How to Create a Strong Password (and Why Length Matters More Than Complexity)
Password security advice has been wrong for a long time. The standard guidance - use uppercase letters, numbers, and special symbols - produces passwords like "P@ssw0rd1!" that feel complex but are trivially easy to crack with modern tools. Research and updated standards tell a clearer story: length is more important than character variety, and randomness is more important than either.
Why Length Beats Complexity
Password strength is measured by entropy - the number of possible combinations an attacker must try. Each additional character multiplies the search space. A random 16-character password using only lowercase letters has 26 to the power of 16 - roughly 43 quadrillion - possible values. A complex 8-character password using all ASCII printable characters has 95 to the power of 8 - roughly 6.6 quadrillion values. The longer, apparently simpler password is actually stronger.
What Makes a Password Weak
- Dictionary words, even with substitutions - p@ssword, s3cur1ty, tr0ub4d0r. Password crackers use dictionary lists with every common substitution built in.
- Personal information - birthdays, names, pet names, sports teams, anniversaries. All guessable from public social media profiles.
- Keyboard patterns - qwerty, 123456, asdfgh. Every wordlist includes these.
- Short passwords - anything under 12 characters is too short with current cracking hardware.
- Reused passwords - a single data breach immediately compromises every account sharing that password.
Updated NIST Guidelines (2024)
The US National Institute of Standards and Technology updated its digital identity guidelines in 2024 with significant changes. The key recommendations: prioritise length over composition rules (at least 15 characters is the new recommendation), stop mandating arbitrary complexity requirements like "must contain one uppercase and one symbol", do not require periodic password changes unless a breach is suspected, and check new passwords against known breach databases rather than enforcing composition rules that often lead to predictable patterns.
The Case for a Password Manager
The only realistic way to use a unique, long, random password for every site is a password manager. Human memory cannot handle dozens of random 20-character strings. A password manager generates, stores, and autofills credentials securely. Well-regarded options include Bitwarden (open source, free tier available), 1Password, and Dashlane. All encrypt your vault locally before syncing it - the service never sees your passwords.
Why Randomness Source Matters
JavaScript's Math.random() is a pseudorandom number generator - fast but not cryptographically secure, meaning a sophisticated attacker could theoretically predict its output given enough samples. A proper password generator uses the Web Crypto API (window.crypto.getRandomValues()), which draws from the operating system's entropy pool and is suitable for cryptographic and security applications.
A strong password is long (16+ characters), randomly generated (not based on words or patterns), unique to one site, and stored in a password manager - not reused or written on a sticky note.
Try it yourself - free
Use our Password Generator - no account, no sign-up required.