Security

Strong, memorable passwords: how to use a generator properly

Published 22 April 2026 · 6 min read

The password rules your bank gave you in 2008 are wrong. The sticky note under your keyboard is a well-known joke. The advice to change passwords every 90 days was quietly withdrawn by NIST years ago because it was making security worse, not better. And yet here we are, still typing Summer2024! into login boxes across the internet.

This post is the shortest honest explanation of what a good password actually is, why your instincts about "complexity" are mostly wrong, and how to use a password generator without making your life unbearable.

The myth: complexity is what matters

A generation of security training taught people that a strong password mixes upper case, lower case, numbers, and symbols. P@ssw0rd! ticks all those boxes. It's also, famously, one of the first things any cracker's dictionary tries. The complexity rules turned out to be the wrong unit of measurement.

What actually matters is entropy: the total number of possibilities an attacker has to search through, usually counted in bits, where each extra bit doubles the search space. You can raise entropy by adding character types, yes, but you raise it much faster by adding length. Each extra character drawn from a 95-symbol alphabet multiplies the search space by 95 (about 6.6 bits), whereas adding digits to the alphabet of a fixed-length password gains you less than a bit per position.

The comparison that makes it click

Short and "complex"
K9!mX$2
Long and simple
correct horse battery staple

The short one has about 46 bits of entropy (7 characters from a 95-symbol alphabet). The long one has about 44 bits if the attacker knows you drew four words from a 2,048-word list, so on paper the two are close. But the passphrase is trivially memorable, and adding words scales it: five words from that list give about 55 bits, six about 66, and five words from a 7,776-word Diceware list about 65. That is far beyond what online guessing through a rate-limited login form can reach, and comfortably out of reach for offline cracking of a properly hashed password. (Credential stuffing is a different attack: it replays passwords leaked from another site, and no amount of entropy helps if you reused the password.)

The famous xkcd comic that popularised this — "correct horse battery staple" — is genuinely correct. Four random common words is stronger, more memorable, and faster to type than most "complex" passwords.
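To make the comparison concrete, here is an added example (not code from the original post) that estimates entropy two ways: from how the password was generated, and the way a naive character-class strength meter would guess it. The guess rates are illustrative assumptions, not measurements.

```javascript
// Added example, not from the original post: two ways of estimating password
// entropy, so the gap between "looks complex" and "is hard to guess" is explicit.
// The only thing an attacker cannot know is the random choice that produced the
// password, so entropy depends on how it was generated, not on how it looks.

// Guess rates are illustrative assumptions, not measurements: a login form that
// rate-limits online guessing, versus offline cracking of a properly hashed
// (bcrypt/scrypt/Argon2-style) password dump.
const ONLINE_GUESSES_PER_SEC = 10;
const OFFLINE_GUESSES_PER_SEC = 1e5;

// Entropy of `length` characters drawn uniformly from `alphabetSize` symbols.
function charEntropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Entropy of `words` words drawn uniformly (with replacement) from a list of
// `listSize` words. This is the honest figure for a passphrase: an attacker who
// knows the construction searches word combinations, not characters.
function wordEntropyBits(words, listSize) {
  return words * Math.log2(listSize);
}

// What a naive "character class" strength meter assumes: every character was
// drawn uniformly from the union of the classes it can see. It cannot tell a
// random string from four dictionary words, so it overstates the latter badly.
function naiveMeterBits(password) {
  let alphabet = 0;
  if (/[a-z]/.test(password)) alphabet += 26;
  if (/[A-Z]/.test(password)) alphabet += 26;
  if (/[0-9]/.test(password)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(password)) alphabet += 33; // printable ASCII symbols, space included
  return charEntropyBits(password.length, alphabet);
}

// Expected time to hit the password: on average the attacker tries half the space.
function expectedCrackSeconds(bits, guessesPerSec) {
  return 2 ** (bits - 1) / guessesPerSec;
}

// The post's comparison, worked through. Results are in bits, or in years.
function comparison() {
  const secondsPerYear = 3.156e7;
  const fourWords = wordEntropyBits(4, 2048);
  return {
    shortComplex: charEntropyBits(7, 95),        // K9!mX$2, ~46 bits
    fourWords,                                   // correct horse battery staple, ~44 bits
    sixWords: wordEntropyBits(6, 2048),          // ~66 bits
    fiveDiceware: wordEntropyBits(5, 7776),      // ~65 bits
    meterSaysFourWords: naiveMeterBits("correct horse battery staple"), // ~165 bits, wrong
    fourWordsOnlineYears: expectedCrackSeconds(fourWords, ONLINE_GUESSES_PER_SEC) / secondsPerYear,   // tens of thousands of years
    fourWordsOfflineYears: expectedCrackSeconds(fourWords, OFFLINE_GUESSES_PER_SEC) / secondsPerYear, // a few years
  };
}
```

The last two numbers are the practical point: 44 bits is untouchable through a login form, but marginal against an offline attacker with a dump of weakly hashed passwords, which is why the post recommends five or six words rather than four.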

What actually makes a password strong in 2026

Modern guidance from NIST, NCSC (the UK's National Cyber Security Centre), and every serious security team converges on three rules:

  1. Length over complexity. 14+ characters is the comfortable minimum. 20+ is better. Symbols help but don't matter as much as people think.
  2. Unique per site. The single biggest risk isn't weak passwords, it's reused passwords. When a site gets breached, attackers try those credentials everywhere else. Unique passwords break that chain.
  3. Generated, not invented. Human-chosen passwords cluster around predictable patterns. A generator samples the full entropy space.

Notice what's missing from that list: forced rotation. If your password is strong and unique, changing it every 90 days just trains you to pick weaker ones you can remember. Only rotate if you suspect compromise.

Two flavours of generated password

Symbol-mix (for everything you don't type manually)

For logins you access through a password manager — which should be most of them — use fully random symbol passwords. They're unreadable, unmemorable, and that's fine because you're never typing them. The computer copies and pastes.

Symbol-mix example
fT9m-p2Kq!z7X$nWv3RaHc

22 characters of mixed case, digits, and symbols: around 140 bits, far beyond brute-force reach, and dictionary attacks don't apply because there is nothing dictionary-shaped in it. Stored in your manager, autofilled on the site, never seen by your eyes. A good password generator produces these with crypto.getRandomValues, the browser's cryptographically secure random source, rather than Math.random, and maps the random bytes onto the alphabet without modulo bias, so every character is equally likely and the output is safe for real use, not just a toy.

Passphrase (for things you type)

A handful of passwords you genuinely need to memorise: your master password for the password manager, your laptop login, your email recovery code. These need to be memorable and strong. Passphrases win.

Passphrase example
trellis sparrow mahogany clipper nine

Five random common words, 37 characters in total. The length is not what makes it strong: an attacker who knows it is made of words searches the word list, not the characters, so its strength comes from the number of words and the size of the list. Five words from a 7,776-word Diceware-style list give about 65 bits, roughly equivalent to a 10-character symbol-mix; from a 2,048-word list, about 55 bits. Memorable because of the mild visual imagery (trellis-sparrow is a picture you can see), and trivial to type compared to symbol-soup.

To build one, you don't actually need a dedicated tool. Any random word source will do, provided the randomness is the computer's and not yours: a list shuffler with a published word list pasted in gives you draw-five-random-words functionality, as long as it shuffles with a cryptographically secure random source. Take the words as they come. Rejecting draws that look odd, or picking the ones you like from a longer list, cuts the entropy you were counting on.

How to actually use a generator day to day

The workflow is boring, which is the point:

  1. Install a password manager. Any of the big ones: 1Password, Bitwarden, Apple Keychain, Google Password Manager. Don't overthink this.
  2. Set one strong passphrase as your master password. Memorise it.
  3. Every time you sign up for a new site, generate a fresh symbol-mix password and save it in the manager. Never type it; let autofill do the work.
  4. Over the next few months, log into your frequently-used sites, change old reused passwords one at a time to new generated ones, save each in the manager.
  5. Turn on two-factor authentication wherever it's offered. This matters more than passwords for the accounts that actually matter (email, bank, anything with payment details).

Don't do this: generate one "good" password and reuse it across sites. The point of generating is that every password is unique. Reusing even a strong password defeats the entire exercise.

FAQ that actually comes up

"Is it safe to generate passwords in a browser tool?"

Yes, provided the tool generates client-side using the browser's crypto.getRandomValues API and nothing is sent to a server. Our password generator does exactly that: the page is static HTML, the generation happens in your browser, the password never leaves your device. If you don't trust us, open your browser dev tools, watch the Network tab while you generate, and confirm that no request goes out; that's the whole point of client-side tools.

"What about the sites that demand symbols but also ban certain ones?"

The frustrating reality of 2026 is that many banks and legacy systems still enforce weird rules: "must contain symbol but not &", "max length 12", "must start with a letter". A good generator lets you toggle which symbol set to include and set the exact length, and when a rule demands at least one character of some class it should regenerate until the rule is met rather than patch a character into a fixed spot. Match the site's rules and move on. These restrictions are making your bank less safe, but there's nothing you can do about that one user at a time.

"Should I still change passwords regularly?"

Only when a site gets breached (enable breach alerts — most managers have them) or when you suspect a specific account is compromised. Routine rotation was retired from serious security guidance years ago.

"What if I forget my master password?"

Write it down and put it in a physical safe, or share it with a trusted person in a sealed envelope. Yes, really. The threat model for a password written in a safe in your house is "burglar who knows exactly what to look for" — vanishingly rare compared to "you forget your master password and lose everything."

Generate a password now

Password Generator — secure, client-side, customisable

List Shuffler — build a passphrase from a word list

Random Name Generator — quick source of memorable words

The one-sentence version

Use a password manager, generate a long unique password for every site, memorise one strong passphrase as your master, turn on two-factor for anything important, and stop rotating passwords unless something went wrong. That's the whole thing.

Everything else is noise.