Choosing a strong password

Strong passwords should be long and complex. Use the entire keyboard, incorporating numbers, symbols (!£$%^&#@), and both lowercase and uppercase letters. The longer, the better. A minimum of eight characters is recommended. Do not use personal information like a dog’s name or graduation year. Do not make your password identical to your username or email.

Using a password manager

All of your passwords should be different so that if one is leaked to a hacker, it can’t be used across all of your accounts. Passwords should also be regularly changed. Companies might not inform users of data breaches, and leaked passwords might not be used for long periods of time by hackers. Memorizing all of your newest passwords can be difficult, so we recommend the user of a password manager. A password manager stores all of your accounts’ passwords into a single app or browser extension and can input them automatically when you log in. You only need remember a single master password to access them.

Dangers of weak passwords

Weak passwords can allow intruders into your account. They can hijack email and social media accounts and use them as spam bots. They can steal private information, possibly leading to identity theft. Passwords that aren’t long and complex are vulnerable to “brute force” attacks, which guess every possible combination of characters until they happen across the correct one. Typically, they try combinations of lowercase characters first. Passwords that contain personal info (birth year, favorite sports team) are easier for hackers to guess.

Predictable sequences and the limitations of password strength tools

While this tools identifies many of the most common passwords, it cannot account for for all passwords and the wide range of tools hackers can use to crack them. Using predictable sequences of characters or other non-random sequences will make a password significantly more easy to break and not every such sequence will be picked up by this tool. It is designed for educational purposes only and we cannot guarantee its accuracy.

As an example, advanced password crackers can predict punctuation and capitalization patterns that are not tested for here. Avoid using predictable alterations of dictionary words, for instance, substituting 4 for A or $ for S. These patterns are reflected in the increasingly sophisticated rulesets, dictionaries, and combinations used by modern hackers, as well as the growing number of leaked and cracked password lists.

Why you need strong, unique passwords

Strong and varied passwords are the best defense against hackers and other unauthorized users attempting to gain access to your online accounts. Hackers can use sophisticated tools to guess at probable combinations of characters to crack a password.

In the past, where "brute forcing" a password simply meant attempting every possible combination of letters and numbers until the software happened upon the correct sequence. That took a lot of time and computing power, making it worthwhile for hackers to only crack the simplest and shortest passwords.

Nowadays, however, password cracking software is much more advanced. It significantly narrows down possible alphanumeric combinations by analyzing and inputting common patterns, saving hackers time and resources. Advanced password crackers can predict punctuation and capitalization patterns based on always-improving rulesets, dictionaries, and the growing number of leaked and cracked password lists.

How to make strong passwords

To combat these advancements, today's passwords need the following traits:

  • At least 12 characters long is recommended, 8 at the minimum
  • A combination of both upper- and lower-case letters, numbers, and symbols
  • Random enough that they do not contain any predictable sequence

This tool accomplishes all of the above in one easy step. You may generate as many passwords as you like.

And most likely, you'll need several. Experts recommend a unique password for every account. Even if you have a strong password, it could still be leaked to hackers in a breach unbeknownst to you. If you use the same password across multiple accounts, all of those accounts would then be at risk.

Password managers

Memorizing all of those passwords is a tall order. If you struggle to remember all of them, try using a password manager. A password manager is a piece of software, usually an app or browser extension, that securely stores all of your passwords in an encrypted format. Whenever you need to log into a website, you just need to enter a single master password, and the password manager will input the appropriate stored password on your behalf.

2SV and 2FA

Finally, we encourage you to enable two-step verification (2SV) or two-factor authentication (2FA) on all accounts that support them. These security measures require anyone logging into one of your accounts from a new or unfamiliar device to verify their identity through some alternative means. Two-step verification typically involves sending a one-use expiring PIN code to your email, SMS, or authentication app (Google Authenticator, Authy, et al). 2FA includes technologies like smart cards, Yubikeys, and biometric scans.

Read more: What is two factor authentication

More info about this tool

Our password creator is implemented entirely in client-side Javascript, and the whole password generation process takes place on your browser. We do not store anything and no data is transmitted over the internet.

All of the code used to build the password creator is our own, and the password checker is based on open-source code. Choosing characters is done via the Math.random() Javascript method. If too few numbers or symbols are present in the password variant, the Math.random method is used again to pick a numeric character to replace a non-numeric character in the password, and then the password characters are shuffled again using an algorithm based on Math.random. This process is repeated for symbols.

For passwords of at least 12 characters: Once the password string is obtained, a strength check is performed. If the check does not return a score of 100, the password is regenerated and checked again until a strength score of 100% is reached.

The 100% strength check is not enforced if the sum of the minimum number of symbols and the minimum number of digits equals the configured password length. For passwords under 12 characters, the strength score will be lower, and two passwords of the same length can have different strength scores.

The user may set the minimum number of numeric characters that should be present in the password. Be wary of setting this too high, however, as a password that contains too many numbers will actually make it weaker. Users can also check the box to remove ambiguous characters, which in certain fonts may look alike. These include: B8G6I1lO0QDS5Z2.

We remind users that hackers can get lucky and guess even the strongest of passwords. We make no guarantee that the passwords this tool generates will never be cracked.