July 14, 2026
How to Generate a Strong Password (And Why Length Beats Complexity)
"Use a mix of uppercase, lowercase, numbers, and symbols" is the advice everyone's heard, and it's not wrong — but it's incomplete, and it's led a lot of people to create 8-character passwords packed with symbols that are actually weaker than a longer, simpler one.
The variable that matters most: length
Password strength against brute-force guessing comes down to entropy — how many possible combinations an attacker has to try. Adding one more character to a password multiplies the possible combinations by roughly the size of your character set. Adding one more *character set* (like symbols) only multiplies it by a much smaller factor. A 20-character password using only lowercase letters is harder to brute-force than an 8-character password using every character type available.
A practical way to think about it
- 12 characters, mixed types — the bare minimum for anything you care about today
- 16 characters, mixed types — a solid default for most accounts
- 20+ characters — for anything highly sensitive: your password manager's master password, financial accounts, crypto wallets
Why randomly generated beats human-created
Humans are bad at being random on purpose. Patterns like capitalizing the first letter, ending with a number, or substituting @ for a swap out predictable structure that attackers' cracking tools already account for. A password generated by a proper random source has none of that structure to exploit.
The randomness source actually matters
Not all "random" is equal. JavaScript's Math.random() is not cryptographically secure and is unsuitable for anything security-related — it's predictable enough in some environments that its output has been reverse-engineered in real attacks. A proper password generator uses crypto.getRandomValues(), the same class of randomness used for actual encryption keys.
The other half of the equation: never reuse a password across accounts, no matter how strong it is. A single breach anywhere reusing that password exposes every account tied to it — which is what password managers exist to solve.
Want to try this yourself?
Open Password Generator →