In 2023, a security researcher bought a hard drive from eBay, ran a basic password recovery tool, and found the previous owner's banking login, email password, and Netflix credentials — all saved in plain text. The passwords? "fluffy123", "Password1!", and "david1985". Three passwords that a brute-force attack could crack in under a second.
I wish this were unusual. It's not. According to NordPass's annual report, "123456" has been the world's most common password for five consecutive years. "password" is second. "qwerty" is third. Millions of people are protecting their entire digital lives with passwords that offer essentially zero security.
Our free password generator creates truly random, strong passwords in one click. 12 characters, 16 characters, 20 characters — with uppercase, lowercase, numbers, and symbols mixed in patterns that would take a modern computer billions of years to crack. But understanding WHY your current passwords are probably terrible, and what actually makes a password strong, is just as important as the tool itself.
How Passwords Get Hacked
Before we talk about strong passwords, you need to understand how weak ones get broken. Hackers don't sit there guessing — they use automated tools and techniques:
1. Brute Force Attacks
The computer tries every possible combination. For a 4-digit PIN, that's 10,000 combinations — crackable in milliseconds. For an 8-character lowercase password, it's about 209 billion combinations. Sounds like a lot, but modern GPUs can test billions of combinations per second.
| Password Type | Possible Combinations | Time to Crack |
|---|---|---|
| 4-digit PIN | 10,000 | Instant |
| 6 lowercase letters | 309 million | Instant |
| 8 lowercase letters | 209 billion | Seconds |
| 8 mixed case + numbers | 218 trillion | Minutes to hours |
| 12 mixed case + numbers + symbols | 475 sextillion | Thousands of years |
| 16 mixed case + numbers + symbols | 10^30 | Billions of years |
The jump from 8 characters to 12 characters isn't a 50% improvement — it's an exponential one. Every additional character multiplies the difficulty by 70-95x depending on the character set.
2. Dictionary Attacks
Instead of trying every combination, the attacker tries common words, names, and known passwords. This is why "sunshine", "football", "charlie", and "princess" are terrible passwords — they're in every hacker's dictionary file. These files contain millions of entries including:
- Every English dictionary word
- Common names (first names, surnames, pet names)
- Previously leaked passwords from data breaches
- Common substitutions (p@ssw0rd, h3llo, l0v3)
- Keyboard patterns (qwerty, asdfgh, zxcvbn)
- Date patterns (01011990, 19851225)
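A defender-side check for the entry types listed above, as an added example that is not this site's code: it flags a candidate password that a dictionary attack would already cover. The wordlist is a small constructed sample, and the function and constant names are illustrative.

```javascript
// Added example. COMMON is a constructed sample built from passwords this
// article names; a real check would load a breached-password list (assumption).
const COMMON = new Set(["password", "qwerty", "sunshine", "football", "charlie",
  "princess", "liverpool", "arsenal", "chelsea", "dragon", "hello", "love",
  "iloveyou", "letmein", "fluffy", "david"]);
const KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const LEET = { "@": "a", "4": "a", "0": "o", "3": "e", "1": "l", "!": "i",
  "$": "s", "5": "s", "7": "t" };

// Reverse the character swaps listed above (p@ssw0rd -> password).
const unleet = (s) => [...s].map((ch) => LEET[ch] ?? ch).join("");

// True for runs along a keyboard row, forwards or backwards (qwerty, 654321).
function isKeyboardRun(s) {
  if (s.length < 4) return false;
  return KEY_ROWS.some((row) =>
    row.includes(s) || [...row].reverse().join("").includes(s));
}

// True for 8-digit strings that parse as DDMMYYYY or YYYYMMDD.
function looksLikeDate(s) {
  if (!/^\d{8}$/.test(s)) return false;
  const n = (a, b) => Number(s.slice(a, b));
  const ok = (d, m, y) =>
    d >= 1 && d <= 31 && m >= 1 && m <= 12 && y >= 1900 && y <= 2099;
  return ok(n(0, 2), n(2, 4), n(4, 8)) || ok(n(6, 8), n(4, 6), n(0, 4));
}

// Returns the reasons a password falls inside a dictionary attack's search
// space. An empty array means only that none of these rules matched.
function dictionaryFindings(password) {
  const lower = password.toLowerCase();
  const stripped = lower.replace(/[^a-z]+$/, ""); // drop trailing digits/symbols
  const candidates = [lower, stripped, unleet(lower), unleet(stripped)];
  const findings = [];
  if (candidates.some((c) => COMMON.has(c))) findings.push("common-word");
  if (isKeyboardRun(lower)) findings.push("keyboard-pattern");
  if (looksLikeDate(lower)) findings.push("date-pattern");
  return findings;
}
```

"Password1!" satisfies a typical upper/lower/number/symbol rule yet is still reported as a common word, which is why this kind of check belongs alongside any complexity rule.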
3. Credential Stuffing
When a website gets hacked and passwords are leaked, attackers try those same email/password combinations on other sites. If you use the same password for your email, Amazon, and banking — one breach compromises everything.
Major UK breaches in recent years include TalkTalk (157,000 customers), British Airways (380,000 card details), and Marriott (339 million guest records). If you had an account with any of these, your password is in a hacker's database.
4. Social Engineering
Attackers research you on social media and guess passwords based on personal information. Your dog's name, your birthday, your children's names, your favourite football team, your wedding anniversary — all commonly used in passwords, all easily found on Facebook and Instagram.
5. Phishing
Fake emails and websites that look legitimate trick you into entering your password. No amount of password strength helps if you type it into a fake site. Always check the URL carefully and never click password reset links in unexpected emails.
What Makes a Password Strong
A strong password has four qualities:
1. Length
This is the single most important factor. A 16-character password is exponentially stronger than an 8-character one, even if the 8-character one uses more complex characters. The UK's National Cyber Security Centre (NCSC) recommends a minimum of 12 characters. Our password generator defaults to 16 characters for maximum security.
2. Randomness
True randomness — not human-chosen "random." When humans try to be random, we're predictable. We capitalise the first letter, put numbers at the end, and substitute @ for a and 0 for o. Hackers know this. A computer-generated random password like "kQ7#mP2$xL9&nR4" is genuinely unpredictable.
3. Character Variety
Using all four character types maximises the possible combinations:
- Lowercase letters (a-z) — 26 characters
- Uppercase letters (A-Z) — 26 characters
- Numbers (0-9) — 10 characters
- Symbols (!@#$%^&*) — 30+ characters
Combined, that's 90+ possible characters per position. An 8-character password using all types has 90^8 = 4.3 quadrillion combinations.
4. Uniqueness
Every account should have a different password. Yes, every single one. If your email password is compromised and you use the same password for your bank, the attacker walks straight in. This is where password managers become essential (more on that below).
The UK's Most Common Passwords
According to the NCSC's analysis of breached passwords, the most common passwords used by UK residents include:
| Rank | Password | Time to Crack |
|---|---|---|
| 1 | 123456 | Instant |
| 2 | password | Instant |
| 3 | qwerty | Instant |
| 4 | liverpool | Instant |
| 5 | 123456789 | Instant |
| 6 | arsenal | Instant |
| 7 | 12345678 | Instant |
| 8 | charlie | Instant |
| 9 | chelsea | Instant |
| 10 | dragon | Instant |
Football teams, pet names, and simple number sequences dominate. If your password is on this list — or anything similar — change it immediately using our password generator.
Password Length: How Long Is Long Enough?
Different security experts recommend different minimums:
| Source | Minimum Recommendation |
|---|---|
| UK NCSC | 12 characters (or three random words) |
| NIST (US) | 8 characters minimum, 15+ preferred |
| Microsoft | 12 characters |
| | 12 characters |
| Security researchers | 16+ characters for sensitive accounts |
Our recommendation: 16 characters minimum for important accounts (email, banking, social media). 12 characters minimum for everything else. Our password generator lets you choose any length from 8 to 128 characters.
The Three Random Words Method
The UK's NCSC recommends an alternative to complex random passwords: three random words joined together. For example: "coffeetrampolineoctopus" or "purplebicyclewindow".
Why this works:
- Length — three words typically give you 15-25 characters
- Memorability — much easier to remember than "kQ7#mP2$xL9&"
- Strength — if the words are truly random (not related to you), the combination is very hard to guess
- Resistance to dictionary attacks — attackers would need to try every three-word combination from the entire dictionary
The key word is random. "iloveyou", "letmein", and "mypassword" are technically made up of several words, but they're in every hacker's dictionary. The words must be unrelated and not personally meaningful.
You can add numbers and symbols between words for extra strength: "coffee7trampoline!octopus" is even stronger while remaining memorable.
Password Managers: The Real Solution
The honest truth: you cannot remember unique, strong passwords for every account. The average person has 70-100 online accounts. A password manager solves this by:
- Generating unique random passwords for every account
- Storing them in an encrypted vault
- Auto-filling them when you log in
- Syncing across all your devices
- Alerting you if a password has been compromised in a breach
You only need to remember one master password — for the password manager itself. Make it strong (use the three random words method) and enable two-factor authentication.
Popular Password Managers
| Manager | Free Tier | Paid Price | Best For |
|---|---|---|---|
| Bitwarden | Yes (generous) | $10/year | Best free option |
| 1Password | No | $36/year | Families and teams |
| LastPass | Limited | $36/year | Browser integration |
| Dashlane | Limited | $60/year | VPN included |
| Apple Keychain | Yes (built-in) | Free | Apple ecosystem users |
| Google Password Manager | Yes (built-in) | Free | Chrome/Android users |
Even a free password manager is infinitely better than reusing passwords or writing them on sticky notes.
Two-Factor Authentication (2FA)
A strong password is your first line of defence. Two-factor authentication is your second. Even if someone steals your password, they can't log in without the second factor — usually a code from your phone.
Types of 2FA:
- SMS codes — a text message with a 6-digit code. Better than nothing but vulnerable to SIM swapping
- Authenticator apps — Google Authenticator, Microsoft Authenticator, or Authy generate time-based codes. Much more secure than SMS
- Hardware keys — physical USB devices like YubiKey. The most secure option
- Biometrics — fingerprint or face recognition on your device
Enable 2FA on every account that supports it, especially email, banking, and social media. Your email is the master key — if someone accesses your email, they can reset passwords for everything else.
What to Do If Your Password Is Compromised
- Change the password immediately — use our password generator to create a new one
- Change it everywhere you used it — if you reused the password (we've all done it), change every account
- Enable 2FA — add two-factor authentication to the compromised account
- Check for unauthorised activity — review recent logins, transactions, and sent emails
- Check Have I Been Pwned — visit haveibeenpwned.com to see if your email appears in known breaches
- Consider a password manager — prevent this from happening again
UK Cyber Security Statistics
The scale of the problem in the UK is staggering:
- 39% of UK businesses identified a cyber attack in 2023 (Cyber Security Breaches Survey)
- 83% of attacks were phishing attempts
- Average cost of a cyber breach for a UK small business: £4,960
- Average cost for a large business: £19,400
- 31% of businesses and 26% of charities report being breached at least once a week
- Only 37% of UK businesses have a formal cyber security policy
For individuals, the risks are equally real. Identity theft, financial fraud, and account takeovers all start with compromised passwords.
Password Requirements by Website
Different sites have different requirements, which is why our password generator lets you customise:
| Site/Service | Minimum Length | Requirements |
|---|---|---|
| | 8 | Mix of letters, numbers, symbols |
| Apple ID | 8 | Upper, lower, number required |
| Microsoft | 8 | Upper, lower, number, or symbol |
| | 6 | Mix of characters recommended |
| Amazon | 6 | At least 6 characters |
| UK Banking (typical) | 8-12 | Varies by bank, often restrictive |
| NHS Login | 8 | Upper, lower, number required |
| HMRC | 8 | Upper, lower, number required |
Passwords You Should Never Use
- Your name, partner's name, children's names, or pet's name
- Your birthday, anniversary, or any personal date
- Your address, postcode, or phone number
- Any single dictionary word, even with number substitutions
- Keyboard patterns (qwerty, 123456, asdfgh)
- The word "password" in any form
- Your username or email address
- Any password you've used before
- Any password from a TV show, film, or book ("dracarys", "hodor")
- Your football team
Other Useful Security and Tech Tools
- QR Code Generator — create QR codes for WiFi passwords (share securely without typing)
- Random Name Picker — uses similar randomisation technology
- Word Counter — check password length and character counts
Try Our Free Password Generator
Stop using "password123". Stop reusing the same password everywhere. Our free password generator creates truly random, strong passwords in one click. Choose your length (8 to 128 characters), select which character types to include, and copy your new uncrackable password instantly. No sign-up, no data stored, completely free.
Frequently Asked Questions
What is a strong password?
A strong password is at least 12 characters long, uses a mix of uppercase, lowercase, numbers, and symbols, is randomly generated (not based on personal information), and is unique to each account.
How long should my password be?
At least 12 characters, ideally 16+ for important accounts like email and banking. Every additional character exponentially increases security. Our password generator lets you choose any length.
Is a password generator safe to use?
Yes — our generator runs entirely in your browser. No passwords are sent to any server, stored, or logged. The generation happens on your device using cryptographically secure randomisation.
Should I use a password manager?
Absolutely. It's the only practical way to use unique, strong passwords for every account. Even free options like Bitwarden or built-in browser managers are far better than reusing passwords.
What is two-factor authentication and should I use it?
Two-factor authentication (2FA) requires a second verification step beyond your password — usually a code from your phone. Enable it on every account that offers it, especially email, banking, and social media. It's the single most effective security measure after strong passwords.
How often should I change my passwords?
The NCSC no longer recommends regular password changes — frequent changes lead to weaker passwords. Instead, use strong unique passwords and only change them if you suspect a breach. Check haveibeenpwned.com regularly to see if your accounts appear in known data breaches.