Password security advice has changed dramatically in the last decade. The old rules — mix of uppercase and lowercase, at least one number, at least one special character — turned out to produce passwords that were hard for humans to remember but easy for computers to crack. The new rules are simpler: longer is stronger, random is better than memorable, and you should never reuse a password across sites. The right tool makes all three effortless.
Why length beats complexity
A password's strength is measured in entropy — roughly, how many guesses an attacker would need to crack it. A 6-character password with every character type (uppercase, lowercase, number, symbol) has about 30 bits of entropy. A 16-character lowercase password has about 75 bits. The longer password is billions of times harder to crack, even though it looks 'simpler'.
Aim for at least 16 characters for important accounts (email, banking, password manager). 12 is the absolute minimum. Length is the single biggest factor in password strength — every additional character multiplies the difficulty of cracking by the size of the character set.
Why random beats memorable
Humans are bad at generating randomness. We pick patterns — 'P@ssword1!', 'Spring2024!', the names of our pets with a number after. Attackers know this and prioritize these patterns in their cracking dictionaries. A truly random password like 'kT9#mP2$vL7nQ4xR' has no pattern to exploit and is genuinely hard to crack even with massive computing power.
The catch: random passwords are impossible to remember. The fix: a password manager. Generate a strong random password for every site, store it in a password manager (Bitwarden, 1Password, Apple Passwords, etc.), and only memorize the master password. You'll have a unique, uncrackable password on every site and you'll never have to remember any of them.
How to generate a secure password
WheelsHub's Password Generator uses the browser's cryptographically secure random source (the same one used for encryption keys) to produce truly random passwords. You control the length, the character sets (uppercase, lowercase, numbers, symbols), and whether to exclude look-alike characters (0/O, 1/l/I) for readability.
1. Open WheelsHub's Password Generator.
2. Set length to at least 16 characters for important accounts (20+ for banking or email).
3. Enable all four character sets: uppercase, lowercase, numbers, symbols.
4. Optionally exclude look-alike characters if you'll be typing the password manually.
5. Click generate. Copy the password and paste it into your password manager — don't try to memorize it.
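What a generator like this does under the hood, as an added example (a sketch, not WheelsHub's actual code): it draws from the browser's secure random source and uses rejection sampling so every character is equally likely. The `SETS` contents, the symbol list and all function names are assumptions made for the illustration.

```javascript
// Added example: sketch of a browser-style generator, not WheelsHub's code.
// Browsers expose globalThis.crypto; the require() fallback covers older Node.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const SETS = { // assumed character sets; the symbol list is illustrative
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?",
};
const LOOKALIKES = new Set("0O1lI"); // the look-alike characters the article names

// Build the alphabet from the selected sets, optionally dropping look-alikes.
function buildAlphabet(sets, excludeLookalikes = false) {
  const chars = sets.map((name) => SETS[name]).join("");
  return [...chars].filter((c) => !(excludeLookalikes && LOOKALIKES.has(c)));
}

// Uniform integer in [0, n) by rejection sampling: a plain `byte % n` would
// favour the low indexes whenever 256 is not a multiple of n.
function randomIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, sets, excludeLookalikes = false) {
  const alphabet = buildAlphabet(sets, excludeLookalikes);
  if (alphabet.length === 0 || alphabet.length > 256) throw new RangeError("bad alphabet");
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

const all = ["upper", "lower", "digits", "symbols"];
console.log(generatePassword(20, all, true));
console.log(entropyBits(20, buildAlphabet(all, true).length).toFixed(1), "bits");
```

`entropyBits(16, 26)` and `entropyBits(5, 10000)` give the article's figures of about 75 bits for 16 lowercase characters and about 66 bits for a 5-word passphrase.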
The single most important password habit: never reuse a password across sites. If one site gets breached (and they do, constantly), attackers will try that password everywhere else. A password manager makes unique-per-site passwords effortless.
Passphrases: the alternative for passwords you must memorize
For the one password you have to memorize — your password manager's master password — a passphrase is better than a random string. A passphrase is four or five random words joined together: 'correct-horse-battery-staple' style. A 5-word passphrase from a 10,000-word list has about 66 bits of entropy, which is strong, and it's actually memorable — unlike 'kT9#mP2$vL7nQ4xR'. Use a passphrase for your master password and random strings for everything else.
What makes a password weak
- Short — under 12 characters is crackable in hours with modern hardware
- Reused — the same password on multiple sites means one breach compromises all of them
- Pattern-based — 'Word + Number + !' is in every cracking dictionary
- Personal — names of pets, kids, partners, or birthdates are easily found on social media
- Common — 'password', '123456', 'qwerty' are the first things attackers try
- Leaked — even a strong password, if it appears in a known breach database, is compromised
Beyond passwords: 2FA and passkeys
A strong password is necessary but no longer sufficient. Turn on two-factor authentication (2FA) for every account that supports it — especially email, banking, and your password manager. Even better, switch to passkeys where available: passkeys replace passwords entirely with a cryptographic key stored on your device, and they're immune to phishing. The future of authentication is passwordless, but until then, strong unique passwords plus 2FA is the gold standard.
Generating a secure password takes 10 seconds with the right tool. Using a password manager takes 30 minutes to set up and saves you hours every month. Both are some of the highest-leverage security investments you can make — far more effective than any antivirus software.