Fundamentals · 6 min read

How to create a strong password in 2026

The advice you grew up with — swap an "a" for an "@", add a number, capitalise the first letter — is mostly wrong. Here is what actually makes a password hard to break, and a method you'll remember.

For two decades, "complexity" ruled password advice: throw in a symbol, a digit, a capital, and you were told you were safe. The problem is that humans are predictable. We capitalise the first letter, put the number at the end, and reach for the same handful of symbols. Attackers know this, and their software accounts for it.

What machines genuinely struggle with is not complexity — it is length combined with unpredictability. Every extra character multiplies the number of guesses an attacker must make. That single idea is the foundation of every recommendation below.

The one rule that matters most: length

A password's resistance to brute-forcing is measured in entropy — roughly, the number of guesses needed to find it. Entropy grows with both the size of the character pool and, far more powerfully, the length of the password. Adding one symbol nudges the pool. Adding four more random characters multiplies the work by thousands.

  P@ssw0rd1                      Weak · cracked instantly
  correct-horse-battery-staple   Very strong · centuries
  7xQ!9mK2$vP4#nL8               Very strong · centuries

The first looks "complex" but is short and based on a dictionary word with predictable substitutions — software guesses it in moments. The other two are far longer, and that length is what makes them practically unbreakable.

Rule of thumb: aim for at least 16 characters for important accounts. Below 12, even a random password starts to look guessable to modern hardware.

Two methods that actually work

1. The random string (best for accounts you don't type often)

For your email, bank, and password manager, use a long, fully random string and let software remember it. There's no need to memorise it if a password manager stores it for you. This is exactly what a generator is for — maximum entropy, zero human predictability.

2. The passphrase (best for the few you must memorise)

For the handful of passwords you genuinely have to recall — like the master password to your manager — string together four or more random, unrelated words:

  • Pick words at random, not a phrase that means something to you ("ilovemydog" is weak).
  • Separate them with symbols or numbers to widen the character pool: otter-Velvet7-cobalt-Drum
  • The randomness is what counts. A quote from your favourite film is not random — it's in a database somewhere.
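
The two methods above, together with the entropy rule from the section on length, sketched in Python as an added example (this is not the site's generator code). The 32-word list is a constructed sample, and the 7776-word list size is an assumed figure for a five-dice word list; the entropy formula applies only to secrets drawn uniformly at random.

```python
import math
import secrets
import string

# 94 printable symbols: letters, digits and punctuation.
POOL = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word sample list, for illustration only. A real passphrase
# generator draws from a list of thousands of words.
SAMPLE_WORDS = (
    "otter velvet cobalt drum maple quartz ferry lantern "
    "pepper glacier tunnel saddle anchor biscuit comet dagger "
    "ember falcon goblet harbor ivory jungle kettle ladder "
    "magnet nectar orchid pillow quiver ribbon sundial thimble"
).split()


def random_string(length=16, pool=POOL):
    """Method 1: every character drawn independently from the OS CSPRNG."""
    return "".join(secrets.choice(pool) for _ in range(length))


def passphrase(n_words=4, words=SAMPLE_WORDS, sep="-"):
    """Method 2: words drawn independently and uniformly from a list."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` uniform random draws from `choices` options.

    Only valid for machine-generated secrets; a human-chosen password such as
    P@ssw0rd1 has far less entropy than its character pool suggests.
    """
    return picks * math.log2(choices)


def words_needed(target_bits, list_size):
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(random_string(), f"{entropy_bits(len(POOL), 16):.1f} bits")
    print(passphrase(), f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
    # Assumed list size 7776 (a five-dice word list): 4 words vs. 16 characters.
    print(f"{entropy_bits(7776, 4):.1f} bits;",
          words_needed(entropy_bits(len(POOL), 16), 7776), "words to match")
```

Under these assumptions, four random words carry about 51.7 bits against about 104.9 bits for 16 random characters, so a memorised passphrase needs more words to reach the same strength as a random string.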

Mistakes that quietly undo everything

  • Reusing passwords. One breach then unlocks every account. This is the single most common cause of account takeover.
  • Personal information. Birthdays, pet names, and street names are the first things tried.
  • Tiny tweaks. Changing Summer2025 to Summer2026 fools no one.
  • Keyboard patterns. qwerty, 1qaz2wsx and friends are all in the cracking dictionaries.

The real win: a unique, long, random password for every account — backed by a password manager so you only remember one. We cover this in password manager vs. memorising.

Put it into practice now

You don't need to invent randomness in your head — humans are famously bad at it. Use the generator to forge a maximum-entropy password, then paste anything you already use into the checker to see how it really holds up.
