How to Create a Strong Password (and Remember It)
What actually makes a password strong
Password strength comes down to two things: length and unpredictability. A 16-character random password is exponentially harder to crack than an 8-character one, regardless of how many special characters the shorter password contains.
The most common passwords are still 123456, password, and variations of people's names and birthdays. These are weak not because they lack symbols, but because they are predictable.
The problem with password rules
Many websites require passwords like: at least 8 characters, one uppercase, one number, one symbol. These rules lead people to create easily guessable patterns. A password like Password1! is technically compliant but trivially cracked.
A better approach: use a random password generator and a password manager. The password manager remembers it so you do not have to.
What a strong password looks like
A strong randomly generated password uses a mix of uppercase letters, lowercase letters, numbers, and symbols with no recognisable pattern or word. Aim for at least 16 characters. The exact characters matter less than the length and randomness.
Recommended minimum lengths by account type
Email accounts: 20 characters minimum — your email is the master key to all other accounts. Banking: 16 characters using all character types. Social media: 14 characters, unique per platform. Forums or low-stakes accounts: 12 characters, still unique per site.
Strategies that actually work
Use a random password generator plus a password manager. Generate a different random password for every site and store them all in a password manager. You only remember one master password.
Use a passphrase. Choose four or more unrelated random words. A long passphrase is both strong and memorable — much better than a short complex password.
Never reuse passwords. One data breach at any site exposes every account that shares the same password.
FAQ
How long should a password be? At least 12 characters for low-value accounts, 16 or more for anything important. Longer is always stronger.
Are password managers safe? Yes — reputable password managers encrypt your vault locally before syncing. The risk of reusing weak passwords far outweighs the risk of using a trusted password manager.
Should I change my passwords regularly? Only when there is a reason — a breach, suspicious activity, or a shared account. Frequent forced changes lead to weaker passwords, not stronger ones.
You cannot remember it — and you should not try. That is what a password manager is for.
How to use the password generator
1. Open the Password Generator tool.
2. Set the length to at least 16 characters. Longer is better.
3. Include uppercase letters, lowercase letters, numbers, and symbols.
4. Generate a password and copy it immediately into your password manager.
Never write passwords on paper or store them in plain text files.
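What a generator of this kind does under the hood, together with the passphrase strategy described earlier, shown as an added example (this is not the code of the Password Generator tool mentioned above). The function names and the sample word list are assumptions made for illustration.

```python
import math
import secrets
import string

# The four character classes from step 3 above.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 symbols

# Constructed sample list, far too small for real use; a real passphrase
# needs a list of thousands of words.
SAMPLE_WORDS = ["anchor", "biscuit", "copper", "drizzle", "ember", "falcon",
                "glacier", "hammock", "ivory", "jigsaw", "kettle", "lantern"]


def generate_password(length=16):
    """Random password from the OS CSPRNG, containing every character class."""
    if length < len(CLASSES):
        raise ValueError("length is too short to hold every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw the whole password instead of patching characters in, so
        # every accepted password stays equally likely.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def generate_passphrase(wordlist, words=4, sep="-"):
    """Join `words` independently chosen random words from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options.

    For generate_password this is an upper bound: requiring every class
    rules out a small fraction of candidates.
    """
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_passphrase(SAMPLE_WORDS, 4))
    for n in (8, 16, 20):
        print(f"{n} random characters: {entropy_bits(len(ALPHABET), n):.1f} bits")
```

Each extra character adds about 6.5 bits, so going from 8 to 16 characters doubles the entropy, which is why length matters more than adding one more symbol.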
The password manager approach
A password manager (like 1Password, Bitwarden, or the built-in one in your browser) stores all your passwords encrypted behind one strong master password. You only need to remember one password — and the manager generates and fills unique, random passwords for every site.
This solves the biggest real-world problem: most people reuse passwords across sites. When one site's database is breached, attackers try the same credentials everywhere. Unique passwords per site prevent this.
Minimum password requirements by use case
- Email: 20 characters minimum (your email is the master key — make it long)
- Banking: 16 characters using all character types
- Social media: 14 characters, unique per platform
- Forums/low-stakes: 12 characters, still unique per site