
Generate Strong Passwords You’ll Actually Use

Forget the impossible-to-remember gibberish. This guide shows how to create passwords (and passphrases) that are truly strong, easy to use, and safe to manage with a password manager and 2-factor authentication.


Quick cheatsheet

  • Length beats complexity. Aim for 16–20+ characters for accounts; 24+ for admin/high-risk.
  • Unique for every site. One leak shouldn’t unlock everything.
  • Use a manager. Let software remember; you remember one strong master passphrase.
  • Turn on 2FA. Prefer authenticator apps or security keys over SMS.

What makes a password strong

Attackers try billions of guesses using leaked password lists and smart rules. Your defense is entropy—randomness from length and character variety.

  • Length: exponential growth in guesses. 16 chars is dramatically stronger than 10.
  • Unpredictability: avoid names, dates, lyrics, and keyboard walks like qwertyuiop.
  • Uniqueness: if one site is breached, others stay safe.

Passphrases vs random strings

Passphrase (Diceware-style)

Pick 4–6 random words and separate them with a symbol or space. They’re long, high-entropy, and human-friendly.

Example:  mango*sunset*orbit*river*lantern

Great for the master password to your manager or for accounts you must type often.

Random string (generator)

Let the generator create a long mix of letters, numbers, and symbols. You’ll paste it from the manager.

Example:  7rTnW6tZJmYQw4s!cA2Vh9q^

Both are excellent. Use passphrases where you type by hand; use random strings everywhere else.

How long is “long enough”

  • Everyday accounts: 16–20 characters
  • Finance/admin: 20–24+ characters
  • Master passphrase: 5–7 random words (with a separator)

Don’t obsess over quirky symbol rules. If a site allows, choose length + full character set and you’re golden.
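The entropy argument above (length beats complexity), the two generator styles, and the "banned symbols" case from the FAQ can all be worked through in a few lines. The following is an added example, not code from the original article: it uses Python's `secrets` module (a CSPRNG, which is what a password generator must use; `random` is not suitable) to build both a Diceware-style passphrase and a random string, and computes the entropy of each from the size of its search space. The 16-word list is a constructed stand-in for a real Diceware list of 7,776 words; the helper names are mine.

```python
import math
import secrets
import string

# Constructed mini word list. A real Diceware list has 7,776 words, giving
# log2(7776) ~= 12.9 bits per word; with 16 words this toy list gives only 4 bits.
WORDS = ["mango", "sunset", "orbit", "river", "lantern", "cobalt", "velvet", "quartz",
         "harbor", "maple", "tundra", "pixel", "saddle", "ember", "glacier", "nimbus"]

DEFAULT_SYMBOLS = "!@#$%^&*-_=+?"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices.

    Entropy grows linearly in length, so the guess count (2**bits) grows
    exponentially: this is why 16 characters beat 10 by so much.
    """
    return length * math.log2(alphabet_size)


def random_string(length: int = 24, symbols: str = DEFAULT_SYMBOLS) -> str:
    """Random password over letters, digits and `symbols`.

    Pass symbols="" for sites that ban punctuation; compensate with length.
    """
    alphabet = string.ascii_letters + string.digits + symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 5, sep: str = "*", words=WORDS) -> str:
    """Diceware-style passphrase: words chosen uniformly, joined by a separator."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches `target_bits` over the given alphabet.

    Used to answer "symbols are banned, how much longer must it be?".
    """
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_styles(target_bits: float = 80.0) -> dict:
    """Entropy of the article's three recommendations, assuming a 7,776-word list."""
    full_alphabet = len(string.ascii_letters + string.digits + DEFAULT_SYMBOLS)  # 75
    alnum_only = len(string.ascii_letters + string.digits)  # 62
    return {
        "passphrase_5_words_bits": round(entropy_bits(7776, 5), 1),
        "random_16_chars_bits": round(entropy_bits(full_alphabet, 16), 1),
        "random_24_chars_bits": round(entropy_bits(full_alphabet, 24), 1),
        "len_for_target_with_symbols": length_for_bits(target_bits, full_alphabet),
        "len_for_target_alnum_only": length_for_bits(target_bits, alnum_only),
    }


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("random    :", random_string())
    print("alnum-only:", random_string(20, symbols=""))
    for k, v in compare_styles().items():
        print(f"{k:30s} {v}")
```

The point the numbers make: a 5-word passphrase from a full list is about 64 bits and a 16-character random string about 100 bits, both far beyond what online guessing or offline cracking of a properly hashed database can reach, and dropping symbols costs only one or two extra characters of length.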

CLI examples (optional)

# macOS/Linux (OpenSSL)
openssl rand -base64 24     # ~32 chars, safe for most sites

# macOS/Linux (pwgen installed)
pwgen -s 20 1               # 20-char secure password

Use a password manager

A manager saves unique passwords for every site, autofills them, and syncs across devices. Tips:

  • Protect it with a strong master passphrase (5–7 random words).
  • Enable the manager’s breach alerts and security audit to catch reused/weak passwords.
  • Lock the vault on inactivity; require the master passphrase on app unlock.

Turn on 2-factor authentication (2FA)

2FA adds a second key. Even if a password leaks, the attacker still can’t log in.

  1. Best: security keys or passkeys (FIDO2 / WebAuthn); both are phishing-resistant.
  2. Great: authenticator apps (TOTP apps such as Aegis, 1Password, Google Authenticator).
  3. OK when nothing else: SMS codes (better than nothing, but vulnerable to SIM swap).
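To show what an authenticator app actually does when it produces a six-digit code, here is an added example (not code from the article) implementing RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library. It includes the server-side check a service would run: a constant-time comparison and a one-step window for clock drift. The secret and timestamps in the test are the RFC 6238 reference vectors; the function names are mine.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    t = int(time.time()) if at is None else int(at)
    return hotp(key, t // step, digits)


def verify_totp(key: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side.

    hmac.compare_digest avoids leaking which digits matched through timing.
    Real services must also reject a code that was already accepted once.
    """
    t = int(time.time()) if at is None else int(at)
    for drift in range(-window, window + 1):
        expected = hotp(key, t // step + drift, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def decode_base32_secret(text: str) -> bytes:
    """Enrollment secrets are shown as base32, often lowercase and space-grouped."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)  # restore the padding many apps strip
    return base64.b32decode(clean)


def encode_base32_secret(key: bytes) -> str:
    """What a service embeds in the otpauth:// enrollment QR code."""
    return base64.b32encode(key).decode().rstrip("=")


if __name__ == "__main__":
    # Constructed demo secret (RFC 6238 test key), not a real credential.
    key = b"12345678901234567890"
    print("enrollment secret:", encode_base32_secret(key))
    print("code now:", totp(key))
    print("valid:", verify_totp(key, totp(key)))
```

Because the code depends only on a shared secret and the clock, it is not phishing-resistant: a fake login page can relay the code within its 30-second window, which is why the article ranks security keys and passkeys above TOTP.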

Rotation & breaches

  • Don’t rotate just because time passed. Rotate when there’s a breach, role change, or shared secret exposure.
  • Do rotate sensitive accounts yearly if policy requires it—and always after an incident.
  • Use your manager’s alerts or a service that tells you if a site was compromised.

Recover safely (so you don’t get locked out)

  • Store backup codes in your manager’s secure notes or an encrypted file.
  • Set at least two 2FA methods (e.g., authenticator app + security key).
  • Keep an up-to-date email/phone for account recovery, but don’t rely on SMS alone.

Red flags to avoid

  • Reusing the same password on multiple sites.
  • Using personal info (family names, pets, dates) or common patterns (Summer2025!).
  • Saving passwords in plain text, notes apps, or browsers without a vault master password.
  • Sharing passwords via email/DM. Use secure share features in your manager instead.
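The first three red flags are mechanically checkable, which is what a password manager's security audit does. As an added example (not code from the article), the checker below flags short passwords, the season-plus-year pattern (Summer2025!), keyboard walks such as qwertyuiop, embedded personal terms, and reuse against a set of passwords already in use. The function names and the sample inputs are constructed for this illustration; a real audit would compare hashes rather than plaintext.

```python
import re

# Rows of a US keyboard; a walk is any run of 4+ adjacent keys, forwards or backwards.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)\d{2,4}", re.IGNORECASE)
MIN_LENGTH = 16


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def audit_password(pw: str, personal_terms=(), in_use=frozenset()) -> list:
    """Return a list of human-readable flags; an empty list means no red flag found."""
    flags = []
    if len(pw) < MIN_LENGTH:
        flags.append(f"shorter than {MIN_LENGTH} characters")
    if SEASON_YEAR.search(pw):
        flags.append("season+year pattern")
    if has_keyboard_walk(pw):
        flags.append("keyboard walk")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in pw.lower():
            flags.append(f"contains personal term '{term}'")
    if pw in in_use:
        flags.append("reused on another site")
    return flags


def audit_vault(vault: dict, personal_terms=()) -> dict:
    """Audit every entry of a {site: password} mapping, detecting reuse across entries."""
    report = {}
    for site, pw in vault.items():
        others = frozenset(p for s, p in vault.items() if s != site)
        report[site] = audit_password(pw, personal_terms, others)
    return report


if __name__ == "__main__":
    # Constructed sample vault for the demo.
    vault = {
        "shop": "Summer2025!",
        "mail": "Rex2019qwerty",
        "bank": "Rex2019qwerty",
        "manager": "mango*sunset*orbit*river*lantern",
    }
    for site, flags in audit_vault(vault, personal_terms=["Rex"]).items():
        print(f"{site:8s} {flags or 'OK'}")
```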

For teams & admins

  • Adopt an organization password manager with shared vaults and off-boarding.
  • Enforce SSO + 2FA where possible.
  • Use role-based access; don’t share root credentials unless absolutely necessary (and rotate after use).

FAQ

Is a passphrase better than a random password?

Both can be extremely strong. Passphrases are easier to remember; random strings are great when your manager stores them. Choose whichever you’ll use consistently.

Do I still need 2FA if my password is very strong?

Yes. 2FA protects against phishing and database leaks. Use an authenticator app or a security key if possible.

What about passkeys?

Passkeys (WebAuthn) replace passwords with public-key crypto and are phishing-resistant. If a site supports them, enable them—they’re the future.

What if a site limits length or symbols?

Go as long as allowed and use your manager to keep it unique. If symbols are banned, increase length to compensate.
