse it, and let a password manager carry the load. That trio quietly defeats the attacks most people actually face.
Why length matters more than fancy symbols
For years we were taught that a "good" password needed a capital letter, a number, and a symbol. The intention was right, but the result was passwords like Summer2026! that look complex and are still easy to guess. Attackers know our habits: cracking tools try dictionary words with exactly these decorations first (a capital first letter, a year on the end, a single trailing symbol, the usual letter-for-digit swaps), so the "complexity" adds almost nothing.
What genuinely slows an attacker down is length. The number of possible passwords is the size of the character set raised to the power of the length, so extra characters do far more than extra symbol types: adding four lowercase letters multiplies the search space by about 450,000, while switching an eight-character lowercase password to the full keyboard multiplies it by only around 30,000. A long string of even simple characters can be far tougher to crack than a short, "complex" one, and that is why most modern security guidance now leads with length.
Rule of thumb: 16+ characters for everyday accounts, 20+ for the ones that protect everything else (your email and your banking).
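To put numbers on this, here is a small added example (written for this edit, not a tool from this site) that contrasts what a naive complexity meter reports with what a pattern-aware attacker actually faces. The Summer2026! case is the one from the text; the sample dictionary, the 10,000-word dictionary size, the year and symbol ranges, the 7,776-word list size for passphrases and the 50-bit floor are all assumptions chosen for illustration, not measurements.

```python
import math
import re

# Constructed sample of the words a cracking tool tries first. Real
# wordlists hold millions of entries; the arithmetic below assumes an
# attacker dictionary of DICT_SIZE words (an assumption, not a measurement).
COMMON_WORDS = {"summer", "winter", "spring", "autumn", "password",
                "welcome", "football", "dragon", "monkey", "letmein"}
DICT_SIZE = 10_000       # assumed size of the attacker's wordlist
CASE_VARIANTS = 2        # all lower-case, or first letter capitalised
YEAR_CHOICES = 200       # appended numbers: the attacker tries 1900..2099
SYMBOL_CHOICES = 10      # the handful of symbols people append (! ? . ...)
WORDLIST_SIZE = 7776     # size of a diceware-style list for passphrases
MIN_BITS = 50            # assumed floor, roughly four random list words

WORD_PLUS_SUFFIX = re.compile(r"([A-Za-z]+)(\d{2,4})?([^A-Za-z0-9]?)")
PHRASE = re.compile(r"[a-z]+(?:[- ][a-z]+){2,}")  # three or more words


def charset_bits(password: str) -> float:
    """What a naive 'complexity' meter reports: it assumes every character
    was drawn uniformly from the union of the character classes present."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def guess_bits(password: str) -> float:
    """Bits against an attacker who tries dictionary word + year + symbol
    and known word lists before falling back to brute force."""
    m = WORD_PLUS_SUFFIX.fullmatch(password)
    if m and m.group(1).lower() in COMMON_WORDS:
        bits = math.log2(DICT_SIZE) + math.log2(CASE_VARIANTS)
        if m.group(2):                     # a year was appended
            bits += math.log2(YEAR_CHOICES)
        if m.group(3):                     # a trailing symbol was appended
            bits += math.log2(SYMBOL_CHOICES)
        return bits
    if PHRASE.fullmatch(password):
        # Credit only applies to words drawn at random from a list. A quote
        # or lyric is one dictionary entry, not four independent choices.
        words = len(re.split(r"[- ]", password))
        return words * math.log2(WORDLIST_SIZE)
    return charset_bits(password)          # nothing better than brute force


def verdict(password: str) -> str:
    """Apply the article's rule: not guessable, and 16+ characters."""
    bits = guess_bits(password)
    if bits < MIN_BITS:
        return f"replace: about {bits:.0f} bits against a pattern-aware attacker"
    if len(password) < 16:
        return "replace: shorter than 16 characters"
    return "ok"


if __name__ == "__main__":
    for pw in ("Summer2026!", "Tr0ub4dor&3", "v7$Kp2mQ!xZ9rLb4",
               "copper-lantern-village-drift"):
        print(f"{pw:30} naive {charset_bits(pw):6.1f} bits   "
              f"attacker {guess_bits(pw):6.1f} bits   {verdict(pw)}")
```

Under these assumptions Summer2026! scores about 72 bits on the naive meter and only about 25 bits once the attacker's word-plus-year-plus-symbol habit is modelled, while the 16-character random string from the next section scores about 105 bits either way. The passphrase branch only gives credit when the words could have come from a list at random; that is the honest model, and it is why the text insists on the word "random".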
Two ways to build one
1. The random string
The strongest option is a string of random characters, like v7$Kp2mQ!xZ9rLb4. You will not memorise it, and that is fine, because your password manager will. The important part is that every character is drawn by a cryptographically secure random number generator rather than chosen by you: people are poor at producing randomness, and a "random-looking" string typed by hand leans on keyboard patterns an attacker can model. You can build one in seconds with our free password generator, which runs entirely in your browser so the result never touches a server.
2. The passphrase
If you do need to type or remember a password, a passphrase is your friend: four or more random, unrelated words strung together, such as copper-lantern-village-drift. Because it is long, it is strong; because it is words, it is typeable. The catch is the word "random": the words must come from a generator or a dice roll against a word list, not from your head. Skip famous quotes, song lyrics, and anything tied to you personally. A phrase that already exists somewhere is a single dictionary entry to an attacker, however long it is.
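Both forms come down to the same thing: every character or word is drawn by a cryptographically secure generator, never by a person. The following is an added Python example, not the site's generator. The word list is a constructed stand-in for a real diceware-style list (only the list size changes the arithmetic), the 16-character and four-word floors are the article's own rule of thumb, and the optional "every character class present" mode exists because some older sites still demand a digit and a symbol.

```python
import secrets
import string

# Letters, digits and printable ASCII punctuation: 94 characters in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a diceware-style word list. A real list such as
# the EFF long list has 7,776 entries; only the size differs, the method
# does not. Words are drawn by the generator, never chosen by a person.
WORDLIST = [
    "copper", "lantern", "village", "drift", "marble", "orbit", "cactus",
    "ferry", "glacier", "humble", "ivory", "jungle", "kettle", "meadow",
    "nickel", "oyster", "pebble", "quartz", "ripple", "saddle", "timber",
    "umpire", "velvet", "walnut", "yonder", "zephyr",
]

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def random_password(length: int = 16, require_all_classes: bool = False) -> str:
    """Uniformly random string over ALPHABET from the OS CSPRNG.

    `secrets` is used rather than `random`: `random` is a deterministic
    generator seeded from a small state and is unsuitable for secrets.
    With require_all_classes=True the draw is simply repeated until every
    class appears. Rejection sampling keeps the output uniform over the
    accepted strings, so a legacy "one digit, one symbol" site rule costs
    nothing in randomness, unlike forcing a digit into a fixed position.
    """
    if length < 16:
        raise ValueError("the article's floor is 16 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def passphrase(words: int = 4, sep: str = "-", wordlist=WORDLIST) -> str:
    """Join `words` independently drawn list entries.

    Strength is words * log2(len(wordlist)), so a larger list or more
    words helps; picking the words yourself does not count at all.
    """
    if words < 4:
        raise ValueError("the article's floor is four words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(random_password(20))
    print(random_password(16, require_all_classes=True))
    print(passphrase(5))
```

Run it and each call prints a fresh value; nothing is reproducible from one run to the next, which is the point. Swap WORDLIST for a real list loaded from disk to get passphrases of the strength the text describes.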
The one rule that beats most attacks: never reuse
This is the habit that matters most. When you reuse a password, a single leak anywhere exposes every account that shares it. Attackers automate this with stolen lists in what is called credential stuffing: the same email-and-password combo is replayed against hundreds of sites, and every account where it still works is taken over. Give each account its own password and a breach in one place stays contained.
Of course, nobody can memorise dozens of unique 16-character strings. That is exactly the problem a password manager solves.
Use a password manager (the easy button)
A password manager is an encrypted vault that remembers your logins so you do not have to. You memorise one strong master password; it handles the rest, filling in unique passwords across your devices. Suddenly "long and unique for every account" stops being a chore and becomes automatic. If you are weighing it up, our explainer on whether password managers are safe and worth it walks through how they work and what to look for.
Add a second lock: two-factor authentication
A password is one lock; two-factor authentication (2FA) adds a second, independent one. Even if someone gets your password, they still cannot log in without the second step. Wherever you can, choose an authenticator app or a passkey over text-message codes: SMS codes can be intercepted or redirected by a SIM swap. A passkey is the stronger of the two, because it is bound to the genuine site and a look-alike phishing page cannot use it, whereas a code from an app can still be relayed by a convincing fake page. Turn it on for your email first, because email is the master key that can reset everything else.
Test before you trust
Curious how your current passwords hold up? Paste one into our password strength analyser to see an estimate of how resistant it is, all processed locally in your browser. It is a quick way to spot the short or predictable passwords worth replacing first; reuse it cannot see from a single password, so track that with your password manager. One caution applies to any checker, ours included: only test a live password in a tool that runs locally, and if in doubt test a password with the same shape rather than the real one.
Your quick checklist
- Make every password 16+ characters (20+ for email and banking).
- Use a unique password for every account — no exceptions.
- Generate random strings, or use a long random-word passphrase.
- Store everything in a password manager.
- Turn on app-based 2FA or passkeys, starting with your email.
Frequently asked questions
How long should a strong password be?
Aim for at least 16 characters for everyday accounts and 20 or more for important ones like email and banking. Length is the single biggest factor in how hard a password is to crack.
Are passphrases as safe as random passwords?
A passphrase of four or more random, unrelated words can be very strong and far easier to type. The key word is random: avoid famous quotes, song lyrics, or predictable phrases.
Do I need to change my passwords regularly?
Routine forced changes are no longer recommended for most people. Change a password when you have a reason to: a breach notice, a shared device, or any sign the account may be exposed.
Is it safe to let my browser save passwords?
Built-in browser password storage is far better than reusing passwords, and modern browsers encrypt the saved logins at rest. The limits are practical ones: anyone who can unlock your device profile can usually view them, and they only fill logins in that browser. A dedicated password manager generally offers stronger protection, better sync across browsers and apps, and breach alerts.
This article is general security education, not professional advice.