How to generate strong passwords — and store them safely


Written by Gabriel C.

Most people choose passwords that are either easy to remember or easy to crack — usually both. This guide explains the science behind password strength and gives you practical steps to generate and manage passwords that are actually secure.

Best for: anyone creating accounts online, developers setting up service credentials, and IT administrators enforcing password policies.

What makes a password strong?

Password strength is measured in bits of entropy: the base-2 logarithm of the number of combinations an attacker would have to try. Two factors control entropy:

  • Length — The most important factor. Each additional character multiplies the search space.
  • Character set size — Using uppercase, lowercase, digits, and symbols increases the pool of possible characters per position.

A 16-character random password using all character types has approximately 2¹⁰⁵ possible combinations — effectively impossible to brute-force with current hardware.

Minimum recommended lengths

  • General accounts (email, social media) — 16 characters minimum.
  • Financial accounts (banking, PayPal, crypto) — 20+ characters.
  • Master password (password manager) — 24+ characters, memorise this one.
  • API keys and service credentials — 32+ random characters.

NIST (the US National Institute of Standards and Technology) no longer recommends mandatory complexity rules. Its guidance favours length over complexity: a 20-character lowercase phrase beats an 8-character mixed-case password.

What to include in a strong password

  • Uppercase letters (A–Z)
  • Lowercase letters (a–z)
  • Digits (0–9)
  • Symbols (!@#$%^&* etc.) — if the service allows them

Avoid: dictionary words, names, birthdates, keyboard patterns (qwerty, 123456), and any information that appears in your social media profiles.

Why you should never reuse passwords

When a website is breached, attackers dump stolen credentials on underground forums. They then try those email/password combinations on hundreds of other services — a technique called credential stuffing. If you reuse passwords, one breach compromises all your accounts.

This is why every account needs a unique password, which is impossible to remember manually. The solution: a password manager.

How to store passwords safely

  • Password manager — Use a reputable password manager (Bitwarden, 1Password, or your browser's built-in manager). You only remember one strong master password; the manager generates and stores unique passwords for every site.
  • Never in plain text — Don't store passwords in notes apps, spreadsheets, or emails.
  • Enable 2FA — Two-factor authentication means a stolen password alone cannot log into your account.
  • Have I Been Pwned — Check haveibeenpwned.com to see if your email appears in known data breaches.

How to generate a strong password in your browser

  1. Open ToolBite's password generator, which uses the Web Crypto API (a cryptographically secure random number generator) rather than a predictable one.
  2. Set the length to at least 16 characters (20+ recommended).
  3. Enable all character types: uppercase, lowercase, digits, symbols.
  4. Click Generate and immediately copy the password into your password manager.
  5. Never type the generated password anywhere — only copy-paste.

The password is generated locally in your browser — it is never transmitted to ToolBite or logged anywhere.

Quick security checklist

  • Password is at least 16 characters long.
  • Contains uppercase, lowercase, digits, and symbols.
  • Not used on any other website.
  • Stored in a password manager, not written down.
  • Account has 2FA enabled.
  • Email checked on haveibeenpwned.com.
