Tech Tips
How to Generate a Strong Password (2026 Security Rules)
The password rules you learned in 2015 are wrong in 2026. Here's what actually makes a password uncrackable now, and how to generate one in 5 seconds.
What "strong" means today
Modern attackers don't guess passwords by hand — they use GPU clusters that try billions of combinations per second. Against that, the only defense that matters is length + randomness.
Old rule: "8 characters with an uppercase, number, and symbol" — cracked in under a day.
New rule: 16+ random characters (or a 5+ word passphrase) — cracked in longer than the age of the universe.
The two winning strategies
Strategy 1: Random characters (best for password managers)
`Xk9#mP2$vL8@qR4!`
- 16 characters minimum, 20+ ideal
- Mix upper, lower, numbers, symbols
- No dictionary words, no personal info
- Different for every site
Strategy 2: Passphrase (best for the few you must memorize)
`correct-horse-battery-staple-purple`
- 5+ random dictionary words separated by hyphens or spaces
- Randomly chosen, not a sentence you invented (sentences follow grammar patterns attackers exploit)
- Easy to type, easy to remember, brutally hard to crack
Both are secure. Random-character wins if you use a manager (you should). Passphrase wins for your master password and the 2-3 you might type from memory.
Generate one in 5 seconds
Use the [ToolsHive password generator](/developer-tools/password-generator):
1. Set length to 20
2. Include uppercase, lowercase, numbers, symbols
3. Click Generate
4. Copy → paste into your password manager
Everything runs in your browser — the generated password never touches a server.
What NOT to include
- Your name, birthday, pet's name, address — attackers scrape social media
- Common patterns: `Password1!`, `Qwerty123`, `MyName2026` — all in the top 100k leaked passwords
- Sequential characters (`abcdef`, `123456`)
- Personal words even if "clever": `MikeLovesPizza` — cracked in minutes
The rules that no longer apply
- "Change password every 90 days" — NIST officially retracted this in 2017. Forced changes lead to weaker passwords (Password1 → Password2). Only change if breached.
- "Must include a symbol" — length dominates. A 20-char lowercase password beats a 10-char mixed one.
- "Never write it down" — writing it in a locked notebook at home is safer than reusing one you can memorize.
The one rule that overrides everything
Use a password manager. Bitwarden (free), 1Password, or Apple/Google Passwords built into your device. Store a unique 20-char random password for every site. You only need to remember one master passphrase.
Without a manager, you'll inevitably reuse passwords. One breach then compromises every account.
Two-factor authentication (2FA)
Even the strongest password is one breach away from being useless. Turn on 2FA for:
- Email (this is #1 — email resets everything else)
- Bank / financial accounts
- Cloud storage (Google Drive, iCloud, Dropbox)
- Social media
- Password manager itself
Use an authenticator app (Google Authenticator, Authy) or hardware key (YubiKey), not SMS — SMS 2FA can be intercepted via SIM swap.
The 3-minute security setup
1. Install Bitwarden (free)
2. Generate a strong master passphrase using [our tool](/developer-tools/password-generator)
3. Turn on 2FA on email and bank
4. Let Bitwarden generate + save new passwords as you log in over the next few weeks
Try the [strong password generator](/developer-tools/password-generator) — free, no signup, runs in your browser.
5 min read
More Tech Tips guides
10 Ways to Speed Up a Slow Laptop (Without Buying a New One)
Free, safe fixes that reliably bring old Windows and Mac laptops back to life.
The Best Free AI Tools in 2026 (Actually Useful, Not Hype)
Free AI tools worth adding to your workflow this year — writing, images, coding, research.
20 ChatGPT Prompts That Save Hours Every Week
Copy-paste prompts for email, planning, learning, coding, and content — with why each one works.