SnoopTool
How-to

How to Generate a Strong Password

Length beats complexity. P@ssw0rd! is weak; four random words are not.

Use a random password of at least 16 characters from a generator, stored in a password manager — or, for passwords you must type from memory, a passphrase of 4–5 random words. Length matters far more than symbol substitution: P@ssw0rd! is weak because crackers try exactly those substitutions first, while correct-horse-battery-staple is vastly stronger despite looking simpler.

Last updated 17 July 2026 IST · Maintained by SnoopTool, a free online tools website with 165+ browser-based utilities.
Estimated offline crack time by password shape (fast attacker, 2026 hardware)
PasswordLengthEstimated time to crack
password8Instant
P@ssw0rd!9Under a minute
Priya@199510Minutes
Tr0ub4dor&311Hours
correct-horse-battery-staple28Centuries
k7$Rm2!qXz9@Lp4W16Centuries

Why P@ssw0rd! fools people and nobody else

The advice to swap letters for symbols is decades old and actively harmful, because it produces passwords that feel secure while remaining trivially crackable.

Cracking tools don't guess character by character. They run dictionary attacks with substitution rules built in — a → @, o → 0, i → 1, plus a capital at the front and a symbol at the end, because that's what humans do. P@ssw0rd! is one dictionary word with the three most predictable transformations applied. It falls in under a minute.

Meanwhile correct-horse-battery-staple has no dictionary word as its whole, and at 28 characters the brute-force space is astronomically larger. It looks simpler and is millions of times stronger.

What NIST actually recommends now

US NIST guidance (SP 800-63B) reversed the old orthodoxy, and most of the rules people still follow are the ones it dropped:

Passphrase or random string?

Both are strong. Choose based on whether you have to type it from memory.

Random string (k7$Rm2!qXz9@Lp4W) — for the ~60 site passwords your password manager fills automatically. You'll never type these, so unmemorability costs nothing.

Passphrase (4–5 random words) — for the handful you must know by heart: your password manager's master password, your laptop login, your phone. Pick the words randomly; a phrase from a song or film is in the dictionaries already.

Generate either with the password generator, which runs entirely in your browser — a password sent over the network to be generated is not a secret.

Tools used in this guide

Frequently asked questions

What makes a password strong?

Length, above all. A 16+ character random password or a 4–5 word random passphrase is strong; a short password with symbol substitutions is not. P@ssw0rd! cracks in under a minute because tools apply exactly those a→@ and o→0 substitutions from a dictionary. correct-horse-battery-staple at 28 characters would take centuries. Uniqueness per site matters just as much as strength.

How long should a password be in 2026?

16 characters minimum for ordinary accounts, 20+ for email and banking — your email is the reset path for everything else, so it deserves the strongest password you have. Each additional character multiplies the attacker's search space, which is why length beats complexity rules. If you're typing it from memory, use a 4–5 word passphrase instead.

Should I change my passwords every 90 days?

No. NIST explicitly reversed this advice because forced rotation makes security worse — people respond with Summer2026! followed by Autumn2026!, which is entirely predictable. Change a password when there's evidence it may be compromised: a breach notification, a suspicious login, or a shared device. Otherwise, a strong unique password plus 2FA beats rotation.

Are online password generators safe?

Only client-side ones. A generator that produces your password on its server has, by definition, transmitted your secret across the network and could log it. SnoopTool's password generator uses your browser's built-in crypto.getRandomValues(), so the password is created on your device and never sent anywhere. Verify any generator by going offline — a local one still works.

Need a tool we don't have yet?

Tell us what you're trying to do. We build the most-requested tools first — every SnoopTool utility is free, runs in your browser, and needs no sign-up.