Strong Password Ideas That Actually Work
Most password advice tells you to "use uppercase, lowercase, numbers, and symbols" — then leaves you staring at a blank field with no idea what to actually type. Here is what genuinely strong looks like, what to avoid, and how to generate something that actually protects you.
What makes a password genuinely strong
Password strength comes from two things: length and unpredictability. A 20-character password made of only lowercase letters is statistically stronger than an 8-character password with every character type included. Each additional character does not add to the difficulty linearly — it multiplies it.
Unpredictability means the password has no recognisable pattern, no real words, no personal information, and no relationship to you or the site it protects. Attackers do not try every possible combination — they use dictionaries, pattern lists, and leaked databases. Anything predictable falls quickly. Anything random and long takes centuries.
Passwords that feel strong but aren't
These examples look reasonable at a glance but would be cracked in seconds by modern software:
Summer2024!
Season + year + symbol is one of the most-tried patterns in every cracking dictionary.
Password123
The most commonly used password globally, year after year. Cracked in milliseconds.
John1990!
Name + birth year is personal information findable on LinkedIn or Facebook.
iloveyou
Appears in every word list attackers use. No symbols, short, common phrase.
Qwerty123!
Keyboard walks are well-known and tried early. The exclamation mark at the end adds nothing.
Two approaches that genuinely work
1. Fully random — use a password manager
Generate a completely random string of 16–20 characters and store it in a password manager. You never need to remember it — the manager fills it in. This is the strongest approach and the one security professionals universally recommend for accounts you access from your own devices.
xK#9mP!2wQ@vL5j → stored in manager ✓
2. Transformed personal word — for accounts you type manually
Start from a word only you would associate with this account — not your name or pet, but something obscure. Apply consistent personal rules: capitalise specific letters, swap vowels for symbols, add a random suffix. The output looks random to a cracking tool while remaining decodable to you.
telescope → T3l3sc0pE#94 ✓
The rule that matters more than any other
Every account needs a different password. This is non-negotiable. A site you signed up for years ago with the same password as your email could be breached at any time, and the first thing attackers do with a leaked credential list is try every entry on Gmail, PayPal, and banking sites. If your passwords are unique, a breach on one site stays contained to that site.
If managing unique passwords for dozens of accounts feels unmanageable, that is exactly what password managers are designed to solve. Bitwarden is free and open-source. 1Password is popular. Google's built-in manager works well if you are in the Google ecosystem. Use any of them.
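As an added example (not code from this page or from any password manager), the Python below generates the fully random password of approach 1 with the standard-library `secrets` module and puts the length-versus-variety comparison into numbers. The function names are illustrative, and the bit counts hold only for characters chosen at random, not for words or patterns.

```python
import math
import secrets
import string

# The four character classes; together the 94 printable ASCII characters
# other than space.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of candidates a brute-force search must cover."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 20) -> str:
    """Uniformly random password that contains every character class.

    secrets draws from the OS CSPRNG; the random module is predictable and
    must not be used for credentials. A candidate missing a class is
    discarded and redrawn whole (rejection sampling), so every accepted
    password is equally likely and no position is forced to hold a symbol.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def compare_length_vs_variety() -> dict:
    """The page's comparisons, expressed as search-space size in bits."""
    return {
        "8 chars, all types": round(search_space_bits(8, len(ALPHABET)), 1),
        "16 chars, lowercase only": round(search_space_bits(16, 26), 1),
        "20 chars, lowercase only": round(search_space_bits(20, 26), 1),
        "20 chars, all types": round(search_space_bits(20, len(ALPHABET)), 1),
    }


if __name__ == "__main__":
    for label, bits in compare_length_vs_variety().items():
        print(f"{label:26s} {bits:6.1f} bits")
    print("generated:", random_password(20))
```

Every extra bit doubles the work of an exhaustive search, so the gap between 8 mixed characters and 20 lowercase letters is a factor of roughly 2^41.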
Frequently asked questions
What is an example of a truly strong password?
A truly strong password looks something like 'xK#9mP!2wQ@vL5j' — 15+ characters, no real words, all character types, completely random. You won't be able to memorise it, which is fine — it should live in a password manager. For accounts you need to type manually, a transformed personal word like 'T3l3sc0pE#94' (based on 'telescope') is a workable compromise.
How many characters should a strong password have?
Security experts recommend at least 16 characters for important accounts. Length is the single most important factor — a 16-character password with only lowercase letters is stronger than an 8-character password with every character type. Each additional character multiplies the difficulty of a brute-force attack, so the work grows exponentially with length.
Are passphrases stronger than random passwords?
A passphrase of four or five truly random words (like 'correct-horse-battery-staple') is considered very strong and easier to memorise than a random character string. The key word is 'random' — the words must be chosen randomly, not picked from a phrase you know, which would be predictable and far weaker.
Should I use symbols in my password?
Yes, but their placement matters. Putting a symbol at the very end (Password1!) is so common that cracking tools try it automatically. Symbols are most effective when placed inside the password at unpredictable positions, or when applied as substitutions within words — but only if those substitutions are not the obvious ones (a→@, e→3) that are already in every dictionary.
Is a password manager safe to use?
Yes — reputable password managers like Bitwarden, 1Password, Dashlane, and Google's built-in manager are considered safe. They encrypt your passwords locally before storing them, meaning even the company cannot see your passwords. The risk of using a password manager is far lower than the risk of reusing weak passwords across sites.
What characters make a password hardest to crack?
The most effective characters are those that expand the character set an attacker must search through. Using uppercase, lowercase, numbers, and special symbols (especially uncommon ones like ^, ~, {, or |) significantly increases the difficulty. However, length ultimately matters more than character variety — 20 lowercase characters beat 8 characters of every type.