How to Create Strong Passwords — And Why Most People Get It Wrong
Most people approach password security the wrong way. They swap an "E" for a "3", add a "!" at the end, and call it done. That approach made sense in 1995. In 2026, it offers almost no real protection against modern attacks.
This guide explains what actually makes a password strong, how security researchers measure it, and what you can do today to dramatically improve your account security — without having to memorise a string of random characters.
What Makes a Password Strong?
Password strength comes down to one concept: entropy. Entropy is a measure of unpredictability — how many possible combinations an attacker would need to try before guessing your password. It is usually expressed in bits.
The higher the entropy, the stronger the password. The two things that increase entropy are:
- Length — Every additional character multiplies the number of possible combinations
- Character pool size — Using uppercase, lowercase, numbers, and symbols increases the pool an attacker must search through
Of these two, length is far more powerful. A 20-character password made of only lowercase letters has higher entropy than a 10-character password using every type of character. This surprises most people.
Why "Pa$$w0rd" Style Passwords Fail
The habit of substituting letters with numbers or symbols — writing "3" instead of "E", "0" instead of "O", "@" instead of "A" — is called leetspeak substitution. It was novel in the early internet era. Today, every serious password cracking tool includes these substitutions by default.
When an attacker runs a dictionary attack against a hashed password database, they do not just try "password". They try "p@ssw0rd", "P@$$w0rd", "P4ssword!", and thousands of other common variations automatically. Your clever substitution is already in their wordlist.
The same problem applies to adding a number or symbol at the end: "password1", "password123", "password!" are all predictable patterns that crackers test first.
What Actually Works: Length and Randomness
Two approaches genuinely improve password security:
1. Long random character strings. A password like x8#Kp2mQrL9!vZnT is strong because it is long and genuinely random. The catch is that it is nearly impossible to memorise, which is why a password manager is essential if you go this route.
2. Passphrases. A passphrase is a sequence of random words: correct-horse-battery-staple. This concept was famously illustrated by the webcomic XKCD in 2011 and remains one of the best pieces of password security advice ever published. Four or five random words give you a password with very high entropy that is also humanly memorable.
The key word is random. "ilovemydogmaxHe'sSoCute!" is not a strong passphrase — it is a predictable sentence. A truly strong passphrase uses words chosen randomly, not words that tell a story about your life.
Password Entropy at a Glance
| Password type | Example length | Approx. entropy | Verdict |
|---|---|---|---|
| Common word + numbers | 10 chars | ~10 bits effective | Very weak |
| Mixed case + symbols | 10 chars | ~65 bits | Moderate |
| Random characters | 16 chars | ~104 bits | Strong |
| 4-word passphrase | ~28 chars | ~77 bits (EFF wordlist) | Strong + memorable |
| 6-word passphrase | ~42 chars | ~77–116 bits | Very strong |
One Password Per Account
Even a perfectly strong password becomes a serious risk if you reuse it. The reason is credential stuffing: when a service gets breached and its password database leaks, attackers take those username/password pairs and automatically try them on hundreds of other sites. If you used the same password on a small forum in 2015 as on your email account today, that breach could compromise your email.
The only practical solution is a unique password for every account. This is only manageable with a password manager — a secure application that stores and auto-fills all your passwords so you only need to remember one master password.
How Password Generators Help
Generating a truly random password by hand is harder than it sounds. Humans are very bad at randomness — we gravitate toward patterns, avoid certain characters, and unconsciously make choices that reduce entropy. A proper password generator uses a cryptographically secure random number generator to eliminate that human bias entirely.
Modern browsers provide window.crypto.getRandomValues() — a Web Crypto API that produces cryptographically secure random values without relying on any server. A generator built on this API produces passwords that are genuinely random, and because it runs entirely in your browser, your generated passwords are never transmitted anywhere.
🔑 Try KeyForge — privotools' browser-based password generator. Generate random character passwords, multi-word passphrases, PINs, or memorable passwords with real-time entropy and crack-time estimates. Built on the Web Crypto API — your passwords never leave your browser.
Open KeyForge →Quick Summary
- Length matters more than complexity — longer passwords are harder to crack
- Character substitutions (Pa$$w0rd) provide very little real protection
- Passphrases (multiple random words) are both strong and memorable
- Never reuse passwords across accounts — use a password manager
- Use a cryptographically secure generator to eliminate human bias in your passwords
Password security does not have to be complicated. The principles are simple: make it long, make it random, make it unique. Everything else is noise.