RUNWEBTOOLS
English
Security & Privacy

How to Create and Manage Strong Passwords

Updated 2026-07-06

Almost everyone knows they should use strong passwords, yet the most common ones are still 123456 and password. Part of the problem is bad advice: for years we were told to use a short jumble of symbols and change it every month, which turns out to be both hard to remember and not especially secure. This guide explains what actually makes a password strong and how to manage passwords without losing your mind.

What makes a password strong

A password is strong when it's hard to guess and hard to brute-force — when there are so many possibilities that trying them all is impractical. Two things drive that: length and unpredictability.

Length beats complexity

Each extra character multiplies the number of possible passwords, so length is the single most powerful factor. A long passphrase of ordinary words is far stronger than a short cryptic string — and much easier to remember:

Weaker:   P@ss1!        (8 chars, looks "complex")
Stronger: correct-horse-battery-staple   (long)

The reason the cryptic one is weaker is that attackers know all the usual tricks — swapping a for @, adding 1! at the end — and their software tries those patterns first. Raw length beats predictable substitutions.

Unpredictability (entropy)

The other half is randomness. A password built from a genuinely random mix of characters or randomly chosen words has high entropy— a measure of how unpredictable it is. Anything based on personal details (your name, birthday, pet, favorite team) has low entropy because it's guessable, even if it looks messy.

How attackers actually crack passwords

Understanding the threat helps the advice make sense:

  • Credential stuffing — when one site is breached, attackers try the leaked email/password pairs on every other site. This is why reusing passwords is so dangerous.
  • Dictionary attacks — trying lists of common passwords and words, including the predictable substitutions above.
  • Brute force — trying every combination. Length is what makes this hopeless for the attacker.

The three rules that matter most

  1. Make them long — aim for 16+ characters or a multi-word passphrase.
  2. Make each one unique— never reuse a password across sites, so one breach can't unlock the rest.
  3. Make them random— don't base them on anything about you.

A quick way to generate one that satisfies all three is our password generator: it creates strong random passwords entirely in your browser (nothing is sent anywhere), and lets you tune length and character types. For machine-to-machine secrets like API keys, a random string generator does the same job.

How to remember all of them: don't

The rules above are impossible to follow by memory across dozens of accounts — which is exactly why people reuse passwords. The answer is to stop trying to remember them:

  • Use a password manager. It generates, stores, and fills a unique strong password for every site, and you only remember one strong master password.
  • Turn on two-factor authentication (2FA). Even if a password leaks, a second factor (an app code or hardware key) stops an attacker from logging in. Enable it everywhere that offers it, especially email and banking.
  • Protect your email above all. Your email account can reset most of your other passwords, so it deserves your longest unique password and 2FA.

What you can stop doing

Modern security guidance (including from NIST) has dropped two old habits: forced periodic changes (they push people toward weak, predictable variations) and required symbol/number rules as a substitute for length. Change a password when there's a reason to — a breach, a shared device — not on a calendar. Focus your energy on length, uniqueness, and a password manager, and you'll be ahead of the overwhelming majority of accounts online.

More in Security & Privacy

See all Security & Privacy guides →

Tools mentioned in this guide