How to Create a Strong Password (and Remember It)

Practical guide to creating secure passwords that are actually difficult to crack, plus tips on managing them without losing your mind.

Why Weak Passwords Are Still a Massive Problem

Despite decades of security advice, weak passwords remain the leading cause of account breaches. The most common password in the world is still "123456", appearing in over 23 million breached accounts according to the UK National Cyber Security Centre. Attackers use automated cracking tools that test billions of guesses per second, and where a breached service stored unsalted hashes they can skip the guessing entirely with precomputed lookup tables known as rainbow tables. A short, common password falls in milliseconds; a long random one would take centuries even with dedicated hardware.

What Makes a Password Strong?

Length is the single most important factor. Every additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length. A 12-character password is vastly more secure than an 8-character one, even if both use uppercase letters, lowercase letters, numbers, and symbols. A 20-character password made of random words is stronger than a 10-character string of random symbols. Beyond length, avoid dictionary words, names, dates, and any information that appears in your social media profiles: attackers run "credential stuffing" attacks that incorporate personal data scraped from the internet.

The Passphrase Approach

Security researchers increasingly recommend passphrases over traditional passwords. A passphrase is a sequence of four or more random words, something like "correct-horse-battery-staple" (a famous example from XKCD). It is long enough to be cryptographically strong, yet memorable enough that you can actually type it. The key word is random: "ilovemydog" is not a good passphrase because it uses a predictable pattern. Use a random word generator to pick unrelated words, then connect them with a separator character.

Using a Password Generator

For accounts where you do not need to memorize the password, which is most accounts, a random password generator combined with a password manager is the gold standard. Our free Password Generator lets you set the exact length and character mix you want and generates a cryptographically random result instantly. All generation happens in your browser with no logging. Copy the result directly into your password manager. Aim for at least 16 characters for important accounts like email and banking.

What About Password Managers?

A password manager stores all your passwords in an encrypted vault protected by a single master password. This lets you use a different, fully random password for every account without needing to remember any of them. Popular options include Bitwarden (open source and free), 1Password, and the built-in password managers in Chrome and Safari. The master password itself should be a strong passphrase that you have memorized and never written down digitally.

Two-Factor Authentication: Your Safety Net

Even a strong password can be compromised if the service you are using gets breached and stores passwords improperly. Two-factor authentication (2FA) adds a second layer: even if an attacker has your password, they also need a code from your phone or authenticator app. Enable 2FA on every account that supports it, prioritizing email, banking, and social media. Authenticator apps like Google Authenticator or Authy are more secure than SMS-based 2FA, which can be intercepted via SIM swapping.
