How to create a strong password (and why length beats symbols)
A practical guide to credential security.
Most advice about passwords is stuck in 2005: “use a capital letter, a number and a symbol.”
That advice produces passwords like P@ssw0rd! — which look complex but are
trivially guessed by modern cracking tools. What actually matters is not how complicated a
password looks, but how unpredictable it is. Let’s unpack that.
Strength is measured in bits of entropy
Security people measure unpredictability in bits of entropy. Each bit
doubles the number of guesses an attacker needs on average. A password with 40 bits can be
brute-forced quickly on modern hardware; one with 70+ bits is effectively out of reach. The
crucial insight: entropy comes from random choices, not from visual complexity.
P@ssw0rd! has very little entropy because it’s a common word with predictable
substitutions — the exact pattern cracking dictionaries try first.
Why length beats symbols
Adding one random character from a 94-character set adds about 6.5 bits. Adding one random
word from a 7,776-word list adds about 12.9 bits. So a handful of random words — a
passphrase like cedar-harbor-mellow-quartz — reaches very high entropy
while staying easy to type and remember. A short string of symbols is both weaker and more
painful to enter on a phone. Length, drawn from genuine randomness, is the winning strategy.
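As an added example (not code from the original article), the entropy figures above computed directly, plus a word/character generator built on a cryptographically secure random source. The 7,776-word list is an assumption from the text and is stood in for by a short constructed sample; only the list size affects the entropy arithmetic.

```python
import math
import secrets

# Assumed sizes, matching the figures in the text: a diceware-style list has
# 7,776 (6^5) words and printable non-space ASCII has 94 characters.
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = "".join(chr(c) for c in range(33, 127))  # 94 characters

# Constructed stand-in for a real word list; entropy depends on the list size,
# so the figures below use DICEWARE_LIST_SIZE, not len(SAMPLE_WORDS).
SAMPLE_WORDS = ["cedar", "harbor", "mellow", "quartz", "violet", "saddle",
                "bronze", "meadow", "tundra", "pickle"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words from `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find a uniformly random secret: half the space at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def random_password(length: int, alphabet: str = PRINTABLE_ASCII) -> str:
    """Random character password. `secrets` is a CSPRNG; the `random` module is not suitable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Random word passphrase; with a real 7,776-word list each word adds about 12.9 bits."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(f"one random printable char: {entropy_bits(94, 1):.1f} bits")
    print(f"one random diceware word:  {entropy_bits(DICEWARE_LIST_SIZE, 1):.1f} bits")
    for n in (4, 5, 6):
        print(f"{n} words: {entropy_bits(DICEWARE_LIST_SIZE, n):.1f} bits")
    print("words needed for 70 bits:", words_needed(70))
    print("12-char password:", random_password(12), " 5-word passphrase:", random_passphrase(5))
```

Note that the passphrase generator only reaches the quoted entropy when drawn from the full list; drawing from the ten-word sample here gives about 3.3 bits per word.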
The rules that actually matter
- Use a unique password everywhere. The biggest real-world risk isn’t brute force — it’s reuse. When one site is breached, attackers replay those credentials everywhere else (“credential stuffing”). Unique passwords contain the damage to a single account.
- Let a password manager do the remembering. You can’t memorise 100 unique strong passwords, and you shouldn’t try. A manager generates and stores them; you only memorise one strong master passphrase.
- Turn on two-factor authentication (2FA). Even a perfect password can be phished or leaked. A second factor — an authenticator app or a hardware key — means a stolen password alone isn’t enough.
- Make your master passphrase long. Since you type it often, use 5–6 random words rather than a short cryptic string.
What about hashing?
You’ll often hear that sites should “hash” passwords. Hashing is a one-way transformation: a site stores the hash of your password, not the password itself, so a database breach doesn’t immediately expose your plaintext. As a developer you can explore how hashing works with our hash generator (SHA-256, SHA-512), but note that real password storage uses slow, salted algorithms like bcrypt or Argon2 specifically to resist mass cracking — a plain SHA-256 of a password is not enough on its own.
The short version
Favour length over symbols, never reuse a password, store everything in a manager, and switch on 2FA. Do that and you’ve closed the doors attackers actually walk through. When you need a strong one right now, generate it locally with our password generator — nothing you create is ever sent anywhere.