How to Generate a Strong Password: Length, Randomness, and Best Practices
A cryptographically secure 20-character password is better than any memorable pattern. Here is exactly what makes a password strong in 2026.
Most people's passwords are bad. Not because people are careless, but because the rules people were taught for years (use a capital letter, add a number, swap an e for a 3) don't produce strong passwords. They produce predictable patterns that attackers specifically look for.
What makes a password strong
Length matters more than complexity. A 20-character password made of random lowercase letters has more entropy than a 10-character password with uppercase, numbers, and symbols. Randomness matters too: human-chosen "random" passwords are not random. People gravitate toward familiar words, dates, and keyboard patterns even when trying to be random.
Use our Password Generator to generate genuinely random passwords. The generator uses the browser's cryptographically secure random number generator, which is fundamentally different from how humans make random choices.
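The two points above, sketched as an added example (this is not the generator's own code): characters are drawn from the Web Crypto CSPRNG with rejection sampling so every character is equally likely, and entropy is computed to check the length-versus-complexity comparison. The function names and the symbol set are assumptions made for illustration.

```javascript
// Added example. Assumes a runtime exposing the Web Crypto API:
// browsers and current Node.js have it as a global; older Node via node:crypto.
const webCrypto = globalThis.crypto || require("node:crypto").webcrypto;

const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const DIGITS = "0123456789";
const SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"; // constructed symbol set (23 chars)
const ALL = LOWER + UPPER + DIGITS + SYMBOLS;

// Entropy in bits of a uniformly random password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Draw `length` characters uniformly from `alphabet` using the CSPRNG.
// Rejection sampling discards bytes at or above the largest multiple of the
// alphabet size that fits in a byte, so `byte % n` carries no modulo bias.
function generatePassword(length, alphabet) {
  const chars = [...new Set(alphabet)]; // duplicates would skew the distribution
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  if (chars.length < 2 || chars.length > 256) {
    throw new RangeError("alphabet needs 2 to 256 distinct characters");
  }
  const limit = 256 - (256 % chars.length);
  const buf = new Uint8Array(64);
  const out = [];
  while (out.length < length) {
    webCrypto.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(chars[b % chars.length]);
    }
  }
  return out.join("");
}

console.log(generatePassword(20, ALL));
console.log("20 random lowercase:", entropyBits(20, LOWER.length).toFixed(1), "bits");
console.log("10 random mixed:    ", entropyBits(10, ALL.length).toFixed(1), "bits");
```

Passing `LOWER` instead of `ALL` covers sites that reject symbols: at 20 characters the result still carries more entropy than a 10-character password drawn from the full set.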
Password length recommendations by account type
- General accounts (forums, newsletters, low-stakes): 16 characters minimum
- Email accounts: 20 characters minimum (email controls your password resets for everything else)
- Banking and financial accounts: 20 characters minimum, use the maximum length the site allows
- Password manager master password: 25+ characters, memorized, never reused anywhere
Characters to include
For most sites: use all character types (uppercase, lowercase, numbers, symbols). The generator defaults to this. Some sites have restrictions (no symbols, or only specific symbols); adjust accordingly. A 20-character lowercase-only random password is still very strong; don't compromise length to include a blocked character type.
The reuse problem
A strong password used on 10 sites is not 10 times stronger than a weak password used on 10 sites. When one site gets breached, attackers try the stolen credentials on every major service. This is called credential stuffing. Every account should have a unique password. A password manager makes this practical.
Storing passwords safely
Never store passwords in a text file or spreadsheet. Don't email them to yourself. Don't write them on a sticky note near your computer. Use a password manager like Bitwarden (free, open source), 1Password, or KeePassXC (local only). These store your passwords in an encrypted vault protected by one strong master password that only you know.