Skip to main content
← All posts

Tech Tips

How to Generate a Strong Password (2026 Security Rules)

The password rules you learned in 2015 are wrong in 2026. Here's what actually makes a password uncrackable now, and how to generate one in 5 seconds.

What "strong" means today

Modern attackers don't guess passwords by hand — they use GPU clusters that try billions of combinations per second. Against that, the only defense that matters is length + randomness.

Old rule: "8 characters with an uppercase, number, and symbol" — cracked in under a day.

New rule: 16+ random characters (or a 5+ word passphrase) — cracked in longer than the age of the universe.

The two winning strategies

Strategy 1: Random characters (best for password managers)

`Xk9#mP2$vL8@qR4!`

  • 16 characters minimum, 20+ ideal
  • Mix upper, lower, numbers, symbols
  • No dictionary words, no personal info
  • Different for every site

Strategy 2: Passphrase (best for the few you must memorize)

`correct-horse-battery-staple-purple`

  • 5+ random dictionary words separated by hyphens or spaces
  • Randomly chosen, not a sentence you invented (sentences follow grammar patterns attackers exploit)
  • Easy to type, easy to remember, brutally hard to crack

Both are secure. Random-character wins if you use a manager (you should). Passphrase wins for your master password and the 2-3 you might type from memory.

Generate one in 5 seconds

Use the [ToolsHive password generator](/developer-tools/password-generator):

1. Set length to 20

2. Include uppercase, lowercase, numbers, symbols

3. Click Generate

4. Copy → paste into your password manager

Everything runs in your browser — the generated password never touches a server.

What NOT to include

  • Your name, birthday, pet's name, address — attackers scrape social media
  • Common patterns: `Password1!`, `Qwerty123`, `MyName2026` — all in the top 100k leaked passwords
  • Sequential characters (`abcdef`, `123456`)
  • Personal words even if "clever": `MikeLovesPizza` — cracked in minutes

The rules that no longer apply

  • "Change password every 90 days" — NIST officially retracted this in 2017. Forced changes lead to weaker passwords (Password1 → Password2). Only change if breached.
  • "Must include a symbol" — length dominates. A 20-char lowercase password beats a 10-char mixed one.
  • "Never write it down" — writing it in a locked notebook at home is safer than reusing one you can memorize.

The one rule that overrides everything

Use a password manager. Bitwarden (free), 1Password, or Apple/Google Passwords built into your device. Store a unique 20-char random password for every site. You only need to remember one master passphrase.

Without a manager, you'll inevitably reuse passwords. One breach then compromises every account.

Two-factor authentication (2FA)

Even the strongest password is one breach away from being useless. Turn on 2FA for:

  • Email (this is #1 — email resets everything else)
  • Bank / financial accounts
  • Cloud storage (Google Drive, iCloud, Dropbox)
  • Social media
  • Password manager itself

Use an authenticator app (Google Authenticator, Authy) or hardware key (YubiKey), not SMS — SMS 2FA can be intercepted via SIM swap.

The 3-minute security setup

1. Install Bitwarden (free)

2. Generate a strong master passphrase using [our tool](/developer-tools/password-generator)

3. Turn on 2FA on email and bank

4. Let Bitwarden generate + save new passwords as you log in over the next few weeks

Try the [strong password generator](/developer-tools/password-generator) — free, no signup, runs in your browser.

5 min read

Try the tool now

Open the tool and put this guide into practice.

Open the tool →

More Tech Tips guides