Toolerax logoToolerax
·8 min read

How to Create a Strong Password

Almost everything most people believe about strong passwords is out of date. The rules drilled into us for twenty years — swap letters for symbols, change it every 90 days, cram in a capital and a number — turn out to make passwords harder for humans and barely harder for computers. This guide explains what actually makes a password strong, why the old advice failed, and the one habit that matters more than the password itself.

The only thing that really matters: length

Password strength is measured in entropy — essentially, how many guesses an attacker would need. Entropy grows from two things: the size of the character set, and the length.

The critical fact is that length grows entropy exponentially, while complexity grows it only linearly. Every extra character multiplies the number of possible passwords; adding symbols to the alphabet merely increases the base being multiplied.

Compare these two:

  • P@ssw0rd!— 9 characters, every character class, looks “strong,” and satisfies almost any corporate password policy. It is cracked essentially instantly.
  • correct horse battery staple — lowercase letters and spaces only, no symbols, no numbers. It would take an infeasible amount of time to crack.

The second one is vastly stronger, easy to remember, and would be rejected by many password forms for lacking a number. That is the absurdity of the old rules in one example.

Why “P@ssw0rd!” fools nobody

People assume that substituting @ for a and 0 for o makes a word unrecognisable. It does not — not to software.

Attackers do not guess passwords character by character. They run dictionary attacks against lists of real, leaked passwords, and they apply mangling rules that try every common substitution automatically: capitalise the first letter, append a year, swap a→@, e→3, s→$, add an exclamation mark at the end.

These rules were written precisely because everybody does the same tricks. Your clever substitution is in the attacker's standard playbook. Meanwhile, it made the password genuinely harder for you to remember — a pure loss on both sides.

The passphrase approach

For passwords you must actually memorise — your device login, your password manager's master password — use a passphrase: four or five random words strung together.

The word randomis doing all the work. “I love my dog Buster” is a sentence, not a passphrase — it is grammatical, personal and guessable. You want words with no relationship to each other and no connection to you: velvet-cactus-19-tunnel-mop.

The reliable way to get genuine randomness is to let a tool pick the words, because humans are famously bad at being random. Left to ourselves we reach for meaningful words, familiar names and recognisable patterns — exactly the things attackers try first.

The real danger is reuse, not weakness

Here is the thing almost nobody internalises: the most common way accounts get compromised is not password cracking at all. It is reuse.

The attack, called credential stuffing, is depressingly simple. Some website you signed up to years ago gets breached, and its list of emails and passwords ends up for sale. Attackers then take those pairs and try them, automatically, on hundreds of other sites — your email, your bank, your work login.

If you reused that password, they are already in. It does not matter how strong it was. A 30-character monster reused across ten sites is less safe than ten mediocre passwords used once each, because a single breach anywhere unlocks everything.

Every account needs its own unique password. This, more than any complexity rule, is the thing that actually protects you.

Which means you need a password manager

Unique passwords for every account is impossible to do by memory, and that is not a personal failing — it is arithmetic. Nobody memorises a hundred random strings.

A password manager solves it: it generates a long random password for every site, stores them encrypted, and fills them in for you. You memorise exactly one strong passphrase — the master password — and it protects everything else.

The common objection is “isn't that a single point of failure?” Technically yes, but consider the honest alternative: reusing passwords, or writing them in a notes file. A password manager is dramatically safer than what nearly everyone does instead. The vault is encrypted with your master password, which the provider never sees.

Why forced 90-day rotation backfired

For years, organisations forced everyone to change their password every 90 days. Security agencies — including NIST and the UK's NCSC — now explicitly recommend against it.

The reason is human behaviour. Forced to change constantly, people do not invent a fresh strong password each time. They make a small predictable edit: Summer2025! becomes Summer2026!, then Autumn2026!. Attackers know this pattern perfectly well. Rotation produced weaker, more predictable passwords, and taught people to resent security.

The modern advice: use a long unique password, and change it when there is a reason — a breach, or a suspicion of compromise. Not on a calendar.

Turn on two-factor authentication

Even a perfect password can be phished. Two-factor authentication (2FA) means a stolen password alone is not enough to get in.

Prefer an authenticator app or a hardware key over SMS codes. SMS can be intercepted through SIM-swapping, where an attacker persuades your mobile carrier to move your number to their device. It is still far better than nothing — but an app is better still.

Common mistakes to avoid

  • Reusing passwords. The big one. Everything else is a footnote next to this.
  • Using personal information — birthdays, pet names, your street. All of it is findable.
  • Trusting character substitutions to disguise a dictionary word.
  • Keyboard patterns like qwerty or 1qaz2wsx. They look random and are in every cracking dictionary.
  • Sharing passwords over email or chat, where they sit in plain text forever.
  • Ignoring a breach notification. If a service tells you it was breached, change that password — and anywhere you reused it.

Frequently asked questions

How long should a password be? At least 12 characters if it is randomly generated; 16 or more is better. For a memorised passphrase, use four or five random words.

Do I still need symbols and numbers? They help, but far less than length. A long password of only lowercase letters beats a short one with every character class.

Has my password been leaked? Breach-checking services let you find out. If it has, change it everywhere you used it — and stop reusing it.

Is writing passwords down really so bad? A notebook kept physically secure at home is safer than reusing one password everywhere. It is not ideal, but it beats the common alternative.

Generate a strong password now

Use our Password Generator to create long, genuinely random passwords in your browser — nothing is transmitted, and nothing is stored. Curious how sites store passwords safely? Read about hashing in MD5 vs SHA-256, or try the Hash Generator.

Tools mentioned in this article