How to Create a Strong Password (or Passphrase)

Updated 2026-06-21

A strong password is long and genuinely random — not a word with a number stuck on the end. The most reliable way to create one is to let a cryptographic generator produce it, then store it in a password manager so you never have to memorize it. The goal is high entropy: enough unpredictability that brute-force guessing is hopeless.

What makes a password strong

Strength comes from two things multiplied together: how many possible characters you draw from, and how many you use. That combination is measured in bits of entropy — each extra bit doubles the number of guesses an attacker must try.

• Length beats complexity. Going from 8 to 16 characters helps far more than adding one symbol to a short password.
• Randomness is non-negotiable. Names, dates, keyboard walks (qwerty) and l33t-speak swaps are all in the cracking dictionaries.
• Aim for entropy, not rules. Roughly 70+ bits is solid for an important account; 100+ bits is comfortably future-proof.

A truly random 16-character password mixing uppercase, lowercase, digits and symbols carries about 100 bits — uncrackable by brute force with today's hardware.

Passwords vs passphrases

A passphrase strings together several random words, like four or five unrelated dictionary words. It reaches the same entropy as a dense password but is far easier to type and, when you must, to remember.

• Password: great for accounts you let a manager store and autofill. Maximize length, use all character types.
• Passphrase: great when you have to type it by hand — a device login, a disk-encryption key, a master password. Each random word adds roughly 12–13 bits, so a five-word phrase clears 60 bits and a six-word phrase clears 75.

The key word is random: the words must be chosen by chance, not picked by you, or the entropy collapses.

How to generate one safely

1. Open the Password & Passphrase Gen.
2. Choose password or passphrase.
3. Set the length (or word count) — longer is stronger.
4. For a password, toggle which character sets to include: uppercase, lowercase, digits, symbols.
5. Generate, then copy the result straight into the account or your password manager.

Because every secret is built with the browser's cryptographic random source, the output is suitable for real security use — not the predictable pseudo-randomness of a casual script.

Why generate offline

Never use a website that emails you a password or generates one on its server — at that point a stranger's machine has seen your secret. This tool runs 100% in your browser: nothing is uploaded, there is no account, and the generated string never leaves your device. You can even disconnect from the network first and it still works.

A few habits make a generated password actually protective:

• Use a unique one per account, so a single breach can't unlock the rest.
• Store them in a password manager rather than a notes file or your memory.
• Pair them with two-factor authentication wherever it's offered.

Ready to lock down an account? Generate a fresh secret now with the Password & Passphrase Gen.

Try the Password & Passphrase Gen →