What actually makes a password hard to crack, common mistakes to avoid, and how to generate one in seconds.
Most account break-ins today don't come from someone guessing your password character by character - they come from credential stuffing: attackers take email and password pairs leaked in an unrelated data breach and try them on other sites, because so many people reuse passwords. A strong, unique password per account removes you from that attack entirely, regardless of how unguessable it feels to you personally.
Swapping "a" for "@" or adding one digit at the end of a word barely changes how long it takes to crack, because password-cracking tools already account for those substitutions. What actually matters is the total search space: each additional character multiplies the number of possible combinations. A random 16-character password is dramatically harder to brute-force than an 8-character one, even if the shorter one looks more "complex" with symbols.
Keyboard walks ("qwerty123"), a name plus a birth year, or a dictionary word with predictable substitutions are all in the wordlists attackers try first - they cost almost nothing to test even if they look random to a human. If a password is memorable to you because it follows a personal pattern, it is likely predictable to an attacker too.
A tool-generated random string packs the most entropy per character, which is ideal when you're using a password manager and never need to type or remember it. A passphrase of several unrelated words is a reasonable alternative for the handful of passwords you do need to type from memory, such as a device unlock code - length still matters more than the number of words looks.
12 characters is a reasonable minimum today; 16 or more is a safer target for anything sensitive, like your email or banking login, since that account is often the recovery path into everything else.
The most common reason people reuse passwords is that remembering a different strong password for every account isn't realistic. A password manager solves this - you only need to remember one master password, and it fills in a unique, generated password everywhere else.