Generating Secure Passwords: What Makes One Actually Strong

Password security advice has improved dramatically over the last decade, but a lot of outdated wisdom still circulates. Here's what the current understanding says about what makes a password genuinely hard to crack.

Entropy: The Real Measure of Strength

Password strength is measured in bits of entropy — the number of guesses an attacker would need to make on average. A password with N bits of entropy requires 2^N-1 guesses on average to crack by brute force.

Entropy depends on two things: the size of the character set you're drawing from, and the length of the password. The formula is:

entropy = length × log₂(character_set_size)

For example, a password using lowercase letters only (26 chars) at 12 characters long has about 56 bits of entropy. Add uppercase (52 chars) and it jumps to 61 bits. Add digits and symbols (94 printable ASCII chars): 79 bits. The key insight: length has a bigger impact than character set complexity.

Why Length Beats Complexity

Adding one character to a password multiplies the search space by the character set size. Adding a character set requirement (like "must include a symbol") only adds one forced character's worth of complexity. Going from 12 to 16 characters adds 4× more entropy than switching from letters-only to full ASCII at 12 characters.

This is why NIST's current guidelines (SP 800-63B) dropped mandatory complexity rules and focus on length instead. A password like correct-horse-battery-staple (a passphrase) is longer, more memorable, and cryptographically stronger than P@ssw0rd!.

Randomness Is Everything

A password is only as random as its source. Human-chosen passwords are predictable — people pick common words, add numbers at the end, capitalize the first letter, and use predictable substitutions like 3 for e. These patterns massively reduce the effective entropy.

A genuine random password generator uses a cryptographically secure random number generator (CSPRNG) — the OS's kernel entropy pool, not a seeded pseudo-random function. This means every character is chosen independently with equal probability from the character set. There's no pattern an attacker can exploit.

What Password Length to Use

General guidance for modern systems:

• Website accounts: 16+ characters with a password manager
• Admin accounts / privileged access: 20+ characters
• Encryption keys / master passwords: 25+ characters or a multi-word passphrase
• API keys and secrets: 32+ bytes of random data, often stored as Base64 or hex

Using a Password Manager

The only sane approach to modern password hygiene is a password manager. You use one strong master password and let the manager generate unique, random passwords for every site. Reusing passwords — even strong ones — is one of the most common causes of account compromise, because credential breaches from one site let attackers try those credentials everywhere else.

Use our Password Generator to create cryptographically secure passwords at any length with your choice of character sets. All generation happens in your browser — nothing is sent to a server.