BlipFiles

Tutorial · passwordGenerator

How to create strong passwords nobody can crack

Forget "Password@123". Strong passwords today aren't the most complex for you to remember — they're the longest for a computer to test. Here's how, plus a free generator.

4 min read · Updated on April 27, 2026

16 billion credentials leaked in 2025. If your password was in any of those dumps (and it probably was), it's worthless now. It doesn't matter that you "made a strong password" — what matters is whether it shows up in a wordlist hackers use to test logins at scale. And it does.

Good news: making a password that survives both brute-force AND dictionary attacks is simple if you follow 4 rules.

Why "Password@123" isn't strong (despite the symbol)

The problem isn't the content — it's the pattern. "Password@123" has uppercase, lowercase, a number and a symbol, so it passes any signup form's requirements. But it's in the top 50 most-used English passwords. Hackers test it BEFORE any brute-force. Your account falls in 0.2 seconds.

Strong password = NOT in any known wordlist + long enough that brute-force is infeasible. Visual complexity has nothing to do with it.

The 4 NIST 2026 rules

  • Length ≥ 12 characters. Each extra character doubles crack time. 12 chars = years. 16 chars = centuries. 8 chars = hours.
  • Random. Human-generated passwords follow predictable patterns (word + number + symbol at end). Use a generator.
  • Unique per service. Leaked on LinkedIn? Hackers try the same on your bank. If different, they stop there.
  • Stored in a manager. You don't need to memorize — you need 1Password, Bitwarden or KeePass to remember for you.

How long a hacker takes to crack

  • 8 characters (letters only): instant
  • 8 characters (mixed): 1 hour
  • 12 characters (mixed): 200 years
  • 16 characters (mixed): 1 trillion years
  • 20+ characters (mixed): essentially impossible with current hardware

These assume an offline brute-force attack (RTX 4090 cards testing 100 billion hashes/sec against a leaked password database). Attackers guessing against a live login are far slower thanks to rate limiting, but the margin is clear: 12+ chars is the floor, 16 is the sweet spot.


Mistakes that look smart but aren't

Swapping letters for numbers (leet speak)

"P@ssw0rd" isn't safer than "Password" — all modern wordlists test leet variants automatically. You just made it harder for yourself, easier for nobody else.

Passphrases without randomness

"I love coffee in the morning" is 28 characters, but it's a common English phrase, and wordlists built from 4-5 word phrases crack it. Passphrases work only if the words are RANDOM (correct-horse-battery-staple, the XKCD classic).
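The article's test, written out as an added example in Python (not the BlipFiles generator's own code): generate with a CSPRNG, reject anything that appears in a wordlist once the leet substitutions and spacing from the two mistakes above are undone, then estimate brute-force time at the 100 billion guesses/sec assumed in the crack-time table. The wordlist, the word list and the leet table are constructed stand-ins; real ones are far larger.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 100_000_000_000  # offline rate the article assumes
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed stand-in for a leaked-password wordlist; real ones hold billions of entries.
KNOWN_PASSWORDS = {"password", "password@123", "qwerty", "123456", "ilovecoffeeinthemorning"}
# Constructed mini word list; a real Diceware-style list has thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern", "velvet", "cactus"]
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s"})
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32)]

def generate_password(length=16, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Draw every character uniformly from the OS CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("12 characters is the floor")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(words=4, wordlist=WORDS, sep="-"):
    """Random passphrase: independent uniform draws, so entropy = words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def in_wordlist(pw):
    """Cracking rule sets undo leet and spacing, so test both the plain and de-leeted forms."""
    forms = {pw.lower(), pw.lower().translate(LEET)}
    return any(f.replace(" ", "") in KNOWN_PASSWORDS for f in forms)

def alphabet_size(pw):
    """Size of the character set an attacker must enumerate to cover every class pw uses."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in pw))

def entropy_bits(length, size):
    return length * math.log2(size)

def years_to_brute_force(length, size, rate=GUESSES_PER_SECOND):
    """Worst-case years to enumerate every candidate of that length at `rate` guesses/second."""
    return size ** length / rate / SECONDS_PER_YEAR

def assess(pw):
    """The article's test: not in any wordlist first, then long enough to defeat brute force."""
    if in_wordlist(pw):
        return "weak: in wordlist, tested before any brute force"
    if len(pw) < 12:
        return "weak: shorter than 12 characters"
    size = max(alphabet_size(pw), 1)
    return "ok: %.0f bits, ~%.1g years to brute-force" % (
        entropy_bits(len(pw), size), years_to_brute_force(len(pw), size))
```

`assess()` rates per character, which is right for `generate_password()` output but overstates a passphrase; for `generate_passphrase()` the honest figure is `words * log2(len(wordlist))`, which is why the word list must be large and the draws random.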

Using your email password "for important stuff"

Email is the root. Whoever takes your email resets ALL your other accounts (bank, social, AWS) via "forgot password". Your email password has to be the longest and most unique of all, and it needs 2FA via an authenticator app, not SMS.

What to do now

  • Use the generator below to create a 16+ char password with everything enabled.
  • Save it in your manager (1Password, Bitwarden, or your browser's).
  • Enable 2FA on every account that supports it — prefer authenticator app (Authy, Aegis) over SMS.
  • Check if your email leaked at haveibeenpwned.com. If yes, change that password EVERYWHERE you used it.

Frequently asked questions

Yes — actually safer. A password manager (1Password, Bitwarden) stores it for you and you only memorize the master password. You end up with DIFFERENT passwords for each service, all long, all unique.