Many people still think password strength is mostly about adding a symbol, capitalizing one letter, or swapping an a for an @. Those tricks can help a little, but they are not the main event. The larger gain usually comes from length.
Why? Because every additional character multiplies the number of possible combinations an attacker has to search. A short password with forced complexity can still be relatively weak if it follows patterns people commonly choose. A longer credential creates far more room for randomness or uniqueness.
A practical rule of thumb
For high-value accounts like your primary email, banking, tax, or password manager account, longer is better. A long random password saved in a manager is a strong default. For accounts you need to type more often, a long passphrase can be a solid alternative.
What length feels reasonable?
- 10 to 12 characters: better than many legacy passwords, but not where you want to stay if the account matters.
- 14 to 18 characters: a healthier baseline for many mainstream accounts.
- 20+ characters: an excellent target when a password manager is doing the remembering.
- 4 to 6 words: often a strong range for passphrases, depending on word choice and formatting.
If you want to make the easy choice, use the generator, set a longer length, copy the result, and store it in a password manager. That removes the temptation to keep passwords short just so they are easier to remember.
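To put numbers on the length tiers above, the following added example (not the site's generator or any code from this page) computes the search space for each tier and generates a random password. It assumes every character or word is chosen uniformly at random, a 94-symbol printable ASCII alphabet, and a 7776-word list (the Diceware size); none of these values come from the page.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits, punctuation (assumed alphabet)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
LOWERCASE = string.ascii_lowercase
WORDLIST_SIZE = 7776  # assumption: Diceware-sized list, not named on the page


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy when each position is drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def min_length_for(bits: float, choices: int) -> int:
    """Smallest length that reaches `bits` of entropy with `choices` options per position."""
    return math.ceil(bits / math.log2(choices))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_tiers() -> dict[str, float]:
    """Entropy for the page's length tiers, plus a short 'complex' password."""
    return {
        "8 chars, all symbol classes": entropy_bits(len(PRINTABLE), 8),
        "12 chars, all symbol classes": entropy_bits(len(PRINTABLE), 12),
        "16 chars, all symbol classes": entropy_bits(len(PRINTABLE), 16),
        "20 chars, lowercase only": entropy_bits(len(LOWERCASE), 20),
        "20 chars, all symbol classes": entropy_bits(len(PRINTABLE), 20),
        "4-word passphrase": entropy_bits(WORDLIST_SIZE, 4),
        "6-word passphrase": entropy_bits(WORDLIST_SIZE, 6),
    }


if __name__ == "__main__":
    for label, bits in compare_tiers().items():
        print(f"{label:30s} {bits:6.1f} bits  (~2^{bits:.0f} guesses)")
    print("sample 20-char password:", random_password(20))
```

These figures are upper bounds: they hold only when the characters or words are picked at random, so a human-chosen password of the same length has a smaller effective search space.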