How to create a strong, secure password
Weak passwords are the single most common entry point for account takeovers, yet most people still reuse the same few across dozens of sites. In this guide you will learn exactly what separates a strong password from a weak one, the mistakes to avoid, and practical tools — including Carbide's free, offline Password Generator and Secure Notes — that make better habits easy to keep.
What actually makes a password strong
Three factors matter most: length, character variety, and true randomness. A password shorter than 12 characters can be cracked by brute force in minutes on modern hardware. Mixing uppercase, lowercase, digits, and symbols multiplies the search space dramatically. Most importantly, the password must be random — not a word, a name, a date, or any pattern a human would naturally choose. Carbide's Password Generator creates cryptographically random passwords up to 64 characters long, entirely on your device. It never sends your output anywhere, so nothing you generate ever leaves your phone.
Common mistakes that leave you exposed
Reusing a password across sites is the most dangerous habit: one breach exposes every account that shares it. Predictable substitutions — swapping 'a' for '@' or 'o' for '0' — are well known to attackers and add almost no real security. Passwords based on personal information (birthdays, pet names, favourite teams) are trivially guessable. Using sequential keyboard walks like 'qwerty' or '123456' is equally risky. If you want to verify that your password is genuinely complex, paste it into Carbide's Hash Generator to produce a SHA-256 fingerprint — a useful way to compare or log hashes without storing the raw password.
Password managers vs memorising
Nobody can memorise a unique, 20-character random password for every account they own. A reputable password manager generates and stores them for you behind one strong master password. If you prefer to stay fully offline, Carbide's Secure Notes vault stores sensitive text on your device encrypted with AES-256, protected by a PIN or biometrics, and excluded from cloud backups. This gives you a private, offline notes vault that works without any account or subscription — completely free. The key principle is the same either way: one strong, unique password per service.
Passphrases as a practical alternative
A passphrase is a sequence of four or more unrelated common words — for example 'correct horse battery staple'. Length alone gives passphrases strong entropy: 40+ characters of real words is far harder to brute-force than an 8-character symbol soup, and far easier to type. The words must be chosen at random, not phrases you already use or lyrics you know. Passphrases work best for the few passwords you genuinely need to type regularly, such as your device unlock PIN, your password manager master password, or your email account. For everything else, let Carbide's Password Generator do the work.
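The length, variety and randomness factors from "What actually makes a password strong" and the passphrase advice above can be checked numerically. The following Python sketch is an added example, not Carbide's code: the function names are hypothetical, `SAMPLE_WORDS` is a constructed 16-word list, and 7776 is an assumed size for a full dice-style word list.

```python
import math
import secrets
import string

# The four character classes the guide lists: upper, lower, digits, symbols.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters

# Constructed 16-word sample list (assumption); real lists hold thousands.
SAMPLE_WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord",
                "garnet", "harbor", "ivory", "juniper", "kettle", "lagoon",
                "mantle", "nectar", "orchid", "pebble"]

def generate_password(length=16):
    """Random password from the OS CSPRNG containing every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        # Redraw the whole string on a miss: patching one position would bias it.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in CLASSES):
            return pw

def generate_passphrase(words, count=4, sep=" "):
    """Pick `count` words independently and uniformly from `words`."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)

if __name__ == "__main__":
    print(generate_password(16))
    print(generate_passphrase(SAMPLE_WORDS, 4))
    # Entropy counts random choices, not typed characters.
    for label, n, k in [("8 random characters", len(ALPHABET), 8),
                        ("16 random characters", len(ALPHABET), 16),
                        ("4 words, 7776-word list", 7776, 4),
                        ("7 words, 7776-word list", 7776, 7),
                        ("4 words, 16-word sample list", len(SAMPLE_WORDS), 4)]:
        print(f"{label:30} {entropy_bits(n, k):6.1f} bits")
```

Four words from a 7776-word list come to about 51.7 bits, close to 8 random printable characters at about 52.4, while seven words (roughly the 40+ characters mentioned above) reach about 90.5. The 16-word sample list yields only 16 bits for four words, which is why the size of the word list matters as much as the number of words.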
Frequently asked questions
- How long should a password be?
  At minimum 12 characters, but 16 or more is strongly recommended for any account that matters. Length is the single biggest factor in how long a brute-force attack takes. Carbide's Password Generator lets you set any length up to 64 characters with one tap.
- Is it safe to use a password generator app?
  Yes, provided the generator runs entirely on your device and does not send results to a server. Carbide's Password Generator is fully offline — it uses your device's own cryptographic random source and never connects to the internet, so your passwords stay completely private.
- What is the difference between a password and a passphrase?
  A password is typically a shorter string mixing characters and symbols. A passphrase is a sequence of four or more random words. Both can be strong; passphrases tend to be easier to remember while still providing high entropy due to their length.
- Should I store passwords in my phone's notes app?
  Plain text notes are not safe for passwords because they are unencrypted and often backed up to the cloud automatically. Instead, use Carbide's Secure Notes, which encrypts your text on-device with AES-256 and never syncs it anywhere — keeping your sensitive information private and offline.