How to Create a Strong Password (2026 Guide)

Most people vastly underestimate what makes a password strong. Complexity rules like "add a capital letter and a symbol" have been the dominant advice for two decades, yet NIST SP 800-63B (2017, updated 2024) explicitly recommends against mandatory complexity requirements in favor of length and uniqueness. The intuition is simple: a longer password drawn from a random process has far more possible values than a short one dressed up with symbols.

Step 1: Choose Length — 16 Characters or More

Every character you add to a password multiplies the number of possible values by the size of the character set. A password drawn from 95 printable ASCII characters has 95^16 ≈ 4.4 × 10^31 possible values at 16 characters. At 12 characters that same character set yields roughly 5.4 × 10^23 — more than 80 billion times fewer possibilities.

Modern offline attacks using GPUs can test tens of billions of guesses per second against weak hashing algorithms (MD5, SHA-1, NTLM). Against bcrypt or Argon2id the rate drops dramatically, but the underlying math still favors length. NIST SP 800-63B sets an 8-character minimum for user-chosen passwords and explicitly supports long passwords (up to at least 64 characters), while OWASP's guidance encourages a longer practical floor. Building on those standards, this guide recommends aiming for at least 16 characters; use 20 or more for high-value accounts such as your email, banking, or password manager master password.

Step 2: Maximize Randomness — Use a Generator

Humans are notoriously bad at generating randomness. Studies of exposed password databases consistently show that even passwords that technically satisfy complexity rules cluster around predictable substitutions: "P@ssw0rd", "S3cur1ty!", and variations. An attacker running a rule-based attack will try these substitutions within the first million guesses — orders of magnitude before reaching a truly random sequence.

A cryptographically secure random number generator (CSPRNG), by contrast, treats every character slot as an independent draw with no memory of what came before. Browsers expose window.crypto.getRandomValues() — a CSPRNG backed by the operating system — which is what the Strong Password Generator uses. The result is that each password of a given length is equally likely, with no exploitable pattern.

Never construct a password from a word, a date, a pet name, or a keyboard walk like "qwerty123". Even with symbol substitutions applied, these patterns are thoroughly covered by modern wordlist and rule-based attacks.

Step 3: Make It Unique — One Password Per Account

Credential stuffing is now the dominant attack vector against consumer accounts. In a credential-stuffing attack, an adversary takes leaked username/password pairs from one breach (there are billions of these in circulation) and automatically tries them against hundreds of other services. If you reuse a password, a breach of a minor forum can cascade into the compromise of your email, bank, and cloud storage.

The only practical solution is uniqueness: every account gets its own password, generated fresh and stored only in your password manager. You do not need to remember any of these passwords — that is what the manager is for.

You can check whether your existing credentials have appeared in known breaches at HaveIBeenPwned and gauge the strength of a candidate password with the password strength checker.

Step 4: Store It — Use a Password Manager

A password manager encrypts your credentials vault with a single master password (or biometric unlock) and syncs it across devices. It generates, fills, and stores unique passwords without requiring you to memorize them. Leading options include Bitwarden (open-source, audited), 1Password, and KeePassXC (local-only).

The master password for your manager is the one password worth memorizing. Make it long — consider a five-word diceware passphrase — and never write it down digitally. Enable two-factor authentication on the manager account itself for an additional layer of protection.

Enable Two-Factor Authentication

A strong, unique password is a necessary but not sufficient defense. Two-factor authentication (2FA) requires a second proof of identity — a time-based code from an authenticator app, a hardware key (YubiKey, Passkey), or a push notification — in addition to your password. Even if an attacker obtains your password through phishing or a breach, they cannot log in without the second factor.

Enable 2FA on every account that supports it, prioritizing email, password managers, financial accounts, and your primary social logins. Prefer an authenticator app (TOTP) over SMS, since SMS codes can be intercepted via SIM-swapping attacks.

Standards Reference

The guidance above is consistent with NIST Special Publication 800-63B ("Digital Identity Guidelines — Authentication and Lifecycle Management") and the OWASP Authentication Cheat Sheet. Both documents have moved away from periodic forced password changes and complexity requirements in favor of length, breach-checking, and manager use — which aligns with this four-step approach.

Written &amp; reviewed by Andrew Ivanov, Fractional CTO.