You know you should use stronger passwords. Everyone knows. Then a service makes you create one and you reach for "MyName2024!" because it has uppercase, lowercase, a number, and a symbol — and that is what the form told you was a "strong" password.
It is not a strong password. This guide explains what actually makes a password resistant to attack, why length beats complexity, how to generate genuinely strong passwords in seconds, and what habits to avoid.
Password strength is measured by how hard it would be to guess through brute-force attack — trying every possible combination until one works. The metric is called entropy, measured in bits. Each bit doubles the number of guesses required.
To resist modern brute-force tools running on cloud GPUs, your password needs at least 80 bits of entropy. To resist nation-state attackers with practically unlimited resources, you want 100+ bits. Here is how different password styles compare:
The first two passwords feel "secure" because they include uppercase, lowercase, numbers, and symbols. They are not. The attacker's dictionary already includes every variation of "Password" with common substitutions.
Each additional character increases entropy more than adding character types does. Going from a 12-character password to a 16-character password roughly doubles the attack time, while adding a symbol to an 8-character password barely makes a dent.
The practical implication: a 20-character password using only lowercase letters is stronger than a 10-character password with uppercase, lowercase, numbers, and symbols. The XKCD "correct horse battery staple" comic from 2011 made this point famous, and the math behind it is still correct.
The strongest passwords combine both: 20+ characters with multiple character types. Memorisable phrases work well as passphrases — for example, four random words like "violet-thunder-coffee-banjo" give ~50 bits and are easy to type.
The truth is you should not be memorising passwords at all. The reason "MyName2024!" gets reused across accounts is that no human can remember 80 different 16-character random strings. Password managers exist specifically to solve this:
You memorise one master password (a long passphrase you can remember) and let the manager handle everything else. Every account gets a different randomly-generated password. If one site is breached, the damage stops there.
Criply's free password generator uses the Web Crypto API (crypto.getRandomValues) — the same cryptographically secure random number generator used by professional password managers. To use it:
Generate one password per account — never reuse. The generator runs in your browser and stores nothing.
Five habits that destroy password security:
1. Reusing passwords across sites. When one site is breached (and dozens are every year), attackers test the leaked passwords against every major service. Unique passwords stop this entirely.
2. Using personal information. Pet names, birthdays, family names, sports teams — all in attacker dictionaries. Anything someone could learn from your social media profile is unsafe.
3. Substituting numbers for letters and calling it strong. "P@ssw0rd" is in every cracking dictionary. Attackers tried it before they tried "password".
4. Storing passwords in plain text. Browser bookmarks, sticky notes, plain text files, email drafts — all bad. Use a password manager. The built-in browser one is free and far better than nothing.
5. Sharing passwords via email or SMS. Use a password manager's built-in sharing feature, or services like 1Password's Shared Vaults. Email is permanent and unencrypted at rest.
How long should my password be?
16 characters minimum for routine accounts. 24+ for email, banking, and password manager master passwords. Length matters more than complexity.
Should I change my passwords regularly?
No — this is outdated advice. Modern security guidance from NIST recommends changing a password only when there is a specific reason (a breach, suspicion of compromise). Forced regular changes lead to weaker passwords because people pick predictable variations of their previous ones.
Is two-factor authentication still important with a strong password?
Yes — possibly more important. 2FA stops account takeover even when your password is compromised (through a phishing attack, malware, or service breach). Combine a strong unique password with TOTP-based 2FA (Google Authenticator, Authy, or hardware keys for highest security).
Are passwords stored anywhere by your generator?
No. The generator runs entirely in your browser using the Web Crypto API. No password is transmitted anywhere, logged, or stored. Once you close the tab, the generated passwords are gone — copy and paste into your password manager.
Use our free Password Generator tool — works in your browser, nothing to install.