Most passwords people use break in seconds. Not because the attacker "guesses," but because they try millions of combinations per second and because we reuse the same keys everywhere. This guide shows what really makes a password strong and how to generate and manage yours without losing your mind.
What makes a password strong
Password strength is measured in entropy: how many possible combinations exist. And entropy depends on two things:
- Length: the most important factor. Each extra character multiplies the combinations.
- Variety: mixing lowercase, uppercase, numbers and symbols increases the range per character.
An 8-character password, even with symbols, is now considered weak. The reasonable minimum is 12-16 characters, and the more, the better.
The killer mistake: reusing passwords
Even if your password is strong, if you use it on 10 sites and one suffers a breach, attackers will automatically try it on the other nine (this is called credential stuffing). The golden rule: a different password for each service.
And here's the real problem: nobody can remember 100 unique, long passwords. The solution isn't memory, it's a system.
The two strategies that work
1. Generator + password manager
Generate random, long passwords with a tool, and store them in a manager (the browser's or a dedicated one). You only remember the master password; the manager remembers the rest. It's the most secure and convenient option.
You can generate strong passwords free with the password generator on this site, which creates them with the browser's cryptographic API (crypto), without sending them to any server.
2. Passphrases
If you need a password you'll actually type and remember (like the manager's master one), use a passphrase: several random words together, for example horse-battery-staple-correct. They're long (lots of entropy) and easier to remember than a jumble of symbols.
Why generating passwords locally matters
If a website generates your password on its server, that password has traveled across the internet before you use it. A generator that runs in your browser creates the key locally with a cryptographically secure random number generator (crypto.getRandomValues), and it never leaves your device. For something as sensitive as a password, this is essential.
Common mistakes to avoid
- Obvious substitutions:
P@ssw0rdfools no one; crackers know all those tricks. - Personal data: names, birth dates, pets. The first thing tried.
- Keyboard patterns:
qwerty,123456,asdfgh. - Short passwords with "complexity": 8 characters with symbols is still too few. Length rules.
- Reusing the manager's master elsewhere. That one goes in one place only: the manager.
Check strength before using it
A good generator shows the estimated strength and the approximate time it would take to crack by brute force. Use it as a guide: if a password would break in hours or days, make it longer.
Frequently asked questions
How often should I change my passwords? Only if you suspect a breach. Changing them randomly every month worsens security (people end up using weak variants).
Is the browser's manager safe? Yes, modern ones encrypt passwords. A dedicated manager adds features, but the browser's is already far better than reusing keys.
Do symbols matter? They help, but length matters more. A long password without symbols can be stronger than a short one with them.
Are my passwords uploaded when generated? No, if you use a local generator. Everything is created in your browser.
Generate strong, unique passwords free with the password generator, using the browser's cryptographic API and without your key ever leaving your device.