How to Make a Strong Password (and Why Length Beats Symbols)
2026-05-29
Short answer: A strong password is a long, random one — length matters far more than cramming in symbols. The fastest private way to make one is ToolKoala's password generator, which builds it right in your browser so the password is never sent anywhere. For something you'll type by hand, a passphrase of 4+ random words is both strong and memorable.
Why length beats symbol-soup
The thing that actually makes a password hard to crack is entropy — a fancy word for "how many guesses an attacker has to try." Every extra character multiplies the number of possibilities, so length adds entropy fast.
Here's the uncomfortable truth: P@ssw0rd! looks clever but it's weak. Attackers know all the substitution tricks (a→@, o→0, s→$), and "password" is at the top of every cracking dictionary. Adding a symbol and a capital to a common word barely slows anyone down.
Compare that to four random words: velvet-anchor-puzzle-stove. It's longer, it has no dictionary phrase in it, and it's actually easier to remember. That's the whole game — randomness times length.
A quick rule of thumb:
- 12 characters is the floor for anything that matters.
- 16+ characters for important accounts (email, bank, password manager).
- A 4-word passphrase (5 words for the paranoid) when you have to type it often.
How to generate one (privately)
- Open ToolKoala's password generator.
- Pick a length — slide it to 16 or more for the random-string style.
- Or switch to passphrase mode for 4–5 random words.
- Copy it, paste it straight into the signup field, and store it (more on that below).
The generator runs entirely in your browser. There's no server call — you can open DevTools, watch the Network tab, and confirm nothing leaves your machine while it generates. That matters: a password you fetched from someone else's server is a password someone else's server has seen.
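The entropy arithmetic behind the length advice, together with a local generator of the kind described above, as an added example (not ToolKoala's code). The function names, the 94-character alphabet and the 8-word sample list are assumptions made for illustration; 7776 is the size of the EFF diceware list.

```javascript
// Web Crypto CSPRNG: global in browsers and current Node; older Node exposes it via require.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Entropy in bits of `count` independent, uniform picks from `poolSize` options.
// Valid only for randomly generated secrets, not human-chosen ones like P@ssw0rd!.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

// Uniform integer in [0, n) by rejection sampling, which avoids modulo bias.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) throw new RangeError('bad pool size');
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// 94 printable ASCII characters (codes 33..126), the "random string" style.
const PRINTABLE = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i));

function randomPassword(length, alphabet = PRINTABLE) {
  return Array.from({ length }, () => alphabet[randomIndex(alphabet.length)]).join('');
}

function randomPassphrase(words, wordList, sep = '-') {
  return Array.from({ length: words }, () => wordList[randomIndex(wordList.length)]).join(sep);
}

// Constructed 8-word sample list for demonstration only; a real list needs
// thousands of entries (the EFF diceware list has 7776).
const SAMPLE_WORDS = ['velvet', 'anchor', 'puzzle', 'stove', 'lantern', 'cobalt', 'meadow', 'thistle'];

// Entropy for the rule-of-thumb sizes on this page.
function report() {
  return {
    chars12: entropyBits(94, 12),  // ~78.7 bits
    chars16: entropyBits(94, 16),  // ~104.9 bits
    words4: entropyBits(7776, 4),  // ~51.7 bits
    words5: entropyBits(7776, 5),  // ~64.6 bits
  };
}

console.log(report(), randomPassword(16), randomPassphrase(4, SAMPLE_WORDS));
```

Each word from a 7776-word list adds about 12.9 bits and each printable character about 6.6, so compare options by total bits rather than by how complex they look.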
Honest alternatives and the storage catch
You don't strictly need a tool. Your browser (Chrome, Safari, Firefox) will suggest and save random passwords for free, and that's genuinely fine for most people. Dedicated password managers do it better:
- Bitwarden — free tier is generous, open-source, syncs everywhere.
- 1Password — ~$3/month, polished, great for families.
- KeePassXC — free, fully offline, you own the file.
You can also roll dice with the EFF word list (search "diceware") — slow but charmingly tamper-proof.
Here's the part nobody likes to say out loud: a generated password is only as safe as where you store it. A perfect 20-character random string written on a sticky note, or reused across ten sites, is worse than a mediocre password kept in a real manager. Generate it, store it in a manager, never reuse it, and turn on two-factor authentication. The generator is one link in the chain — not the whole chain.
FAQ
How long should a password be in 2026?
At least 12 characters, 16+ for anything important. Length buys you exponentially more protection than swapping letters for symbols.
Are passphrases really as safe as random passwords?
Yes, if the words are truly random and you use four or more. The correct-horse-battery-staple style works because the randomness, not the cleverness, is doing the work.
Is it safe to use an online password generator?
Only if it generates locally in your browser, like ToolKoala's does — you can verify in DevTools that nothing is sent. Avoid any generator that round-trips to a server.
Do I still need a password manager if I generate strong passwords?
Pretty much, yes. A strong password you can't remember is useless unless something stores it safely. Bitwarden's free tier is a fine place to start.
— Milo 🐨