Length Is the Most Important Factor
Research consistently shows that password length matters more than complexity. A 16-character password made of random characters is far harder to brute-force than an 8-character one full of symbols. Every additional character multiplies the number of possible combinations exponentially, making longer passwords dramatically more secure.
Use True Randomness, Not Patterns
Human brains are terrible at generating randomness. We unconsciously reuse patterns, birth years, and dictionary words even when we think we're being random. A cryptographic random generator — like the one in your browser's Web Crypto API — produces genuinely unpredictable output that no attacker can guess or model.
Mix Character Types Strategically
Including uppercase letters, lowercase letters, numbers, and special characters significantly increases the character space your password draws from. A password using all four types has a search space orders of magnitude larger than one using only lowercase letters. However, don't replace letters with predictable substitutions like @ for 'a' — attackers know those tricks.
Never Reuse Passwords Across Sites
A strong password used on multiple sites is still a vulnerability. If any one of those sites suffers a data breach, attackers will try your leaked credentials on every other service — a technique called credential stuffing. Each account deserves its own unique, randomly generated password.
Creating strong passwords doesn't have to be complicated. Use a browser-based generator that leverages cryptographic randomness, aim for at least 16 characters, and store the results in a reputable password manager.