Here's a hot take: your password is probably terrible. Not because you're lazy — because the advice you've been given for years is wrong. "Use a capital letter, a number, and a symbol!" Great, so now everyone types "Password1!" and calls it a day.
The real question isn't whether your password has a special character. It's how long it would take someone (or a machine) to guess it. And for most people, the answer is: not nearly long enough.
Why most passwords fail
Attackers don't sit at a keyboard typing guesses one by one. They run automated tools that try millions of combinations per second. These tools are smart, too. They start with the obvious stuff:
- Every word in the dictionary, plus common misspellings
- Names, dates, and pet names scraped from social media
- Keyboard patterns like "qwerty" and "1qaz2wsx"
- Billions of real passwords from previous data breaches
So when you pick "Bella2024" or "Sunshine!" as your password, you're not being creative. You're picking something an attacker's script already has in its list.
And those "clever" letter substitutions? Swapping 'a' for '@' or 'e' for '3'? Attackers figured that out ages ago. "P@ssw0rd" cracks just as fast as "Password."
How long should a strong password be?
Length matters more than anything else. Every extra character multiplies the number of possible combinations by the size of the character set, so the total grows exponentially with length.
- 8 characters: Around 200 billion combinations. Crackable in minutes with modern GPUs.
- 12 characters: About 3 sextillion combinations. That buys you centuries.
- 16 characters: Roughly 1 undecillion combinations. Nobody's cracking that.
If you take away one thing from this post, make it this: your passwords should be at least 12 characters, and 16 or more is better. Character variety helps too — mixing uppercase, lowercase, numbers, and symbols pushes the number of possible characters per position from 26 to 95. But length always wins.
Three ways to create a strong password
1. Use a random generator (the strongest option)
A computer picking truly random characters will always beat a human trying to be clever. Head over to the String Generator on ToolsJam, set the length to 16+, enable uppercase, lowercase, numbers, and symbols, and hit generate. You'll get something like:
Kx9#mP2$vQ7nL5@w
Nobody's memorizing that. And that's fine — because you shouldn't be memorizing individual passwords anyway. This method pairs perfectly with a password manager (we'll get to that).
2. Build a passphrase (strong and memorable)
A passphrase strings together 4-6 random words into something your brain can actually hold onto. Think:
maple quantum blanket river
Four truly random words drawn from a large word list give you roughly 65 bits of entropy — equivalent to a 10-character random password, and far easier to remember. The strength comes from the randomness of the selection, not from the words themselves. Don't pick words that form a sentence. Don't use a famous quote or song lyric. Grab words at random from a dictionary or word list; the bigger the list, the more each word adds.
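To make the length-versus-variety and passphrase-entropy points concrete, here is an added example (not from the original post or from ToolsJam) that generates both kinds of password with Python's CSPRNG and works out the entropy and the worst-case time to exhaust the search space. The word list, the guess rate and the hypothetical 10,000-word list size are constructed inputs for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a real passphrase word list. Real lists have thousands
# of words; it is the list SIZE that sets the entropy, so size is passed separately.
SAMPLE_WORDS = ["maple", "quantum", "blanket", "river",
                "copper", "lantern", "orbit", "velvet"]
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable + no space


def random_string(length=16, alphabet=FULL_ALPHABET):
    """Random password; secrets (not random) is the cryptographically strong source."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words, count=4):
    """Words are chosen independently and uniformly, so repeats are allowed."""
    return " ".join(secrets.choice(words) for _ in range(count))


def string_entropy_bits(length, alphabet_size):
    """log2 of the number of equally likely strings: each position has alphabet_size choices."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, list_size):
    """Same idea per word: entropy depends on how many words the attacker must consider."""
    return word_count * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time for an attacker to try every candidate at a fixed rate (upper bound on luck)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed guess rate. Real rates depend on how the site hashes passwords:
    # a fast unsalted hash allows billions of guesses/s, bcrypt or Argon2 far fewer.
    rate = 1e9
    rows = [
        ("8 chars, lowercase only", string_entropy_bits(8, 26)),
        ("8 chars, full set", string_entropy_bits(8, 95)),
        ("12 chars, full set", string_entropy_bits(12, 95)),
        ("16 chars, full set", string_entropy_bits(16, 95)),
        ("4 words, 7,776-word list", passphrase_entropy_bits(4, 7776)),
        ("4 words, 10,000-word list (hypothetical)", passphrase_entropy_bits(4, 10000)),
    ]
    for label, bits in rows:
        print(f"{label:42s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.3g} years")
    print("example string:", random_string(), "| example passphrase:", passphrase(SAMPLE_WORDS))
```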
Need to satisfy a site's character requirements? Toss in a number and symbol:
maple 7 quantum blanket !river
Still memorable. Still strong.
3. The sentence trick (a decent compromise)
Pick a sentence you won't forget: "My first apartment was on 5th street in Brooklyn." Take the first letter of each word: MfaWo5siB. Add a symbol and some length: MfaWo5siB!2026.
This is weaker than the other two methods because it follows a pattern a determined attacker could potentially guess. But it's miles ahead of "Brooklyn2024" and you'll actually use it — which matters more than theoretical perfection.
Is a passphrase better than a random password?
For pure security, a long random string wins. For something you need to type from memory — like a master password or a laptop login — a passphrase is the better pick. A 5-word passphrase is easy to remember and very strong. Just stay away from common phrases, quotes, or anything someone could find on your social media.
In practice, you'll use both. Random strings for the hundreds of accounts your password manager handles. A passphrase for the one password you actually need to know.
You should use a password manager
I'll be direct: if you aren't using a password manager, start today. I get the hesitation — "all my eggs in one basket" feels risky. But the alternative is reusing the same mediocre password across dozens of sites, which is far worse.
Here's what a password manager does for you:
- Generates a unique, long, random password for every single account
- Auto-fills credentials so you never type them
- Stores everything encrypted behind one master password
- Syncs across your phone, laptop, and tablet
Your master password is the only one you memorize. Make it a strong passphrase — something like the examples above. Everything else gets generated by the manager.
Good options: Bitwarden (free and open source), 1Password, or the built-in manager in Chrome, Firefox, or Safari. Any of these beats the "reuse one password everywhere" strategy.
Mistakes that feel safe but aren't
Reusing passwords across sites. When one site gets breached — and breaches happen constantly — attackers take your email and password and try it on every other major service. One leaked password can unravel your email, bank, and social media in minutes. It's called credential stuffing, and it's the number one way accounts get taken over.
Appending "123" or "!" to a weak password. The most common modification is tacking numbers or a single symbol onto the end. Attackers know this. Their tools try it automatically. "MyPassword!" is barely harder to guess than "MyPassword."
Changing passwords every 90 days. This old corporate advice actually backfires. People forced into frequent changes fall into patterns: "Spring2026!", "Summer2026!", "Fall2026!". NIST — the U.S. government's standards body — now recommends against mandatory rotation. Change your password when you suspect it's been exposed, not on a calendar.
Check if you've already been exposed
Before you set up a new password, check whether your current credentials have leaked. The site Have I Been Pwned (haveibeenpwned.com) lets you search your email address against known breaches. If you show up — and most people do — change that password immediately, along with any other account where you reused it.
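Have I Been Pwned also offers a password lookup (its Pwned Passwords range API, which the post does not mention) that lets you check a candidate password against breach data without sending the password itself: you hash it locally, send only the first five hex characters of the SHA-1, and match the rest against the suffixes returned. This added example, not from the original post, implements that k-anonymity check; the sample response body and its counts are constructed so the parsing can be run offline, and only the `main` block touches the network.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # returns "SUFFIX:COUNT" lines for a 5-char prefix


def sha1_split(password):
    """Hash locally; only the 5-char prefix is ever sent, the 35-char suffix stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body, suffix):
    """Scan the returned suffix list for ours; 0 means the password was not in the corpus."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        found_suffix, count = line.strip().split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Network call: every password with this prefix comes back, so the server learns only the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password):
    prefix, suffix = sha1_split(password)
    return count_in_range(fetch_range(prefix), suffix)


# Constructed sample body in the API's line format (counts and filler suffixes are made up).
_demo_suffix = sha1_split("password")[1]
SAMPLE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed filler line
    _demo_suffix + ":12345",                   # constructed count for the password "password"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:3",   # constructed filler line
])

if __name__ == "__main__":
    print("offline sample:", count_in_range(SAMPLE_BODY, _demo_suffix), "hits")
    candidate = "maple 7 quantum blanket !river"
    n = pwned_count(candidate)  # live lookup
    print("seen in breaches" if n else "not found in breach corpus", n)
```

A non-zero count means the exact password has already appeared in a breach and belongs on the "change it" list, whichever account it is used for.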
Your action plan
You don't need to overhaul everything in one sitting. Here's a realistic timeline:
- Today: Pick a strong master passphrase and set up a password manager.
- This week: Use the String Generator to create unique passwords for your email, bank, and primary social media accounts. These are the ones that hurt most if compromised.
- Over the next month: Work through the rest of your accounts, replacing reused passwords with generated ones.
- Going forward: Let your password manager generate a fresh password every time you create a new account.
That's the whole system. One strong passphrase you remember, a password manager for everything else, and a random string generator whenever you need something bulletproof. Set it up once and you're covered for years.