UtilityBase logoUtilityBase

2 min read

How to Create a Strong Random Password

What actually makes a password strong, why uniqueness beats cleverness, and how local generation keeps passwords private.

The three properties that matter

Strong passwords have exactly three properties: length (each added character multiplies the search space), randomness (generated by a machine, not composed from words, dates, and substitutions humans reuse), and uniqueness (never shared between accounts). A 16-character random password with mixed character sets is beyond practical brute force.

Uniqueness deserves emphasis because it addresses the most common real attack: credential stuffing, where a password leaked from one site is tried on every other. The strongest password in the world protects nothing if it's reused on a site that gets breached.

Generating one safely

A well-built browser generator uses the Web Crypto API — the operating system's cryptographically secure random source — and runs entirely on your device, so the password never crosses a network. You can verify this property yourself: load the page, disconnect from the internet, and generate.

  1. 1Open the Password Generator.
  2. 2Set length to 16+ (20+ for high-value accounts).
  3. 3Enable all character sets; enable 'exclude ambiguous' only if you'll read the password aloud or type it from paper.
  4. 4Generate, copy, and save it directly into a password manager.

Where passphrases fit

For the handful of passwords you must memorize — a password manager's master password, disk encryption — a random passphrase of five or six words is easier to type and remember while remaining extremely strong. For everything else, random character strings stored in a manager are the practical choice.

Frequently asked questions

Are password strength meters accurate?

They're estimates of entropy, good for catching obviously weak choices. A meter can't know if a password is reused or already leaked — uniqueness is on you.

How often should I change passwords?

Current guidance: change on evidence of compromise, not on a schedule. Forced rotation nudges people toward weaker, patterned passwords.

Tools mentioned in this guide

Keep reading