The advice we all absorbed years ago, one capital letter, one number, one symbol, swap an a for an @, produces passwords that are hard for humans to remember and easy for computers to guess. Meanwhile the thing that actually protects you gets barely a mention. Here is what a password needs in order to hold up, and why.
Length is the thing that matters most
Every character you add to a password multiplies the number of possibilities an attacker has to try. That multiplication is exponential, which is why length beats every other factor by a wide margin. A short password packed with symbols has fewer combinations than a long one made of ordinary words, because the extra characters add far more to the total than a wider character set does.
This is why security researchers now recommend passphrases: four or five random words strung together, like correct-battery-lantern-cellar. It is long enough that brute force is hopeless, yet you can actually picture it. For anything you do not need to memorize, a random string of 16 characters or more is stronger still, and a password generator can produce one instantly.
The real danger is reuse, not weakness
Here is the uncomfortable truth: the strongest password in the world does not help if you use it in two places. Large websites get breached regularly, and when one does, attackers take the leaked email-and-password pairs and try them on every other popular service. This is called credential stuffing, and it is the single most common way ordinary accounts get taken over. It does not care how strong your password is, only that you used it somewhere that got breached.
The fix is a unique password for every account. Nobody can remember dozens of unique random passwords, which is what a password manager is for: it stores them, fills them in, and generates new ones. Your job shrinks to remembering one strong passphrase that unlocks the manager.
Rules that do not help as much as you think
- Forced complexity. Requiring a symbol and a number nudges people toward predictable patterns like
Password1!, which attackers try first. Length delivers more security with less annoyance. - Regular forced changes. Making people reset every 90 days mostly produces
Spring2026thenSummer2026. Modern guidance from bodies like NIST is to change a password when there is a reason to, not on a timer. - Character substitutions. Swapping
efor3feels clever, but cracking software has known those tricks for years. It adds almost nothing.
What a strong setup looks like in practice
- Use a password manager, and protect it with one long passphrase you can remember.
- Let it generate a unique 16-plus character password for every account.
- Turn on two-factor authentication wherever it is offered, so a stolen password alone is not enough to get in.
- For the handful of passwords you must type by hand, use random word passphrases.
Generating passwords safely
One reasonable worry: if a website generates a password for you, could it keep a copy? On this site it cannot, because the password generator runs entirely in your browser using the built-in cryptographic random number generator. Nothing is sent over the network, logged, or stored, and you can confirm it by turning off your internet connection and watching it keep working. A password is only as private as the place that made it, and the safest place is your own device. If you want a unique identifier rather than a secret, for a database key or a test record, the UUID generator works the same private way.