Kordu Tools

Strong Password Generator: How to Create Uncrackable Passwords in 2026

Kordu Team · 2026-03-31

Key Takeaways

  • Use at least 16 characters. A random 8-character password falls to a single GPU in about 22 minutes.
  • Passphrases (4-6 random words) are easier to remember and often stronger than short complex passwords.
  • Password reuse is the biggest risk. One breach compromises every account sharing that password.
  • Enable two-factor authentication everywhere; it is your best defence even if a password leaks.

The Numbers Are Brutal

A random 8-character password using uppercase, lowercase, and digits has about 218 trillion combinations. A single RTX 4090 running hashcat cracks MD5 hashes at roughly 165 billion per second. Your 8-character password lasts about 22 minutes.

Bump to 16 characters: 47.6 sextillion combinations. Same GPU, roughly 9,000 years. Length is everything.

Over 5 billion compromised credentials circulate on the dark web (SpyCloud, Have I Been Pwned). If you have been online for more than a few years, at least one of your passwords has been exposed. Attackers do not guess one character at a time — modern cracking rigs test billions of hashes per second against weak algorithms.

Generate a Strong Password

Cryptographically random passwords and passphrases, generated locally in your browser using the Web Crypto API. Nothing is transmitted or stored.

What Makes a Password Strong

Password strength is entropy — the measure of unpredictability, in bits. Each additional bit doubles the number of combinations an attacker has to try.

Password Type                 | Example                               | Approx. Entropy | Crack Time (MD5, 1 GPU)
Common word                   | password123                           | ~20 bits        | Instant (in every dictionary)
8 chars, mixed case + digits  | kR7mPx2n                              | ~48 bits        | ~22 minutes
12 chars, mixed + symbols     | kR7$mPx2n!qL                          | ~79 bits        | ~centuries
16 chars, mixed + symbols     | kR7$mPx2n!qL#9wB                      | ~105 bits       | ~heat death of universe
4-word passphrase             | correct horse battery staple          | ~55 bits        | ~5 years
6-word passphrase             | timber clock prism wander olive ghost | ~78 bits        | ~centuries

Three factors:

Length matters most. A 16-character password is not twice as strong as an 8-character one — it is billions of times stronger. Each added character multiplies the search space by the size of the alphabet, so the space grows exponentially with length.

Randomness kills shortcuts. Humans capitalise the first letter, put numbers at the end, substitute @ for a. Attackers know all of this and try those patterns first. True random generation eliminates the shortcuts.

Character diversity helps, but less than you think. A 20-character lowercase-only password is stronger than an 8-character password with every character type.

Reuse is the real killer

A 32-character random password is worthless if you use it on multiple sites. When one service gets breached, attackers try the same credentials on banking, email, and social media within minutes using automated credential-stuffing tools.

Passwords vs Passphrases

A passphrase is 4-6 randomly selected words, like “timber clock prism wander.” The XKCD #936 argument: “correct horse battery staple” is both more memorable and harder to crack than “Tr0ub4dor&3.”

Passphrases win on: memorability, mobile typing, and avoiding character restrictions on poorly designed login forms. Each random word from a 7,776-word EFF dice list adds ~12-13 bits of entropy.

Passphrases lose on: length (slower to type than a shorter random string) and some services that impose frustrating 16-20 character caps.

A 6-word passphrase provides ~78 bits of entropy — comparable to a 12-character random password with mixed characters. For most people, that is more than enough.

Use random character passwords for high-security accounts (email, banking, password manager master password). Use passphrases for things you occasionally type manually.

Check If You Have Been Breached

Our breach checker queries Have I Been Pwned using k-anonymity — only the first 5 hex characters of the password’s SHA-1 hash are sent; the service returns every hash suffix sharing that prefix and the comparison happens in your browser, so your full password never leaves it.

If it finds a match: change that password immediately on every service where you used it, and set up two-factor authentication.

The Security Checklist

Use a password manager

A password manager generates, stores, and auto-fills unique random passwords for every account. You memorise one strong master passphrase. Good options: Bitwarden (open source, free tier), 1Password, KeePassXC (offline, open source).

Your master password should be your strongest — a 5-6 word randomly generated passphrase that you have memorised. Never store it digitally.

Enable two-factor authentication

2FA adds a second verification step. Even with your password, an attacker cannot get in without the second factor. Methods ranked best to worst:

  1. Hardware security keys (YubiKey, Titan) — phishing-resistant, fastest to use
  2. Authenticator apps (Aegis, Raivo, Google Authenticator) — TOTP codes that change every 30 seconds
  3. Push notifications (Duo, Microsoft Authenticator) — convenient but susceptible to MFA fatigue attacks
  4. SMS codes — better than nothing, but vulnerable to SIM-swapping

Enable 2FA on your email first. Email is the recovery mechanism for almost every other account — if an attacker controls your email, they control everything.

Stop rotating passwords on a schedule

NIST (SP 800-63B) and the UK’s NCSC have both retired the “change every 90 days” advice. Forced rotation leads to weaker passwords (people just increment a number). Change passwords only when you have reason to believe they are compromised.

Automate breach monitoring

Register your email addresses with Have I Been Pwned’s notification service. You get an alert when your address appears in a new breach — far better than discovering it months later by accident.

Recognise phishing

The strongest password is useless if you type it into a fake login page. Before entering credentials: verify the domain exactly (watch for paypa1.com), confirm HTTPS, and navigate to the site yourself rather than clicking email links.

Hardware security keys are the best anti-phishing measure: the credential is bound to the site’s origin, so the key will not produce a valid response for a look-alike domain and authentication on a fake site simply fails.

Four Steps, Done

Generate unique random passwords for every account. Store them in a password manager. Enable 2FA everywhere. Monitor for breaches. These four habits make you dramatically harder to compromise than the vast majority of internet users.