Most password advice you've heard for the last 20 years is at least partly wrong. The "must have one capital, one number, one special character" approach actually makes passwords weaker, not stronger. This guide walks through what genuinely makes a password secure in 2026, and why a random generator beats almost anything you'd come up with yourself.

Just want a strong password?

Generate one in your browser — never sent to any server.

Generate a password →

What actually makes a password strong?

Two things, and they're not what most people think:

  1. Length — far more important than complexity. A 16-character lowercase password is exponentially harder to crack than an 8-character password with all the symbols and numbers in the world.
  2. Unpredictability — a password is only as strong as its weakest pattern. If a hacker can guess part of it, they can guess the rest.

The classic password rules — "must contain a capital letter, a number, and a special character" — were designed in the 1990s when computers were slow. Today's password-cracking software can try billions of combinations per second. Turning "password" into "Password1!" looks more secure, but against a brute-force attack it adds maybe 30 seconds.

Why length matters so much

Each additional character in a password multiplies the number of possible combinations. Going from 8 to 16 characters doesn't double the difficulty — it makes it astronomically harder to crack.

Modern guidance from the UK's NCSC (National Cyber Security Centre) and the US NIST (National Institute of Standards and Technology) agrees on this point: length matters more than forced complexity.

A randomly generated 16-character password using mixed letters, numbers and symbols would take a current-generation cracking rig billions of years to brute force. Even a 12-character one is functionally uncrackable for almost any realistic attacker.

The common mistakes to avoid

Most weak passwords aren't weak because they're too simple — they're weak because they follow a predictable pattern. Examples:

Avoiding weak passwords: seven things never to include in a password — your username, names of family or pets, personal information about you or your family, sequences of consecutive letters or numbers like 12345 or qwerty, dictionary words or word combinations like blackdog, obvious character substitutions like blackd0g, or any of these written in reverse.
Source: NordVPN

The two ways to make genuinely strong passwords

There are really only two approaches that work:

Option 1: Randomly generated passwords

Use a password generator to create something like k7Jq#2nM!vP9wXr4. Completely random, no pattern, impossible to remember — and that's fine, because you'll store it in a password manager. This is what every security professional actually uses.

Generators that run in your browser (like the one on this site) are particularly good because the password is never sent to any server — it's created on your device and stays there.

Option 2: Long passphrases

If you genuinely need to remember a password (like the master password for your password manager itself), use four or five random words, like the famous XKCD example "correct horse battery staple". It is easier to remember than gibberish, and mathematically very hard to crack because of the length.

The key word here is random. "my favorite movie is starwars" looks long, but it follows English grammar, and crackers exploit that. "turbine pretzel jellyfish kestrel" works because there's no pattern.

Use a password manager

The honest truth: you cannot remember 50+ unique strong passwords. Nobody can. The only practical way to have unique strong passwords for every account is to use a password manager.

Free and paid options worth considering:

The pattern is: long random master password (the one you remember), unique generated passwords for everything else.

Two-factor authentication beats password strength

One last thing worth knowing — even a perfect password isn't as good as two-factor authentication (2FA). 2FA means a hacker needs both your password AND a code from your phone (or a hardware key) to log in. With 2FA enabled, even if your password leaks in a breach, your account stays safe.

Enable 2FA on email, banking, password manager, and social media at minimum. The 30 seconds it takes is the highest-return security investment you can make.
