How to Generate a Strong Password You'll Actually Remember

Weak passwords are the number one cause of account breaches. According to security researchers, over 80% of hacking-related data breaches involve stolen or weak credentials. The fix is simple: use a random, unique password for every account.

This guide explains what makes a password strong, how to generate one instantly, and how to manage passwords without memorizing dozens of random strings.

What makes a password strong?

A strong password has three properties:

1. Length: At least 12 characters, ideally 16 or more. Length is the single most important factor. Each additional character multiplies the number of possible combinations.

2. Randomness: No dictionary words, names, dates, or patterns. Humans are terrible at generating random strings. We default to predictable patterns like "Password1!" or "Summer2026". A computer-generated password avoids this bias.

3. Uniqueness: Every account gets its own password. If you reuse a password and one service gets breached, attackers will try that password on every other service you use. This is called credential stuffing, and it works because most people reuse passwords.

Why you should use a password generator

Your brain is not a good random number generator. When asked to create a "random" password, most people:

• Start with a common word and add numbers at the end
• Replace letters with obvious substitutions (@ for a, 3 for e)
• Use personal information (birthdays, pet names, addresses)
• Reuse the same base password with minor variations

Attackers know all of these patterns. Password cracking tools include rules that test these exact substitutions and variations. A truly random password generated by a computer has no patterns to exploit.

How to generate a strong password

Step 1: Open a password generator

Use a browser-based tool like FixTools Password Generator. Make sure the tool runs client-side (in your browser) and does not send your password to a server.

Step 2: Set your preferences

Choose the password length and character types:

• Length: 16 characters is a good default. Use 20+ for high-security accounts (banking, email, cloud storage).
• Uppercase letters (A-Z): Always include.
• Lowercase letters (a-z): Always include.
• Numbers (0-9): Include for most accounts.
• Symbols (!@#$%^&*): Include when the service allows them. Some older systems restrict which symbols are valid.

Step 3: Copy and save

Copy the generated password and save it in a password manager. Do not write it on a sticky note, email it to yourself, or save it in an unencrypted text file.

How to remember strong passwords

You do not need to memorize random passwords. Use a password manager:

• Bitwarden (free, open source): Works on every platform. Syncs across devices. The free tier is fully featured.
• 1Password (paid): Excellent user experience, family and team plans available.
• Apple Keychain (free, Apple devices): Built into macOS, iOS, and Safari. Seamless if you are in the Apple ecosystem.
• Google Password Manager (free): Built into Chrome and Android. Convenient if you use Google services.

You only need to memorize one strong master password for your password manager. Every other password is generated, stored, and auto-filled by the manager.

The math behind password strength

Password strength is measured in bits of entropy. Higher entropy means more possible combinations and longer cracking times.

A password with N possible characters and L length has N^L possible combinations:

• 8 characters, lowercase only (26^8): 209 billion combinations. Crackable in minutes.
• 12 characters, mixed case + numbers (62^12): 3.2 x 10^21 combinations. Takes years to brute-force.
• 16 characters, mixed case + numbers + symbols (95^16): 4.4 x 10^31 combinations. Takes longer than the age of the universe.

Length matters far more than complexity. A 20-character lowercase password is stronger than an 8-character password with every symbol type.

Common password mistakes

Avoid these patterns that attackers specifically target:

• Dictionary words: "sunshine", "football", "dragon" are in every cracking dictionary.
• Keyboard walks: "qwerty", "asdfgh", "zxcvbn" are among the first patterns tested.
• Leetspeak: "p@ssw0rd" and "h4ck3r" are trivially cracked. Attackers have rules for every common substitution.
• Personal info: Your name, birthday, anniversary, pet's name, or city are all findable on social media.
• Sequential numbers: "123456", "111111", "654321" are the most common passwords in every breach database.
• Short passwords: Anything under 10 characters can be brute-forced quickly with modern hardware.

When to change your password

Contrary to outdated corporate policies, you should NOT change passwords on a fixed schedule (every 30, 60, or 90 days). The National Institute of Standards and Technology (NIST) updated their guidelines in 2017 to recommend against forced rotation.

Change your password only when:

• A service notifies you of a data breach
• You suspect unauthorized access to your account
• You shared the password with someone who should no longer have access
• You discover the password was reused across multiple accounts

Two-factor authentication

A strong password is your first line of defense. Two-factor authentication (2FA) is your second. Even if someone steals your password, they cannot log in without the second factor.

Enable 2FA on every account that supports it, especially:

• Email (Gmail, Outlook, ProtonMail)
• Banking and financial services
• Cloud storage (Google Drive, Dropbox, iCloud)
• Social media (Twitter/X, Instagram, Facebook)
• Developer tools (GitHub, AWS, Vercel)

Use an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA, which is vulnerable to SIM swapping attacks.

Generate a password now

Ready to create a secure password? Open the FixTools Password Generator, set your preferred length and character types, and copy your new password. It takes two seconds, runs entirely in your browser, and nothing is stored or transmitted.