How to generate strong passwords — and store them safely
Most people choose passwords that are either easy to remember or easy to crack — usually both. This guide explains the science behind password strength and gives you practical steps to generate and manage passwords that are actually secure.
What makes a password strong?
Password strength is measured in entropy: the number of possible combinations an attacker must try, usually expressed in bits. Two factors control entropy:
- Length — The most important factor. Each additional character multiplies the search space.
- Character set size — Using uppercase, lowercase, digits, and symbols increases the pool of possible characters per position.
A 16-character random password using all character types has approximately 2¹⁰⁵ possible combinations — effectively impossible to brute-force with current hardware.
Minimum recommended lengths
- General accounts (email, social media) — 16 characters minimum.
- Financial accounts (banking, PayPal, crypto) — 20+ characters.
- Master password (password manager) — 24+ characters, memorise this one.
- API keys and service credentials — 32+ random characters.
NIST (US National Institute of Standards and Technology) no longer recommends mandatory complexity rules. Instead, it recommends length over complexity — a 20-character lowercase phrase beats an 8-character mixed-case password.
What to include in a strong password
- Uppercase letters (A–Z)
- Lowercase letters (a–z)
- Digits (0–9)
- Symbols (!@#$%^&* etc.) — if the service allows them
Avoid: dictionary words, names, birthdates, keyboard patterns (qwerty, 123456), and any information that appears in your social media profiles.
Why you should never reuse passwords
When a website is breached, attackers dump stolen credentials on underground forums. They then try those email/password combinations on hundreds of other services — a technique called credential stuffing. If you reuse passwords, one breach compromises all your accounts.
This is why every account needs a unique password, which is impossible to remember manually. The solution: a password manager.
How to store passwords safely
- Password manager — Use a reputable password manager (Bitwarden, 1Password, or your browser's built-in manager). You only remember one strong master password; the manager generates and stores unique passwords for every site.
- Never in plain text — Don't store passwords in notes apps, spreadsheets, or emails.
- Enable 2FA — Two-factor authentication means a stolen password alone is not enough to log into your account.
- Have I Been Pwned — Check haveibeenpwned.com to see if your email appears in known data breaches.
How to generate a strong password in your browser
- Open ToolBite's password generator — it uses the Web Crypto API, a cryptographically secure random number source.
- Set the length to at least 16 characters (20+ recommended).
- Enable all character types: uppercase, lowercase, digits, symbols.
- Click Generate and immediately copy the password into your password manager.
- Never type the generated password anywhere — only copy-paste.
The password is generated locally in your browser — it is never transmitted to ToolBite or logged anywhere.
Quick security checklist
- Password is at least 16 characters long.
- Contains uppercase, lowercase, digits, and symbols.
- Not used on any other website.
- Stored in a password manager, not written down.
- Account has 2FA enabled.
- Email checked on haveibeenpwned.com.
