← Back to Blog

How to Create Strong Passwords — And Why Most People Get It Wrong

Most people approach password security the wrong way. They swap an "E" for a "3", add a "!" at the end, and call it done. That approach made sense in 1995. In 2026, it offers almost no real protection against modern attacks.

This guide explains what actually makes a password strong, how security researchers measure it, and what you can do today to dramatically improve your account security — without having to memorise a string of random characters.

What Makes a Password Strong?

Password strength comes down to one concept: entropy. Entropy is a measure of unpredictability — how many possible combinations an attacker would need to try before guessing your password. It is usually expressed in bits.

The higher the entropy, the stronger the password. The two things that increase entropy are:

Of these two, length is far more powerful. A 20-character password made of only lowercase letters has higher entropy than a 10-character password using every type of character. This surprises most people.

Quick comparison: A 10-character password using all character types (uppercase + lowercase + numbers + symbols = ~95 characters) has about 65 bits of entropy. A 20-character lowercase-only password has about 94 bits. The longer password wins, even with a smaller character pool.

Why "Pa$$w0rd" Style Passwords Fail

The habit of substituting letters with numbers or symbols — writing "3" instead of "E", "0" instead of "O", "@" instead of "A" — is called leetspeak substitution. It was novel in the early internet era. Today, every serious password cracking tool includes these substitutions by default.

When an attacker runs a dictionary attack against a hashed password database, they do not just try "password". They try "p@ssw0rd", "P@$$w0rd", "P4ssword!", and thousands of other common variations automatically. Your clever substitution is already in their wordlist.

The same problem applies to adding a number or symbol at the end: "password1", "password123", "password!" are all predictable patterns that crackers test first.

What Actually Works: Length and Randomness

Two approaches genuinely improve password security:

1. Long random character strings. A password like x8#Kp2mQrL9!vZnT is strong because it is long and genuinely random. The catch is that it is nearly impossible to memorise, which is why a password manager is essential if you go this route.

2. Passphrases. A passphrase is a sequence of random words: correct-horse-battery-staple. This concept was famously illustrated by the webcomic XKCD in 2011 and remains one of the best pieces of password security advice ever published. Four or five random words give you a password with very high entropy that is also humanly memorable.

The key word is random. "ilovemydogmaxHe'sSoCute!" is not a strong passphrase — it is a predictable sentence. A truly strong passphrase uses words chosen randomly, not words that tell a story about your life.

Password Entropy at a Glance

Password type Example length Approx. entropy Verdict
Common word + numbers 10 chars ~10 bits effective Very weak
Mixed case + symbols 10 chars ~65 bits Moderate
Random characters 16 chars ~104 bits Strong
4-word passphrase ~28 chars ~77 bits (EFF wordlist) Strong + memorable
6-word passphrase ~42 chars ~77–116 bits Very strong

One Password Per Account

Even a perfectly strong password becomes a serious risk if you reuse it. The reason is credential stuffing: when a service gets breached and its password database leaks, attackers take those username/password pairs and automatically try them on hundreds of other sites. If you used the same password on a small forum in 2015 as on your email account today, that breach could compromise your email.

The only practical solution is a unique password for every account. This is only manageable with a password manager — a secure application that stores and auto-fills all your passwords so you only need to remember one master password.

How Password Generators Help

Generating a truly random password by hand is harder than it sounds. Humans are very bad at randomness — we gravitate toward patterns, avoid certain characters, and unconsciously make choices that reduce entropy. A proper password generator uses a cryptographically secure random number generator to eliminate that human bias entirely.

Modern browsers provide window.crypto.getRandomValues() — a Web Crypto API that produces cryptographically secure random values without relying on any server. A generator built on this API produces passwords that are genuinely random, and because it runs entirely in your browser, your generated passwords are never transmitted anywhere.

How Password Attacks Actually Work

Understanding how attackers try to crack passwords helps clarify what makes a password strong. There are two main approaches: dictionary attacks and brute-force attacks.

Dictionary attacks use lists of known passwords, common words, and predictable substitutions (replacing "a" with "@", for example). These lists contain hundreds of millions of entries and can test them in seconds. Any password based on real words, names, or phrases — even with substitutions — is vulnerable to dictionary attacks.

Brute-force attacks systematically try every possible combination of characters. The feasibility of a brute-force attack depends entirely on password length and character set. An 8-character password using only lowercase letters has about 200 billion possible combinations — testable in minutes with modern hardware. A 16-character random password using mixed case, numbers, and symbols has more combinations than there are atoms in the visible universe.

Using a Password Manager

The most practical way to maintain unique, strong passwords for every account is to use a password manager. A password manager stores all your passwords in an encrypted vault protected by a single strong master password. You only need to remember one password; the manager handles the rest.

For generating the passwords themselves, browser-based generators like KeyForge offer an additional layer of privacy: the generated password is never transmitted to any server, calculated in any cloud environment, or stored anywhere. You generate it, copy it into your password manager, and it exists only where you put it.

🔑 Try KeyForge — privotools' browser-based password generator. Generate random character passwords, multi-word passphrases, PINs, or memorable passwords with real-time entropy and crack-time estimates. Built on the Web Crypto API — your passwords never leave your browser.

Open KeyForge →

Quick Summary

Password security does not have to be complicated. The principles are simple: make it long, make it random, make it unique. Everything else is noise.

Frequently Asked Questions

How long should a strong password be?

Security experts generally recommend a minimum of 16 characters for important accounts, with longer being better. A 16-character random password is exponentially harder to crack than an 8-character one, regardless of character variety.

Are passphrases more secure than random passwords?

Passphrases — sequences of random words like "apple-tower-river-cloud" — can be highly secure if they contain enough words (4 or more) chosen randomly. They have the advantage of being easier to remember while still providing strong entropy against brute-force attacks.

Should I use the same password for multiple accounts?

No. Reusing passwords is one of the most dangerous password habits. If one site is breached and your password is exposed, attackers will try it on other sites immediately. Each account should have a unique password.

What makes a password generator secure?

A secure password generator uses a cryptographically secure random number generator (CSPRNG) rather than a predictable algorithm. It should also run locally in your browser, so the generated passwords are never transmitted over the network or stored on a server.

Is it safe to use an online password generator?

It depends on the tool. Browser-based generators like KeyForge generate passwords locally using your device's built-in cryptographic functions — the password never leaves your browser. Avoid tools that generate passwords server-side, as the generated passwords could theoretically be logged.