Security guide
How to Create a Strong Password
A practical guide to creating strong, unique passwords with local generation, password managers, MFA, and safe recovery habits.
Summary
A strong password is not just a string that “looks complicated.” It is long enough for the use case, randomly generated, unique to one account, and stored safely. The most reliable everyday workflow is simple: generate a unique random value, save it in a password manager, and turn on MFA or a passkey whenever the service supports it.
Use the free random password generator or the 16 character password generator when you need a new account password.
What makes a password strong
The strongest practical passwords are selected by a random process, not invented by a person. Human-created passwords often contain names, dates, keyboard paths, brands, lyrics, or familiar substitutions. Attackers know those patterns and try them early.
Random generation changes the situation. A generated password such as a 16, 20, or 32 character value has no personal story, no calendar date, and no convenient dictionary structure. It is still only useful if it remains unique and private.
Practical recommendations
- Generate a new password for every account.
- Prefer at least 15–16 random characters for ordinary accounts.
- Use 20 or more characters for email, banking, work, and admin access when accepted.
- Include symbols when the destination accepts them.
- Store passwords in a trusted password manager.
- Enable MFA or passkeys.
- Review account recovery settings, because attackers often target recovery paths.
What local generation does and does not solve
PwdGen generates values locally with Web Crypto and does not upload generated passwords. That protects against the website intentionally collecting the generated value. It does not protect against a compromised browser extension, unsafe clipboard manager, malware, phishing page, or a service that mishandles password storage.
Detailed guidance
This guide focuses on creating a strong password from a blank slate. It is written for people replacing weak or reused account passwords, so the goal is not to make a dramatic security claim but to choose a password habit that can survive everyday use: sign-in forms, password managers, mobile keyboards, account recovery, shared devices, and the occasional service with strange validation rules. A secure recommendation is only useful if a real person can follow it consistently.
The safest starting point is randomness plus uniqueness. Randomness means the value is selected from a large space by a cryptographically suitable random source, not invented from a birthday, a pet name, a keyboard pattern, or a favorite quote. Uniqueness means the same password is not used anywhere else. A password that is long but reused can fail quickly after one unrelated breach, while a unique random password limits the damage to the single account where it was used.
For this topic, a practical preset is 20 characters, uppercase, lowercase, numbers, and symbols when accepted. You can apply that preset with the 20 character password generator and then store the final value in a trusted password manager. PwdGen generates values locally in the browser with Web Crypto; the generated password is not sent to a PwdGen server. That local design reduces server-side exposure, but it does not protect against every threat. A malicious browser extension, a compromised device, a phishing page, or unsafe clipboard handling can still expose a secret after it is generated.
The most common problems to avoid are personal names, birthdays, keyboard walks, reused endings, and predictable substitutions such as replacing “a” with “@”. These problems matter because attackers rarely need to brute-force every possible password when human habits give them a shortcut. Credential stuffing, phishing, leaked password lists, and account-recovery abuse are often more realistic than a pure mathematical search. That is why the best advice combines password quality with account-level controls such as MFA, passkeys, recovery-code storage, and regular review of recovery email or phone settings.
Use this checklist when applying the recommendation:
- Use a different value for every account.
- Prefer random generation over personal patterns.
- Store the result in a password manager.
- Turn on MFA or passkeys when available.
If a website rejects the ideal setting, do not force the password into a weaker pattern by hand. Adjust one variable at a time. If symbols are rejected, keep uppercase, lowercase, and numbers enabled and increase length. If a maximum length is low, use the largest accepted length and make sure the value is unique. If a password must be read aloud, printed, or typed on a television or router screen, consider excluding confusing characters and increasing the length to compensate for the smaller alphabet.
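The trade-off above can be put in numbers. The following is an added example, not PwdGen's code: it draws characters uniformly with Web Crypto and computes how much longer a password must be when symbols or look-alike characters are removed. The symbol set, the look-alike set, and all function names are assumptions made for illustration.

```javascript
// Added example, not PwdGen's code. Character sets below are assumptions.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const SETS = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?", // assumed symbol set
};
const AMBIGUOUS = new Set("O0oIl1|"); // assumed look-alike characters

function buildAlphabet({ symbols = true, excludeAmbiguous = false } = {}) {
  let chars = SETS.upper + SETS.lower + SETS.digits + (symbols ? SETS.symbols : "");
  if (excludeAmbiguous) chars = [...chars].filter((c) => !AMBIGUOUS.has(c)).join("");
  return chars;
}

// Uniform index in [0, n) by rejection sampling: bytes >= limit are discarded
// so that `byte % n` carries no modulo bias.
function randomIndex(n) {
  if (n < 1 || n > 256) throw new RangeError("alphabet size must be 1..256");
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, alphabet) {
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Entropy of a uniformly random password: length * log2(alphabet size).
const entropyBits = (length, alphabet) => length * Math.log2(alphabet.length);

// Shortest length in `alphabet` that is at least as strong as `targetBits`.
const lengthForBits = (targetBits, alphabet) =>
  Math.ceil(targetBits / Math.log2(alphabet.length));

const full = buildAlphabet();
const target = entropyBits(20, full); // the guide's 20-character preset
const noSymbols = buildAlphabet({ symbols: false });
const readable = buildAlphabet({ symbols: false, excludeAmbiguous: true });
console.log(generatePassword(20, full), Math.round(target), "bits");
console.log("no symbols:", lengthForBits(target, noSymbols), "chars");
console.log("no symbols, no look-alikes:", lengthForBits(target, readable), "chars");
```

With these assumed sets, matching the 20-character preset takes 22 characters once symbols are dropped and 23 once look-alike characters are dropped as well.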
Finally, remember the boundary of password advice. A strong password is one layer of defense, not a guarantee. It cannot make a phishing page safe, fix malware, or compensate for a service that stores credentials poorly. The useful habit is boring but durable: generate a unique value, store it safely, protect the recovery path, and replace it quickly if you suspect exposure.
Frequently asked questions
What is the simplest strong password rule?
Use a long, random, unique password for every account and store it in a trusted password manager.
Is a complex short password better than a longer random one?
Usually no. Length and unpredictability matter more than familiar substitutions such as replacing letters with symbols.
Should I use MFA with a strong password?
Yes. MFA or passkeys add protection when a password is phished, reused elsewhere, or exposed by a service breach.