PasswordGen

How to Create a Strong Password: A Practical Security Guide

Learn what makes a password strong in 2026: length, randomness, uniqueness, and manager use. Covers NIST guidelines, entropy, and what to avoid.

By Editorial Team Updated
  • password
  • security
  • strong password
  • password manager
  • cybersecurity

Password security advice from 10 years ago — capitalize letters, add numbers and symbols, change every 90 days — was based on flawed assumptions. Modern guidance (NIST SP 800-63B, 2024) tells a different story. Here’s what actually works.

What makes a password strong

The two factors that matter most:

  1. Length — longer passwords have exponentially more combinations
  2. Randomness — human-chosen passwords are predictable; random passwords aren’t

Everything else is secondary. A 20-character random string beats a 12-character “complex” password chosen by a human every time.

Password entropy

Entropy measures how hard a password is to guess, in bits. Higher is better.

| Charset | Options per character | 12-char entropy | 20-char entropy |
|---|---|---|---|
| Digits only (0-9) | 10 | 40 bits | 66 bits |
| Lowercase (a-z) | 26 | 56 bits | 94 bits |
| Lowercase + digits | 36 | 62 bits | 103 bits |
| Mixed case + digits | 62 | 71 bits | 119 bits |
| Full printable ASCII | 95 | 79 bits | 131 bits |

80+ bits of entropy is considered strong for most purposes. 128 bits is considered effectively unbreakable.

For a 20-character password using the full ASCII printable charset:

~131 bits of entropy
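The table above is just length × log2(charset size). The following Python is an added example (not code from the page or from PasswordGen) that reproduces the table from that formula and, going slightly beyond it, answers the reverse question: how many characters of a given charset are needed to reach the 80-bit and 128-bit thresholds the guide names. The formula assumes every character is chosen uniformly at random; for a human-chosen password the calculation overstates the real entropy.

```python
import math

# Charset sizes from the guide's table
CHARSETS = {
    "Digits only (0-9)": 10,
    "Lowercase (a-z)": 26,
    "Lowercase + digits": 36,
    "Mixed case + digits": 62,
    "Full printable ASCII": 95,
}

STRONG_BITS = 80        # "strong for most purposes"
UNBREAKABLE_BITS = 128  # "effectively unbreakable"


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly and independently from `charset_size` symbols."""
    return length * math.log2(charset_size)


def strength_label(bits: float) -> str:
    """Classify an entropy value using the thresholds given in the guide."""
    if bits >= UNBREAKABLE_BITS:
        return "effectively unbreakable"
    if bits >= STRONG_BITS:
        return "strong"
    return "below recommended"


def length_for_bits(charset_size: int, target_bits: float) -> int:
    """Smallest password length that reaches `target_bits` of entropy for this charset."""
    return math.ceil(target_bits / math.log2(charset_size))


def entropy_table(lengths=(12, 20)) -> dict:
    """Rebuild the guide's table: {charset name: {length: rounded bits}}."""
    return {name: {n: round(entropy_bits(size, n)) for n in lengths}
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for name, row in entropy_table().items():
        cells = ", ".join(f"{n} chars: {bits} bits ({strength_label(bits)})" for n, bits in row.items())
        print(f"{name:22s} {cells}")
    for name, size in CHARSETS.items():
        print(f"{name:22s} needs {length_for_bits(size, STRONG_BITS)} chars for 80 bits, "
              f"{length_for_bits(size, UNBREAKABLE_BITS)} for 128 bits")
```

The reverse lookup is the practical output: full printable ASCII reaches 80 bits at 13 characters and 128 bits at 20, while lowercase-only needs 18 characters just for 80 bits.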

Length: the most important factor

Go long. Modern NIST guidelines recommend:

  • Minimum: 15 characters for general use
  • Preferred: 20+ characters
  • No arbitrary maximum — allow up to 64+ characters

A 20-character password is many orders of magnitude stronger than a 12-character one, even if both use the same character set.

Randomness: let a machine generate it

Human-chosen passwords follow predictable patterns:

  • Words from the dictionary
  • Names + birth years (alice1995)
  • Predictable substitutions (p@ssw0rd, S3cur1ty)
  • Patterns based on keyboard layout (qwerty, 1q2w3e)

Attackers use wordlists and rules that cover all of these. Random passwords — generated by a computer’s CSPRNG — have none of these patterns.

```python
# Python: generate a random password using the secrets module (a CSPRNG; never use random for this)
import secrets
import string

alphabet = string.ascii_letters + string.digits + string.punctuation
# Each character is chosen independently and uniformly, so 20 chars of 94 symbols is ~131 bits
password = ''.join(secrets.choice(alphabet) for _ in range(20))
print(password)
```

```bash
# Bash: generate a random password
# Filter raw CSPRNG bytes down to the wanted alphabet and take the first 20 that pass.
# (Piping base64 output through tr would never yield the symbols, since base64 only emits
# A-Z a-z 0-9 + / =, and could silently return fewer than 20 characters.)
LC_ALL=C tr -dc 'a-zA-Z0-9!@#$%^&*' </dev/urandom | head -c 20; echo
```
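The patterns listed above are exactly what cracking rule sets target, and a defender can detect them the same way before a password is accepted. The following Python is an added example (not code from the page or from PasswordGen) that undoes common leet substitutions, matches the result against a small wordlist, spots a word-plus-year shape, and measures keyboard walks using the physical adjacency of keys on a US QWERTY layout. The wordlist, the substitution table and the adjacency threshold of four keys are assumptions; a real check would use a full dictionary such as a breach wordlist.

```python
import re

# Leet-speak substitutions that cracking rules undo before dictionary matching (assumed subset)
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "l",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Constructed stand-in for a real wordlist
COMMON_WORDS = {"password", "security", "welcome", "letmein", "dragon", "monkey", "football"}

# US QWERTY layout: (row, x) per key, with each row staggered half a key to the right
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_KEY_POS = {ch: (row, col + 0.5 * row)
            for row, keys in enumerate(_ROWS) for col, ch in enumerate(keys)}


def _adjacent(a: str, b: str) -> bool:
    """True if keys a and b are physically adjacent (including diagonals)."""
    if a not in _KEY_POS or b not in _KEY_POS or a == b:
        return False
    (ra, xa), (rb, xb) = _KEY_POS[a], _KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(xa - xb) <= 1


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest run of consecutive, physically adjacent keys ("qwerty", "1q2w3e")."""
    s = pw.lower()
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if _adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def weak_patterns(pw: str) -> list:
    """Return the predictable patterns found in pw; an empty list means none were detected."""
    found = []
    normalized = pw.lower().translate(LEET)           # p@ssw0rd -> password, S3cur1ty -> security
    if any(word in normalized for word in COMMON_WORDS):
        found.append("dictionary word (after undoing substitutions)")
    if re.fullmatch(r"[a-z]+(19|20)\d{2}", pw.lower()):  # alice1995
        found.append("name or word + year")
    if longest_keyboard_walk(pw) >= 4:                 # assumed threshold
        found.append("keyboard walk")
    return found


def is_predictable(pw: str) -> bool:
    return bool(weak_patterns(pw))


if __name__ == "__main__":
    for candidate in ["p@ssw0rd", "S3cur1ty", "alice1995", "1q2w3e", "X7#kQ2!mZp9$Lw4@Rt6&"]:
        print(f"{candidate:24s} {weak_patterns(candidate) or 'no known pattern'}")
```

Random output such as the last candidate passes all three checks, while each of the guide's examples trips at least one. Short adjacency runs of two or three keys occur by chance in random strings, which is why the walk threshold is set at four.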

Uniqueness: one password per account

Password reuse is one of the biggest security risks. When one site is breached, attackers test those credentials on every other site (credential stuffing).

Use a unique password for every account. This is only practical with a password manager.

What not to do

  • Don’t use personal information — names, birthdays, pet names are guessable
  • Don’t use dictionary words (even with substitutions) — cracking tools know every common substitution
  • Don’t reuse passwords — ever
  • Don’t store passwords in plaintext — spreadsheets, sticky notes, text files
  • Don’t share passwords via email or chat — use a password manager’s sharing feature
  • Don’t use the same password even across “trusted” sites — every site can be breached

Modern NIST guidelines (SP 800-63B, 2024)

Key changes from older advice:

  • Don’t enforce arbitrary complexity rules — they don’t increase security and frustrate users
  • Don’t require periodic password changes — unless there’s evidence of compromise
  • Do check against known-compromised password lists — reject passwords found in breach databases
  • Do allow long passwords — up to 64+ characters
  • Do support all printable ASCII characters
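A server-side policy that follows these five points looks different from the classic "one upper, one digit, one symbol" validator: it checks length and a compromised-password list and nothing else. The following Python is an added example (not code from the page or from PasswordGen). The breach lookup uses the k-anonymity range pattern, in which only the first five hex characters of the password's SHA-1 hash leave the client and the match is done locally against the returned suffixes; the Have I Been Pwned Pwned Passwords API serves ranges in this shape. Here the range is answered offline from a constructed list of four "breached" passwords, and the 256-character cap and 15-character minimum are assumptions taken from this guide rather than from the standard.

```python
import hashlib
import string

MIN_LENGTH = 15     # the guide's recommended minimum for general use
MAX_LENGTH = 256    # must be at least 64 per the guidance; the exact cap is an assumption
# All printable ASCII including space; only control characters are rejected
ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")

# Constructed breach corpus standing in for a real compromised-password dataset
_CONSTRUCTED_BREACHED = ["password", "p@ssw0rd", "qwerty123", "letmein123"]


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(breached) -> dict:
    """Group hashes by 5-hex-char prefix, the way a k-anonymity range service stores them."""
    index = {}
    for pw in breached:
        h = _sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


_RANGE_INDEX = build_range_index(_CONSTRUCTED_BREACHED)


def fetch_range_offline(prefix: str) -> set:
    """Stand-in for the HTTPS range query; in production this would call the real service."""
    return _RANGE_INDEX.get(prefix, set())


def is_compromised(pw: str, fetch_range=fetch_range_offline) -> bool:
    """k-anonymity check: send only the 5-char prefix, compare the 35-char suffix locally."""
    h = _sha1_hex(pw)
    return h[5:] in fetch_range(h[:5])


def validate(pw: str, fetch_range=fetch_range_offline) -> list:
    """Return rejection reasons under the NIST-style rules above; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if any(ch not in ALLOWED for ch in pw):
        reasons.append("contains control characters")
    if is_compromised(pw, fetch_range):
        reasons.append("found in a known-compromised password list")
    # Deliberately absent: composition rules and any expiry/rotation logic
    return reasons


if __name__ == "__main__":
    for candidate in ["p@ssw0rd", "correct horse battery staple", "Z9$qL2#vN7&kW4!mB1@r"]:
        print(f"{candidate!r}: {validate(candidate) or 'accepted'}")
```

Note that a space-separated passphrase is accepted as-is: the guidance to support all printable ASCII is what makes "correct horse battery staple" a valid input rather than something the form strips or rejects.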

Use a password manager

A password manager solves the uniqueness problem. It:

  • Generates strong random passwords
  • Stores them encrypted
  • Autofills them in your browser
  • Syncs across devices

Top options:

  • Bitwarden — open source, free tier, self-hostable
  • 1Password — teams feature, travel mode
  • Dashlane — built-in VPN, dark web monitoring
  • KeePass / KeePassXC — local-only, no cloud

The master password for your password manager should be a strong passphrase (see below) that you can memorize.

Passphrases for memorable passwords

When you must memorize a password (like your manager’s master password), use a random passphrase: multiple unrelated words chosen at random.

correct horse battery staple

A 4-word passphrase from a 7,776-word list (Diceware) has ~51 bits of entropy. Five words: ~64 bits. Six words: ~77 bits.

Passphrases are memorable and strong. PurpleElephantCloudRadio beats P@ssw0rd! in both memorability and security.
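Diceware works by rolling five dice per word and looking the five-digit result up in a 7,776-entry list. The following Python is an added example (not code from the page or from PasswordGen) that shows that mapping, draws words with the CSPRNG, and computes the entropy figures quoted above from the list size. The eight-word sample list is constructed purely so the block runs offline; at 3 bits per word it is a toy, and the entropy helpers therefore take the list size as a parameter so the real 7,776-word figure can be used.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 7776   # 6**5 words, one per five-dice roll

# Constructed miniature list (8 words = 3 bits per word); a real Diceware list has 7,776 words
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "purple", "elephant", "cloud", "radio"]


def roll_dice(n: int = 5) -> str:
    """Simulate n fair dice with the CSPRNG; returns a key such as '31642'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def dice_key_to_index(key: str) -> int:
    """Map a Diceware key ('11111' .. '66666') to a 0-based list index: base 6 with digits 1-6."""
    index = 0
    for d in key:
        if d not in "123456":
            raise ValueError(f"invalid die face {d!r}")
        index = index * 6 + (int(d) - 1)
    return index


def passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Choose n_words independently and uniformly; each draw is one 'roll' of the dice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy is n_words * log2(list_size): ~12.9 bits per word for a 7,776-word list."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count reaching target_bits for a list of the given size."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("roll", roll_dice(), "->", dice_key_to_index(roll_dice()))
    for n in (4, 5, 6):
        print(f"{n} Diceware words: ~{int(passphrase_entropy_bits(n))} bits")
    print("words for 80 bits:", words_needed(80), " for 128 bits:", words_needed(128))
    print("sample (toy list):", passphrase(4))
```

With the real list, seven words clear the 80-bit mark and ten reach 128 bits; the guide's 4/5/6-word figures of 51, 64 and 77 bits fall out of the same formula.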

Generate strong random passwords at passwordgen.io.