How to Create a Strong Password
Current practical guidance on password length, uniqueness, password managers and multi-factor authentication.
Ready to use the tool? Try the free ToolBullet Password Generator — instant results, no sign up required.
Prioritise length, uniqueness and unpredictability
For a password used as the only authentication factor, NIST SP 800-63B-4 requires verifiers to set a minimum of at least 15 characters. When a password is used only as part of multi-factor authentication, the minimum may be at least eight. Services should permit at least 64 characters and should not impose mandatory mixtures of character types.
Use a password manager
A reputable password manager can generate and store a different random password for every account. Uniqueness matters because one breached password should not unlock other services. Do not make predictable variations of the same base password.
Use multi-factor authentication
MFA adds a separate barrier if a password is stolen. Prefer phishing-resistant options such as passkeys or hardware-backed security keys where supported; otherwise use the strongest option the service offers.
Generated passwords and passphrases
ToolBullet’s Password Generator uses browser cryptographic randomness and computes the search space for its selected character sets. Its Passphrase Generator selects independently from the EFF 7,776-word list. Search-space estimates assume the generated output is not predictably edited or reused.
Do not rely on a strength meter alone
A meter cannot know whether a password has been reused, leaked, based on personal information or captured by malware. ToolBullet’s tester is deliberately labelled as a heuristic and its search-space and crack-time values are upper-bound illustrations.
Sources and further reading
NIST SP 800-63B-4, UK NCSC three random words guidance, and EFF Dice-Generated Passphrases. Sources reviewed 23 June 2026.