How to Create a Strong Password (2026)

By Rui Barreira · Last updated: 18 June 2026

A strong password is one an attacker cannot guess, brute-force, or find in a leaked database. The three ingredients are length, randomness, and uniqueness per account. Understanding why each matters makes the rules easy to apply — and harder to rationalize your way out of.

What actually makes a password strong

Password strength is measured in bits of entropy — the log base-2 of the number of possible combinations. More bits means more guesses required to crack it. The dominant factor is length, not complexity. A 20-character lowercase password has more entropy than a 10-character password mixing uppercase, numbers, and symbols. Complexity substitutions (@ for a, 3 for e) add almost nothing because they are in every attacker wordlist.

| Length | Character set | Entropy (bits) | Offline crack time (modern GPU) |
|---|---|---|---|
| 8 chars | Lowercase only | ~38 bits | Seconds |
| 8 chars | Mixed case + numbers + symbols | ~52 bits | Minutes to hours |
| 12 chars | Mixed case + numbers + symbols | ~79 bits | Centuries |
| 16 chars | Mixed case + numbers + symbols | ~105 bits | Effectively impossible |
| 20 chars | Mixed case + numbers + symbols | ~131 bits | Beyond foreseeable hardware |

The practical threshold: 16 characters minimum for any account that matters. 20+ for your email, bank, and password manager master password. These are not arbitrary numbers — at 105+ bits of entropy, offline brute-force is computationally infeasible with current and near-future hardware.

How to create one in practice

Use a password manager with a built-in generator, or a client-side tool that never sends the result over the network. The process is four steps: generate a random password of 16–20 characters using all character sets, copy it immediately into your password manager, save the entry, and never reuse it on another account. That last point matters as much as the strength itself — credential stuffing attacks take passwords leaked from one breach and try them across other services automatically. A strong reused password collapses the moment any site that holds it is breached.

If a site caps password length below 16 characters or forbids symbols, use the full length it allows and include as many character classes as it permits. Services with such restrictions impose lower security on their users; work within their limits and maximise entropy inside them.

Use the Password Strength Checker to measure the entropy of any candidate password before committing to it.

Passphrases as an alternative

A passphrase is four or more random dictionary words chosen by a CSPRNG (cryptographically secure pseudo-random number generator), not by you. "correct horse battery staple" is the canonical example from xkcd. Four words from a 7,776-word Diceware list gives ~51 bits of entropy — comparable to a 10-character random password. Five words reach ~64 bits, six words ~77 bits. Passphrases are the right choice for passwords you must memorise (your password manager master password, your device login). For everything else stored in the manager, use random character strings — they are shorter for equivalent entropy and faster to type when needed.
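The generation step and the passphrase approach described above, as an added Python example (not code from this guide or from any tool it mentions), using the standard-library `secrets` CSPRNG. The function names and the eight-word sample list are assumptions made for illustration; a real Diceware list has 7,776 words.

```python
import math
import secrets
import string


def entropy_bits(length, pool_size):
    """Entropy of `length` independent uniform picks from `pool_size` symbols."""
    return length * math.log2(pool_size)


def generate_password(length=20, symbols=string.punctuation):
    """Random password from the OS CSPRNG; pass symbols="" if a site forbids them."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(symbols)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    pool = "".join(classes)
    while True:
        # Rejection sampling: draw every character uniformly from the full pool
        # and retry until each class appears. Forcing one character per class
        # into fixed slots would bias the result; this does not. The class
        # requirement trims entropy slightly below length * log2(len(pool)).
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def generate_passphrase(wordlist, words=6, sep=" "):
    """Pick `words` entries from `wordlist` with the CSPRNG, never by hand."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would overstate the entropy")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


# Constructed sample list, far too small for real use (8 words = 3 bits per word).
SAMPLE_WORDS = ["anchor", "breeze", "cactus", "dynamo",
                "ember", "fjord", "gadget", "harbor"]

if __name__ == "__main__":
    pool = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    print(generate_password(20), f"~{entropy_bits(20, pool):.0f} bits")
    # Site that caps length at 12 and forbids symbols: 62-symbol pool.
    print(generate_password(12, symbols=""), f"~{entropy_bits(12, 62):.0f} bits")
    print(generate_passphrase(SAMPLE_WORDS),
          f"~{entropy_bits(6, len(SAMPLE_WORDS)):.0f} bits with this sample list")
    print(f"6 Diceware words: ~{entropy_bits(6, 7776):.1f} bits")
```

`secrets` draws from the operating system's CSPRNG; the general-purpose `random` module is not suitable for this.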

Frequently Asked Questions

Is this tool free?
Yes — completely free, no signup required. All processing happens in your browser.
Does the tool work offline?
Once loaded, most features work without an internet connection since everything runs client-side.