For years, the standard password advice was: mix uppercase, lowercase, numbers, and symbols, and change the password every 90 days. Most security agencies, including NIST, have since walked that advice back. Here's what actually matters now.
Length Beats Complexity
A 16-character password made of ordinary words is harder to crack by brute force than an 8-character password full of symbols. Every extra character multiplies the number of possible combinations far more than swapping a letter for a symbol does. horse-lamp-river-42 outperforms P@ss1! by a wide margin.
The Passphrase Method
Pick four unrelated words, add a number and a separator, and you have a password that's both strong and memorable:
- Choose words that don't form a common phrase ("correct horse battery staple," not "happy birthday to you")
- Add a number somewhere that isn't a date
- Use a separator like a hyphen or underscore for extra length
The result is long enough to resist brute-force attacks, while still being something you can type from memory.
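The method above as an added example (not code from this page's own generator): it picks the words with a cryptographically secure random source and estimates strength in bits. The 16-word sample list is constructed for illustration, and the 7776-word list size is an assumption (the size of a five-dice diceware list).

```python
import math
import secrets

# Constructed 16-word sample so the script runs offline. This is far too small
# for real use; load a large published list (assumption: 7776 words, the size
# of a five-dice diceware list) before generating real passphrases.
SAMPLE_WORDS = ("horse lamp river staple battery cactus violin marble "
                "anchor pepper tunnel blanket orbit walnut ferry candle").split()

def generate_passphrase(words, n_words=4, sep="-"):
    """Pick words with a CSPRNG, then insert a random two-digit number."""
    tokens = [secrets.choice(words) for _ in range(n_words)]
    number = f"{secrets.randbelow(100):02d}"
    tokens.insert(secrets.randbelow(n_words + 1), number)
    return sep.join(tokens)

def passphrase_bits(list_size, n_words=4):
    """Entropy if the attacker knows the word list and the scheme."""
    positions = n_words + 1  # slots the number can occupy
    return (n_words * math.log2(list_size)
            + math.log2(100) + math.log2(positions))

def charset_bits(length, alphabet_size):
    """Entropy of a uniformly random string (character brute-force space)."""
    return length * math.log2(alphabet_size)

def report():
    """Compare the passphrase scheme with a short random password."""
    return [
        ("8 random printable ASCII chars", charset_bits(8, 94)),
        ("4 words + number, 16-word sample list",
         passphrase_bits(len(SAMPLE_WORDS))),
        ("4 words + number, 7776-word list", passphrase_bits(7776)),
    ]

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    for label, bits in report():
        print(f"{label:40s} {bits:5.1f} bits")
```

The middle row is the caveat: the strength comes from how many words the random pick could have chosen from, so four words drawn from a small vocabulary (or chosen by hand) score well below the 8-character random password, while the same scheme over a large list beats it.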
Reuse Is the Real Danger
Most account breaches don't happen because someone "guessed" a password — they happen because one password was reused across multiple sites, one of those sites got breached, and the leaked credentials were tried everywhere else. A unique password per important account matters more than how clever any single one is.
Where a Password Manager Helps
You don't need to remember dozens of passphrases. A password manager generates and stores a unique, random password for every site, and you only need to remember one master password to unlock it. This is the single biggest upgrade most people can make to their account security.
When You Need One Right Now
For a quick, strong, random password — no signup, nothing stored — our Password Generator creates one instantly with adjustable length and character types.