Passwords & Secrets
How to Create a Strong Password (and Why Length Wins)
By Justin Le
6 min read · Updated June 27, 2026

Most password advice is stuck in 2005: "use a capital letter, a number and a symbol." That guidance produces passwords that are hard for humans to remember and easy for computers to guess. Let's replace it with what actually works.
Strength = entropy, not complexity
The real measure of a password's strength is entropy: the number of equally likely possibilities an attacker would have to try. Entropy grows with both the size of the character set and, more powerfully, the length. A short password full of symbols can have less entropy than a long one of plain words, because length multiplies the search space far faster than swapping a couple of characters.
P@ssw0rd! looks complex but is one of the first things any cracker tries, because it follows a predictable pattern: a dictionary word with the usual letter-for-symbol substitutions. A longer, genuinely random string (or a string of random words) is exponentially harder to guess.
Why length wins
Each character you add multiplies the number of possible passwords. Going from 8 to 16 characters doesn't double the difficulty, it squares it. That's why modern guidance, including NIST's, prioritises length: aim for at least 16 characters for important accounts, more where you can.
- ~12 characters, mixed types: about 78 bits of entropy, fine for most accounts.
- ~16 characters: 100+ bits, strong.
- 20+ characters: 128+ bits, effectively unbreakable by brute force.
Passphrases: strong and memorable
A passphrase (several random words strung together, like correct horse battery staple) can be both very strong and easy to recall. The key word is random: words you choose yourself, or a famous quote, are predictable. Randomly selected words (e.g. via diceware) give real entropy. Passphrases shine for the few passwords you must memorise, like your device login or your password manager's master password.
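The arithmetic behind the two preceding sections, worked through as an added Python example (this is not code from the original article or from its password tools). It computes the bits of entropy for a character password as length × log2(character-set size) and for a diceware-style passphrase as words × log2(word-list size), shows why P@ssw0rd! scores zero once a cracker's wordlist is taken into account, and generates both kinds of secret with the operating system's CSPRNG. The small word list, the common-password set and the 1e10 guesses-per-second cracking rate are constructed values for illustration only; a real diceware list has 7776 entries and real cracking wordlists have millions.

```python
import math
import secrets
import string

# The ~94 printable ASCII characters a typical "mixed types" generator draws from.
MIXED = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-ins: a real diceware list has 7776 words and a cracker's
# wordlist has millions of entries. These are illustrative only.
WORDS = ["correct", "horse", "battery", "staple", "river", "candle",
         "pocket", "winter", "marble", "signal", "orbit", "lemon"]
COMMON = {"password", "letmein", "qwerty", "welcome", "admin", "iloveyou"}

# Common letter-for-symbol substitutions, undone before checking the wordlist.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s",
                      "5": "s", "3": "e", "1": "i", "7": "t"})


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(charset_size ** length).
    Every extra character adds log2(charset_size) bits, so doubling the
    length doubles the bits, i.e. squares the number of guesses."""
    if charset_size < 2 or length < 1:
        return 0.0
    return length * math.log2(charset_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` uniformly random picks. Only the
    list size matters; longer words add memorability, not entropy."""
    if wordlist_size < 2 or words < 1:
        return 0.0
    return words * math.log2(wordlist_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password after half the keyspace, at an
    assumed offline guess rate (1e10/s is illustrative, not a measurement)."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that contains the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def normalise(password: str) -> str:
    """Strip the decoration a cracker's rules try first (trailing digits and
    symbols, leet substitutions, case) to recover the underlying word."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def estimate_bits(password: str, common=COMMON) -> float:
    """Naive charset entropy, unless the password is a decorated dictionary
    word: those are tried first and get effectively zero credit."""
    if normalise(password) in common:
        return 0.0
    return entropy_bits(charset_size(password), len(password))


def generate_password(length: int, alphabet: str = MIXED) -> str:
    """Random password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int, wordlist=WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: each word chosen uniformly from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for n in (8, 12, 16, 20):
        bits = entropy_bits(len(MIXED), n)
        print(f"{n:2d} random chars: {bits:6.1f} bits, ~{years_to_crack(bits):.2e} years")
    print(f"6 diceware words: {passphrase_bits(7776, 6):.1f} bits")
    print(f"P@ssw0rd!: {estimate_bits('P@ssw0rd!'):.1f} bits (on the wordlist)")
    print("generated:", generate_password(16), "|", generate_passphrase(6))
```

Note that the naive charset estimate is an upper bound: it is only accurate for passwords that were actually drawn at random, which is why the generator functions use `secrets` and why `estimate_bits` refuses to credit a decorated dictionary word.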
The one rule that matters most: never reuse
Even a strong password is dangerous if you use it in more than one place. When any site is breached, attackers take the leaked email/password pairs and try them everywhere else, an attack called credential stuffing. A unique password per site means one breach can't cascade into your email, bank and work accounts.
Use a password manager
Nobody can remember hundreds of unique random passwords, and you shouldn't try. A password manager generates a strong, unique password for every site and stores them encrypted behind one master password (or passkey). You memorise exactly one strong passphrase; the manager handles the rest. This single habit eliminates reuse and weak passwords in one move.
Add MFA
Multi-factor authentication (MFA) requires a second factor (an app code or a hardware key) on top of your password. Even if a password is stolen or guessed, MFA usually stops the attacker. Enable it on your email, banking and any account that supports it; phishing-resistant hardware keys are the gold standard.
Put it into practice
Generate a strong, random password with our password generator, then see how it scores (and how much better it is than a "complex" short one) with the password strength checker. If you run IT for a team, codify these ideas with the password policy generator.
Frequently asked questions
What makes a password strong?
High entropy, driven mostly by length, plus a varied character set and genuine randomness. A long random password or passphrase beats a short "complex" one. Uniqueness per site matters just as much.
How long should my password be?
At least 16 characters for important accounts. Each added character multiplies the difficulty of guessing, so length adds strength faster than adding a single symbol.
Are passphrases secure?
Yes, if the words are randomly chosen. A string of several random words can be both very strong and easy to remember. Avoid quotes or self-chosen words, which are predictable.
Try the related tools
- Password Generator: Create strong, random passwords with custom length and character sets, generated securely in your browser.
- Password Strength & Entropy Checker: Measure a password's entropy in bits and estimate how long it would take to crack.
- Password Policy Generator: Turn your password rules into a written policy plus Linux PAM and Windows config.
Related guides
- Bcrypt vs SHA-256: Why You Don't Hash Passwords with SHA. SHA-256 is fast, which is exactly why it's the wrong way to store passwords. Here's why bcrypt (or Argon2) wins, and how salting and cost factors work.
- What Is a UUID? v4 vs v7 Explained. What a UUID actually guarantees, why collisions are a non-issue, and why v7 is quietly replacing v4 for database keys.
- What Is HTTP Basic Authentication? The simplest way to password-protect a page, and its big caveat. How Basic Auth works, why HTTPS is mandatory, and where it fits.