RoughTools.com

How to Generate a Secure Password That's Actually Safe

Learn how to generate a secure password that's hard to crack. Step-by-step guide with entropy formula, strength tips, and free generator. No signup.

By RoughTools Team · 9 min read

To generate a secure password, use at least 16 characters drawn randomly from uppercase letters, lowercase letters, numbers, and symbols. Length matters more than complexity — a 20-character random string is far harder to crack than an 8-character password with "clever" substitutions like @ for a or 3 for e.

Password reuse is the leading cause of account takeovers. According to the Verizon 2023 Data Breach Investigations Report, stolen or weak credentials are involved in the majority of data breaches. If you use the same password across multiple sites and one site is breached, every account sharing that password is compromised — regardless of how strong it looked.

Use the free Secure Password Generator at RoughTools to generate a cryptographically random password to any specification instantly — or follow the method below.

Password Entropy — The Math Behind Password Strength

Password strength is measured by entropy — the number of bits required to represent all possible passwords of the same length and character set. Higher entropy means more possible combinations, which means longer to crack.

Password entropy formula:

E = L × log₂(N)

Where:

  • E — entropy in bits (higher is stronger)
  • L — password length in characters
  • N — size of the character set (how many different characters are possible)
  • log₂ — base-2 logarithm (your calculator has this, or use: log(N) / log(2))

Character set sizes:

Lowercase letters only (a–z):         N = 26
+ Uppercase (A–Z):                     N = 52
+ Numbers (0–9):                       N = 62
+ Common symbols (!@#$%^&*...):        N = 94–95

Worked example: a 16-character password with full character set

L = 16 characters
N = 95 (uppercase + lowercase + numbers + symbols)

log₂(95) = log(95) / log(2)
         = 1.9777 / 0.3010
         = 6.57 bits per character

E = 16 × 6.57
E = 105.1 bits of entropy

Now compare to common weak password patterns:

| Password type | Length | N | Entropy |
|---|---|---|---|
| All lowercase | 8 | 26 | 37.6 bits |
| Lowercase + numbers | 10 | 36 | 51.7 bits |
| Mixed case + numbers | 12 | 62 | 71.5 bits |
| All character types | 16 | 95 | 105.1 bits |
| All character types | 20 | 95 | 131.4 bits |

The result: a 16-character random password using all character types produces 105 bits of entropy. At modern GPU cracking speeds, working through even a fraction of the possible combinations at this entropy level would take longer than the current age of the universe. A well-configured password manager stores this for you so you never have to remember it.

A key insight from the entropy formula: doubling the character set (from 26 to 52) adds only one bit of entropy per character. Adding one more character to the password adds 6.57 bits. Length wins every time.
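The formula above worked through in code, as an added example that is not part of the original article. It assumes a symbol class of 33 characters (the 32 printable ASCII symbols plus space), which gives the article's N = 95, and a guess rate of 10 billion per second; passing a word count and wordlist size applies the same formula to passphrases, which goes slightly beyond the text.

```javascript
// Added example (not RoughTools code): the entropy formula E = L * log2(N) and the
// time needed to try every password of that entropy at a fixed guess rate.
const CHAR_CLASSES = [
  { size: 26, re: /[a-z]/ },          // lowercase
  { size: 26, re: /[A-Z]/ },          // uppercase
  { size: 10, re: /[0-9]/ },          // digits
  { size: 33, re: /[^A-Za-z0-9]/ },   // 32 printable ASCII symbols plus space: N = 95 in total
];

// Bits of entropy for `length` positions, each chosen uniformly from `setSize` options.
// For a passphrase, `length` is the word count and `setSize` the wordlist size (7,776 for Diceware).
// This is the theoretical maximum: it holds only if every position really was chosen at random.
function entropyBits(length, setSize) {
  return length * Math.log2(setSize);
}

// Infer N from the character classes present in a password, then apply the formula.
function passwordEntropy(password) {
  const n = CHAR_CLASSES.filter(c => c.re.test(password)).reduce((sum, c) => sum + c.size, 0);
  return entropyBits(password.length, n);
}

// Seconds to exhaust 2^bits candidates at `guessesPerSecond` (the article's figure is 10 billion/s).
function secondsToExhaust(bits, guessesPerSecond = 1e10) {
  return 2 ** bits / guessesPerSecond;
}

// Summarise a password the way the article's comparison does: bits, then time to exhaust.
function summarize(password) {
  const bits = passwordEntropy(password);
  const days = secondsToExhaust(bits) / 86400;
  return { length: password.length, bits: +bits.toFixed(1), days, years: days / 365.25 };
}

// Constructed sample inputs: the article's strong example and two weak shapes.
console.table(['J7!mPxQv#2kLwN8r', 'Tr0ub4d!', 'sunshine'].map(summarize));
```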

How to Generate a Secure Password Step by Step

  1. Decide the minimum length for the account. Use 16 characters as your baseline for any account that matters — email, banking, work systems, social media. For less critical accounts (loyalty cards, low-stakes forums), 12 characters is acceptable. For a password manager master password — the one that unlocks everything else — use 20 characters minimum.

  2. Include all four character types unless the site explicitly prohibits one. Some legacy systems ban symbols or limit passwords to certain characters. If symbols are allowed, include them. The entropy jump from adding symbols to an alphanumeric password is meaningful: a 16-character alphanumeric password has 95.3 bits of entropy; adding symbols brings it to 105.1 bits — a 10-bit improvement, meaning roughly 1,000 times more combinations.

  3. Use the Secure Password Generator to generate truly random output. "Random" in human terms is not truly random — people gravitate toward certain patterns (keyboard walks like qwerty, common substitutions, names + birth years). A cryptographically secure random number generator (CSPRNG) produces genuinely unpredictable output. The RoughTools generator uses browser-native cryptographic randomness — not a predictable pseudo-random algorithm.

  4. Generate multiple options and select one. Do not use the first password that "looks nice" — that selection bias reduces entropy. If you are entering a password manually and want something more memorable, use a passphrase (four random words) rather than a complex short password. For stored passwords in a manager, character strings are fine.

  5. Store the password in a password manager — never in a text file, email draft, or browser "remember password" feature. A password manager (Bitwarden, 1Password, KeePass) encrypts your passwords with your master password and fills them in automatically. Storing passwords in plaintext (a .txt file, a note, a browser tab) defeats the purpose of a strong password.

  6. Verify the password works by logging in once before closing the tab. A typo during generation or a character that was cut off during copy-paste will lock you out. Always test the new password by logging out and logging back in before saving it as the definitive credential.

Pro tip: Enable two-factor authentication (2FA) alongside your strong password. Even a perfectly generated secure password can be leaked in a server breach — 2FA ensures that a leaked password alone cannot access your account. The combination of a 16+ character random password and 2FA makes account compromise effectively impossible through credential-based attacks alone.

How Long Should a Password Be to Be Secure?

A password should be at least 16 characters long for any important account. The National Institute of Standards and Technology (NIST), in Special Publication 800-63B, updated its password guidance to emphasize length over complexity — recommending systems allow passwords up to 64 characters and that length is the primary driver of strength.

Here is the practical breakdown by account type:

  • Password manager master password: 20+ characters (this protects everything else)
  • Email account: 16+ characters (email recovery resets almost every other account)
  • Banking and financial accounts: 16+ characters
  • Social media: 14–16 characters
  • Low-stakes accounts (newsletters, trials): 12 characters is acceptable

The cracking speed context matters. A modern GPU cluster can attempt billions of simple password guesses per second against a leaked hash. An 8-character password — even with all character types — has a theoretical maximum of 95⁸ = approximately 6.6 quadrillion combinations. At 10 billion guesses per second, that is under 8 days to exhaust every possibility. A 16-character password with 95¹⁶ ≈ 4.4 × 10³¹ combinations takes millions of years at the same speed.

The practical minimum is 16 characters with mixed character types. For anything stored behind a strong, properly salted hash (bcrypt, Argon2), even 12 characters is extremely resistant to cracking. The danger is sites with weak or unsalted hashing — which you cannot control. Length protects you even in the worst-case breach scenario.

What Makes a Password Strong vs. Weak?

A strong password has high entropy — many possible combinations — generated randomly. A weak password has low entropy, usually because it follows a predictable pattern that attackers know to try first.

Weak password patterns attackers target first:

  • Dictionary words and common phrases — sunshine, dragon, letmein
  • Keyboard patterns — qwerty, 123456, asdfgh
  • Names plus years — sarah1987, mike2023
  • Character substitutions — p@ssw0rd, s3cur1ty (attackers run these variations automatically)
  • Repeated characters or sequences — aaaaaa, abcdef

These patterns are encoded in wordlists and rule sets used by password-cracking tools. A tool like Hashcat applies thousands of mangling rules (capitalize first letter, add year at end, substitute @ for a) to dictionary words — it can test millions of "creative" passwords per second because they follow known patterns.

A strong password has none of these properties. It is generated by a CSPRNG, uses all character types, and is at least 16 characters long. J7!mPxQv#2kLwN8r is a strong password. MyD0g$Nam3IsMax! is not — despite containing symbols and numbers, it follows a recognizable structure that attackers test systematically.

The password strength checker evaluates your password against known weak patterns and estimates its entropy, so you can see exactly where a password stands before using it.
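A small checker for the weak patterns listed above, added here as an example and not the RoughTools strength checker's own code. COMMON_WORDS is a constructed stand-in for a real cracking wordlist, and the substitution table inverts the mangling rules the section describes.

```javascript
// Added example (not the RoughTools checker's own code): flag the weak password
// patterns listed above. COMMON_WORDS is a constructed stand-in for a cracking wordlist.
const COMMON_WORDS = ['password', 'sunshine', 'dragon', 'letmein', 'sarah', 'mike', 'max', 'dog'];
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890'];
// The substitutions a mangling rule applies ("@ for a, 3 for e"), inverted.
const LEET = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };

// Undo the substitutions so p@ssw0rd is compared as "password".
function unleet(s) {
  return [...s].map(ch => LEET[ch] ?? ch).join('');
}

function hasDictionaryWord(s) {
  return COMMON_WORDS.some(w => s.includes(w));
}

// Four or more adjacent keys along one keyboard row, in either direction.
function hasKeyboardWalk(s) {
  return KEYBOARD_ROWS.some(row => {
    const rev = [...row].reverse().join('');
    for (let i = 0; i + 4 <= row.length; i++) {
      if (s.includes(row.slice(i, i + 4)) || s.includes(rev.slice(i, i + 4))) return true;
    }
    return false;
  });
}

// Three or more characters with consecutive character codes (abc, 123).
function hasSequence(s) {
  for (let i = 0; i + 3 <= s.length; i++) {
    const c = s.charCodeAt(i);
    if (s.charCodeAt(i + 1) === c + 1 && s.charCodeAt(i + 2) === c + 2) return true;
  }
  return false;
}

// Names of the weak patterns found; an empty array means none of them matched.
function weakPatterns(password) {
  const lower = password.toLowerCase();
  const plain = unleet(lower);
  const found = [];
  if (hasDictionaryWord(lower) || hasDictionaryWord(plain)) found.push('dictionary word');
  if (hasKeyboardWalk(lower) || hasKeyboardWalk(plain)) found.push('keyboard pattern');
  if (/[a-z]{3,}(19|20)\d\d$/.test(lower)) found.push('name plus year');
  if (!hasDictionaryWord(lower) && hasDictionaryWord(plain)) found.push('character substitution');
  if (/(.)\1\1/.test(lower)) found.push('repeated characters');
  if (hasSequence(lower) || hasSequence(plain)) found.push('sequence');
  return found;
}
```

Running `weakPatterns` on the article's two examples returns an empty array for J7!mPxQv#2kLwN8r and at least "dictionary word" for MyD0g$Nam3IsMax!.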

Is a Random Password Better Than a Passphrase?

A random character password and a random passphrase are both strong — the choice depends on whether you need to memorize the password or store it in a manager.

A passphrase is four or more random words strung together: correct-horse-battery-staple. According to information theory, a random 4-word passphrase drawn from a 7,776-word wordlist (the Diceware list) has approximately 51.7 bits of entropy — roughly 4 × 12.9 bits per word. A 6-word passphrase reaches about 77.5 bits — equivalent to an 11-character random string with full character set.

| Password type | Example | Entropy | Memorizable? |
|---|---|---|---|
| 8-char complex | Tr0ub4d! | 37–52 bits | Yes, but weak |
| 16-char random | J7!mPxQv#2kLwN8r | 105 bits | Not easily |
| 4-word passphrase | dog-lamp-river-blue | 51 bits | Yes |
| 6-word passphrase | cloud-jump-river-soft-pen-glass | 77 bits | With practice |

Use a random character password when: storing it in a password manager (no memorization required) and the site has no restrictions on character types.

Use a passphrase when: you must memorize the password (your computer login, your password manager master password), the site has a character limit that prevents 16+ character strings, or you prefer readable passwords you can type without a manager.

Both approaches are valid. A 6-word passphrase and a 16-character random password both provide strong security. The Secure Password Generator offers both modes.

Common Mistakes to Avoid When Creating Passwords

  • Using personal information. Birthdates, names, pet names, addresses, and phone numbers are among the first guesses in a targeted attack. Social media makes this information publicly available — an attacker who knows your name and dog's name will add those to their wordlist immediately. Personal information in a password reduces entropy to near zero for someone who knows you.

  • Reusing passwords across sites. A password reused on 10 sites is as secure as the weakest of those 10 sites. When the least-secure site is breached and the password appears in a credential dump, attackers test it against every major service automatically. This is called credential stuffing — and it succeeds because most people reuse passwords. Use a unique password for every account, generated by a password manager.

  • Making "complex" short passwords instead of long random ones. P@ssw0rd! appears complex but has under 52 bits of entropy and appears on every cracking wordlist. passwordpasswordpassword is 24 characters of lowercase letters with 112.6 bits of entropy and is significantly harder to crack — despite being "simpler." Length beats complexity every time.

  • Changing passwords on a forced schedule without a breach trigger. NIST SP 800-63B explicitly recommends against forced periodic password rotation (e.g., "change every 90 days") unless there is evidence of compromise. Forced rotation leads users to make predictable incremental changes (Password1, then Password2), which reduces effective entropy. Change passwords when there is a reason to — a breach, a shared access that ended, or a suspected compromise.

  • Storing passwords in a browser's built-in "remember password" feature as your primary vault. Browser-stored passwords are accessible to any extension with broad permissions, to anyone with physical access to your device, and are often synced insecurely. A dedicated password manager encrypts your vault with your master password — browser storage does not offer equivalent protection. Use a password manager as your vault, not the browser.

Frequently Asked Questions

What is the safest type of password? The safest password is a long, randomly generated string using all character types, stored in a password manager and used on only one account. A 20-character random password using uppercase, lowercase, numbers, and symbols has approximately 131 bits of entropy — essentially uncrackable with any foreseeable computing technology. Pair it with 2FA for maximum account security.

What if a site has a maximum password length of 8 or 12 characters? Some older systems cap password length at 8, 10, or 12 characters — a significant security limitation you cannot work around. Within the allowed length, maximize entropy by using all permitted character types. If the site allows 12 characters with all types: 12 × 6.57 = 78.8 bits — adequate but not ideal. Flag the site as higher risk and monitor it with a breach notification service like Have I Been Pwned (haveibeenpwned.com).

What is the difference between a password generator and a password manager? A password generator creates random passwords — it produces the string. A password manager stores, encrypts, and auto-fills your passwords — it remembers them. You need both: generate strong unique passwords with a generator, store them with a manager. Most password managers include a built-in generator. The Secure Password Generator at RoughTools generates passwords for immediate use — copy the output directly into your password manager.

How many unique passwords do I actually need? One per account that matters. The average person has 70–80 online accounts, according to password manager usage studies. That number grows over time. A password manager handles this at no cognitive cost — you remember one master password and the manager remembers everything else. Start by generating unique passwords for your highest-priority accounts: email, banking, work systems, social media, and your password manager itself.

When should I use the password generator vs. creating a password myself? Use the Secure Password Generator for every account where the password will be stored in a manager — which should be almost all of them. Human-created passwords follow patterns that reduce effective entropy. The generator produces genuinely unpredictable output. The only exception: your password manager master password, which you must memorize — use a 6-word random passphrase for that one, generated by a passphrase tool rather than trying to create it yourself.

Use the Free Secure Password Generator

The Free Secure Password Generator at RoughTools generates cryptographically random passwords to any specification — choose your length (up to 64 characters), select which character types to include, and get a new random password instantly. It runs entirely in your browser using the Web Crypto API, so no password is ever sent to a server. Generate multiple options, copy to clipboard, and store in your password manager. No account needed, no data logged, completely free.

Free Secure Password Generator →

You might also need:

  • Password Strength Checker — evaluate the entropy and weakness of any existing password
  • Hash Generator — generate MD5, SHA-1, SHA-256, and other hashes for data verification
  • VPN Checker — verify whether your connection is routed through a VPN before logging in
  • SSL Checker — verify that a website's SSL certificate is valid before entering credentials
