Password Security Isn't About Complexity — It's About Randomness


For years, the standard advice on passwords went something like this: use at least eight characters, include uppercase and lowercase letters, throw in a number and a special character, and don't use dictionary words. This advice was well-intentioned and almost entirely counterproductive, because it led millions of people to create passwords like P@ssw0rd1! and feel good about it.

The problem with that password isn't that it's short or that it lacks special characters. It has all the ingredients the rules demand. The problem is that it's predictable. It follows a pattern — capitalize the first letter, substitute @ for a and 0 for o, tack a digit and a symbol on the end — that anyone who has studied password datasets already knows about. Password cracking tools don't try every possible combination of characters at random. They start with dictionaries of common passwords, apply known mutation rules (letter-to-number substitutions, capitalization patterns, appended digits), and burn through millions of variations per second. A password that was constructed by a human following mental shortcuts is a password that was constructed the same way millions of other humans did, and cracking tools are built to exploit exactly that convergence.

What makes a password genuinely strong is entropy, which in this context means the amount of unpredictability in how it was generated. A twelve-character string of truly random letters, numbers, and symbols has high entropy because there's no pattern to exploit, no shortcut to narrow the search space. A twenty-character password made up of four random dictionary words — the "correct horse battery staple" approach popularized by the XKCD comic — also has high entropy, because the words are chosen randomly rather than by a human who would gravitate toward related or meaningful words.

The key in both cases is the word random. Not "random-ish." Not "I picked a word and swapped some letters." Actually random, as in generated by an algorithm drawing from a uniform distribution with sufficient entropy. When you use a password generator, you're getting output from a process that has no preferences, no habits, and no subconscious tendency to pick things that are easy to remember. That's exactly what you want, because anything easy for you to remember is likely easy for an attacker to guess.
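To make the entropy argument concrete, here is an added example (not code from the original post) that generates both kinds of password from the OS CSPRNG via Python's `secrets` module and computes the entropy of each construction; the eight-word list is a constructed stand-in for a real 7776-word list, and the dictionary and rule-count sizes used for the human-pattern case are illustrative assumptions.

```python
import math
import secrets
import string

# Printable ASCII pool (94 symbols) for random character passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy wordlist so the script runs stand-alone. A real list such as
# the EFF long list has 7776 words; the entropy figures below assume that size.
TOY_WORDLIST = ["correct", "horse", "battery", "staple",
                "anvil", "cobalt", "meadow", "quartz"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform draws from `pool_size` options."""
    return length * math.log2(pool_size)


def random_string(length: int, alphabet: str = ALPHABET) -> str:
    """Random character password. secrets.choice() samples uniformly from the
    OS CSPRNG, which is the 'actually random' property the article asks for."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist: list[str], count: int, sep: str = " ") -> str:
    """'correct horse battery staple' style passphrase: words are picked by the
    CSPRNG, so related or meaningful words are no likelier than any others."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def compare() -> dict[str, float]:
    """Entropy (bits) of the three constructions discussed in the article."""
    return {
        # 12 random printable ASCII characters
        "random_12_chars": entropy_bits(len(ALPHABET), 12),
        # 4 random words from a 7776-word list
        "passphrase_4_words": entropy_bits(7776, 4),
        # A human pattern like P@ssw0rd1!: one base word from a common-password
        # list plus one mutation rule. 10,000 words x 300 rules is an
        # illustrative assumption, not a measured figure.
        "human_pattern": entropy_bits(10_000 * 300, 1),
    }


if __name__ == "__main__":
    print(random_string(12))
    print(random_passphrase(TOY_WORDLIST, 4))
    for name, bits in compare().items():
        print(f"{name:20s} {bits:6.1f} bits")
```

The comparison shows why the rules-based password loses: a base word plus a substitution pattern is a single draw from a few million candidates, while twelve uniformly random characters or four uniformly random words are tens of bits harder to search.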

This creates an obvious tension: the best passwords are the hardest to remember. The practical solution is to use a password manager — a single encrypted vault protected by one strong master password that stores unique, randomly generated credentials for every account. The master password is the one you actually memorize, and it should be long (a random passphrase of four or five words works well) and used nowhere else. Every other password can be a random string of maximum length that you never even try to learn, because the manager handles it for you.

If you're not using a password manager yet, generating random passwords is still far better than constructing them yourself. Even without a vault, a randomly generated password written on a sticky note in your desk drawer is more secure than a "clever" password you reuse across five accounts, because the threat model for most people is remote attackers using credential-stuffing databases, not someone physically rifling through their office. The sticky note is low-tech, but it solves the right problem.

The bottom line is that your brain is a liability in password creation, for the same reasons it's a liability in any task requiring randomness. You'll pick meaningful numbers, you'll lean on familiar patterns, and you'll converge on the same choices as millions of other people. A password generator that uses cryptographically secure randomness sidesteps all of that. Let it do the work.
