What Makes a Password Weak?
Before looking at what strong looks like, it helps to understand what attackers actually do when trying to crack a password.
Dictionary attacks try every word in a wordlist, usually with mangling rules applied on top: capitalising the first letter, appending a year or a "!", and the familiar substitutions like p@ssw0rd or s3cur3. Against a fast hash a run like this finishes in seconds. If your password is built from a real word, a name or a date, a wordlist plus rules will find it long before a brute-force search would.
Brute-force attacks try every possible combination of characters. A 6-character password using only lowercase letters has about 300 million combinations (26^6), which a modern GPU can try in under a second. An 8-character password with mixed case and numbers has about 218 trillion combinations (62^8), exhausted in roughly half an hour at 10^11 guesses per second against a fast, unsalted hash such as NTLM or MD5. A slow, salted hash such as bcrypt or Argon2 cuts that guess rate by a factor of ten thousand or more, which is why the hash a site uses matters as much as the password you choose.
The most common weak passwords are still: 123456, password, qwerty, iloveyou, and variations of those. These are cracked instantly.
What Makes a Password Strong?
Two things matter above everything else: length and randomness.
Every extra character multiplies the number of combinations by the size of the character set, so the count grows exponentially with length. The table assumes the 94 printable ASCII characters (space excluded) for the full set, and an attacker with a fast, unsalted hash on a GPU rig making 10^11 guesses per second; the time shown is for trying the whole keyspace, so the average find takes half that.
| Length | Character set | Possible combinations | Time to exhaust (10^11 guesses/s) |
|---|---|---|---|
| 8 chars | lowercase only (26) | 2.1 × 10^11 (209 billion) | about 2 seconds |
| 8 chars | upper, lower, digits, symbols (94) | 6.1 × 10^15 (6.1 quadrillion) | about 17 hours |
| 12 chars | upper, lower, digits, symbols (94) | 4.8 × 10^23 | about 150,000 years |
| 16 chars | upper, lower, digits, symbols (94) | 3.7 × 10^31 | about 10^13 years, hundreds of times the age of the universe |
| 20 chars | upper, lower, digits, symbols (94) | 2.9 × 10^39 | about 10^21 years |
Against a slow, salted hash such as bcrypt or Argon2 the guess rate drops by four or five orders of magnitude, and an online login form that rate-limits attempts allows only a handful per second. The brute-force figures also say nothing about a human-chosen password: a wordlist with rules finds Summer2024! in seconds, however large the 11-character keyspace is on paper.
Randomness matters because patterns are predictable. Replacing letters with numbers (@ for a, 3 for e) is a standard mangling rule in cracking tools and adds almost no security.
The Rules for a Strong Password
- Minimum 16 characters for standard accounts.
- 20+ characters for email, banking and password manager master passwords.
- Include all four character types: uppercase, lowercase, numbers and symbols.
- Never use real words, names, dates or keyboard patterns (qwerty, 12345).
- Never reuse a password across accounts: if one site is breached, the leaked credentials are replayed against every other site where you used them (credential stuffing), so every account gets its own password, no exceptions.
How to Generate a Strong Password
The fastest and most secure approach is to use a cryptographically secure random password generator rather than trying to invent one yourself. Human brains are terrible at generating truly random sequences — we unconsciously create patterns.
The ToolsBox Password Generator uses window.crypto.getRandomValues, the Web Crypto API's cryptographically secure random number generator (CSPRNG), which the browser seeds from the operating system's entropy source. This is the same class of generator used to produce cryptographic keys. Math.random, by contrast, is a fast non-cryptographic generator whose output can be predicted from a few observed values and must never be used for secrets. The password is generated locally in your browser and never sent anywhere.
- Open the Password Generator.
- Set the length to 16 (or 20 for high-value accounts).
- Enable all four character types: uppercase, lowercase, numbers, symbols.
- Click Generate. A new random password appears instantly.
- Click Copy and paste it directly into your password manager.
Generate a fresh one for every account — there is no reason to reuse them when the tool is this fast.
The Passphrase Alternative
If you need a password you can actually memorize — for example, your password manager's master password — consider a passphrase instead. A passphrase is four or five random unrelated words joined together:
carpet-volcano-rabbit-eleven-torch
This passphrase is 34 characters long, contains no dictionary phrase or keyboard pattern, and is far easier to remember and type than X!9mK#2qL@7p. Its strength comes not from the character count but from how the words were chosen: five words drawn at random from a 7,776-word Diceware-style list give about 65 bits of entropy (log2 of 7776^5), roughly what a random 10-character password from the full character set gives, and that figure already assumes the attacker knows the word list and attacks it word by word. Add a sixth or seventh word for a password manager master password. The words must be genuinely random, drawn with dice or a CSPRNG, never a phrase, a quote or a song lyric.
Password Manager vs Memorising
The honest answer is: you should not be memorising passwords. The only password worth memorising is the one that unlocks your password manager. Everything else should be a unique, randomly generated string that you never need to type.
Recommended free password managers:
- Bitwarden — open source, free tier is excellent, available on all platforms and browsers.
- KeePassXC — stores everything locally, no cloud required, fully offline.
- Proton Pass — privacy-focused, good free tier.
Avoid: storing passwords in a browser without a master password, in plain text files, spreadsheets, or notes apps.
What to Do If You've Been Compromised
If you suspect an account has been breached, act immediately:
- Change the password on that account right now.
- Change the same password on any other account where you reused it.
- Enable two-factor authentication (2FA) on the affected account, preferring an authenticator app or a hardware security key over SMS codes.
- Check Have I Been Pwned (haveibeenpwned.com) to see if your email appears in known data breaches.
Frequently Asked Questions
What makes a password strong?
Length and randomness. A 20-character password drawn at random from all 94 printable characters has about 2.9 × 10^39 possibilities, roughly 131 bits of entropy, far beyond any brute-force attack. Avoid real words, names and predictable substitutions.
How long should a password be?
16 characters minimum for regular accounts, 20+ for email, banking and your password manager master password. Every extra character multiplies the number of combinations by the size of the character set (94 when all four types are enabled), so difficulty grows exponentially with length.
Is it safe to use a password generator?
Yes, if it runs locally in your browser using a cryptographically secure random number generator. The ToolsBox generator uses window.crypto.getRandomValues and never transmits passwords anywhere.
Should I use a password manager?
Absolutely. A password manager lets you use a unique random 20-character password for every account. Bitwarden is free, open source and available on every platform.