How To Generate A Secure Password (And Our Generator)

Weak passwords remain one of the most common causes of account compromise. The tool below lets you test any password against eight security requirements in real time — checking length, character variety, entropy, repeated characters, common sequences, and known breached passwords — and shows you exactly where it falls short. You can also generate a cryptographically random password that automatically meets every requirement.
Password Strength v2.0.0 (Last Update: May 11, 2026)
Enter a password below to test its strength in real time, or click Generate to create a secure password that passes all requirements.
- At least 12 characters
- At least one lowercase letter (a–z)
- At least one uppercase letter (A–Z)
- At least one number (0–9)
- At least one special character (!@#$…)
- No 3+ repeated characters in a row
- No common keyboard sequences (123, abc, qwerty…)
- Not a commonly used password
Our readers appreciated this app so much that we launched it on its own site. Check out our password generator at Got Password?
How to Generate a Strong Password
A strong password is not just long — it is unpredictable. Attackers do not guess passwords character by character; they run automated tools that test billions of known patterns, common words, and leaked credentials in seconds. Every requirement below exists to eliminate a category of attack, not to make your life difficult.
- At Least 12 Characters: Length is the single most effective defense against brute-force attacks. Every additional character multiplies the number of possible combinations an attacker must try. A 12-character password drawn from a mixed character set produces more than 475 trillion possible combinations — a 10-character password from the same set produces fewer than 60 trillion. Two extra characters can add days or years to the time required to crack a password, even with dedicated hardware.
- At Least One Lowercase Letter (a–z): Lowercase letters are the baseline of most passwords, but their value comes from combination, not standalone use. Including at least one lowercase letter ensures your password draws from a pool of 26 additional characters, increasing the total number of possible combinations and defeating tools that test only numeric or all-caps patterns.
- At Least One Uppercase Letter (A–Z): Many automated attacks assume passwords are all lowercase. Adding at least one uppercase letter forces those tools to test a significantly larger character space. Position matters too — avoid capitalizing only the first character, which is the most predictable placement and one that cracking dictionaries account for by default.
- At Least One Number (0–9): Numbers add 10 characters to the pool and break up patterns that language-based cracking tools rely on. Avoid simple substitutions like replacing the letter O with zero or E with 3 — these leet-speak patterns are well-documented in every modern cracking dictionary and provide almost no additional protection.
- At Least One Special Character (!@#$…): Special characters add roughly 33 symbols to the potential character pool and produce combinations that dictionary attacks struggle to anticipate. As with numbers, avoid predictable placements such as a trailing exclamation mark or a leading dollar sign — these are among the first substitutions automated tools test.
- No 3+ Repeated Characters in a Row: Repeated characters — such as aaa, 111, or !!! — dramatically shrink the effective length of a password. A 14-character password containing a 4-character repetition behaves more like a 10-character password in practice, because cracking tools explicitly model repetition as a common padding strategy. Every position in a password should contribute genuinely random entropy.
- No Common Keyboard Sequences (123, abc, qwerty…): Sequential runs of characters — whether numeric (1234), alphabetic (abcd), or spatial on a keyboard (qwerty, zxcv) — are among the first patterns tested by any modern attack. They appear so frequently in real-world passwords that they are stored as known fragments in cracking databases. A password that contains even a short sequence is statistically weaker than its length alone would suggest.
- Not a Commonly Used Password: Databases of breached credentials contain billions of real passwords collected from past data breaches. Tools like Have I Been Pwned and offline cracking wordlists mean that any password ever used by a significant number of people — regardless of how clever it once seemed — is now a known quantity. P@ssw0rd, Tr0ub4dor, and correct-horse-battery-staple have all appeared in breach lists. A password must be unique to you and generated with genuine randomness, not constructed from a memorable phrase with predictable substitutions.
The most reliable way to meet all of these requirements at once is to use a generator that applies cryptographic randomness rather than constructing a password yourself. Human intuition is a poor source of randomness — we unconsciously favor familiar patterns, keyboard proximity, and meaningful substitutions, all of which attackers exploit. Use the tool above to automatically generate and test a password that satisfies every requirement.
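The eight requirements and the generator described above, sketched as an added example (this is not the code behind the tool on this page). The symbol set, the keyboard rows, the 3-character run length, and the five-entry COMMON set are assumptions; a real checker would load a breached-password list in place of COMMON.

```python
import re
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"          # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SPECIALS
# Rows scanned for 3-character runs (assumed definition of a "sequence").
ROWS = ["0123456789", "abcdefghijklmnopqrstuvwxyz",
        "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed stand-in for a real breached-password list.
COMMON = {"password", "p@ssw0rd", "letmein", "iloveyou", "welcome"}


def has_sequence(pw, run=3):
    """True if pw contains `run` consecutive row characters, forward or reversed."""
    low = pw.lower()
    for row in ROWS:
        for src in (row, row[::-1]):
            if any(src[i:i + run] in low for i in range(len(src) - run + 1)):
                return True
    return False


def check(pw):
    """Evaluate the eight requirements; a value of True means the rule passes."""
    return {
        "length": len(pw) >= 12,
        "lower": re.search(r"[a-z]", pw) is not None,
        "upper": re.search(r"[A-Z]", pw) is not None,
        "digit": re.search(r"[0-9]", pw) is not None,
        "special": re.search(r"[^A-Za-z0-9]", pw) is not None,
        "no_repeat": re.search(r"(.)\1\1", pw) is None,
        "no_sequence": not has_sequence(pw),
        "not_common": pw.lower() not in COMMON,
    }


def generate(length=16):
    """Draw uniformly from ALPHABET with the OS CSPRNG; resample until all rules pass."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(check(pw).values()):
            return pw


if __name__ == "__main__":
    candidate = generate()
    print(candidate, check(candidate))
```

Resampling the whole password, rather than patching a failing one, keeps every accepted password equally likely.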
Password Management Tips
Visits to older relatives in my family often turn into unpaid tech consulting sessions, where I educate them on how to use and manage passwords. It doesn’t seem like a visit goes by where one of the older folks in my family doesn’t walk over to their desk or kitchen table and pull out a notebook where all their passwords are conveniently written down. Ugh.
And, of course, the actual passwords used are both simple — names and birthdates of family members — as well as repetitive. It’s honestly a miracle that I haven’t seen someone’s accounts get wiped out. Here’s an article I’m writing, where I’m pleading with family and friends to manage their passwords better, as well as offering guidance on how to do so.
Please use two-factor authentication and a unique password for every platform, and store those passwords in a secure application. Here are some explanations and options:
- Two-Factor Authentication (2FA) – virtually every platform now offers a means for you to use a password in combination with a real-time code that’s generated by email, by text message, or with an authenticator app.
- Password Vault – If you’re on an Apple device, you can store all of your passwords securely in iCloud. This is a fantastic way to manage passwords because you can pick a strong, unique password for every service you have, but you don’t have to remember them. Simply use Safari, and your Apple device will automatically pre-fill your passwords. An alternative on Google is to use Google Chrome as your browser. As long as you’re logged into Google on your browser, your passwords are available across any device you’re logged into Google with.
- Password Apps – Mobile and desktop applications like LastPass, 1Password, Dashlane, Keeper, or RoboForm allow you to store all your passwords securely on their platforms. They have browser plugins and mobile apps to help you retrieve them or pre-fill password fields. Another nice feature of these platforms is that they typically have an emergency contact who can gain access to your passwords in the event of an emergency.
- Suggested Passwords – Password vaults and applications offer suggested passwords that are difficult to guess either manually or programmatically. I’d encourage you to consistently use and store a suggested password rather than writing your own.
- Don’t Share – Do not share your password with anyone. As a business, you should utilize enterprise platforms that enable you to create users with limited access and their own passwords.
- Change Your Passwords – Periodically changing your passwords can help increase their strength and protect your accounts. Some security experts recommend changing your passwords every few months.







