mini-tools.dev

Secure Password Generator

Generate strong, random passwords directly in your browser.

What makes a password strong?

A password's strength comes down to one thing: how long it takes an attacker to guess it. This is determined by the size of the search space — the number of possible passwords of a given length and character set. The larger the search space, the longer the brute-force attack takes.

Length is the single most important factor. A 20-character password using only lowercase letters has more possible combinations (26^20 ≈ 19 quadrillion) than a 12-character password using all 94 printable ASCII characters (94^12 ≈ 475 trillion). More characters, even from a smaller set, beats a complex but short password every time.

Password entropy explained

Entropy measures randomness in bits. A password with N bits of entropy requires, on average, 2^(N-1) guesses to crack by brute force. Each additional character multiplies the search space by the size of the character set.

Character sets and their log2 values (bits per character):
  Digits only (10 chars):         log2(10) ≈ 3.32 bits/char
  Lowercase letters (26):         log2(26) ≈ 4.70 bits/char
  Mixed case (52):                log2(52) ≈ 5.70 bits/char
  Mixed case + digits (62):       log2(62) ≈ 5.95 bits/char
  All printable ASCII (94):       log2(94) ≈ 6.55 bits/char

Examples:
  8-char, digits only:      8 × 3.32 = 26.5 bits  — weak
  12-char, all ASCII:       12 × 6.55 = 78.6 bits  — moderate
  20-char, all ASCII:       20 × 6.55 = 131 bits    — strong
  32-char, all ASCII:       32 × 6.55 = 209 bits    — very strong

For most accounts, 80+ bits of entropy is considered strong. For high-value targets (server credentials, password manager master password), aim for 128+ bits. This tool shows entropy estimates to help you calibrate.

Length beats complexity

Older password policies required a mix of uppercase, lowercase, digits, and symbols in passwords as short as 8 characters. This leads to predictable patterns: Password1! technically satisfies the rule but has extremely low entropy because humans follow predictable substitution patterns (capital at the start, number near the end, symbol at the very end).

NIST's 2024 Digital Identity Guidelines (SP 800-63B) now explicitly state that composition rules are counterproductive — they increase cognitive load without meaningfully improving security. The updated guidance: minimum 15 characters, no mandatory complexity rules, check against known breached password lists, no forced periodic rotation.

Passphrases vs random passwords

A passphrase is a sequence of random dictionary words: correct-horse-battery-staple. A random password is a sequence of random characters: xK8#mP2$qL7@nR5!.

  • Passphrases — easier to remember, easier to type on mobile, less prone to transcription errors. A 4-word passphrase from a 7,776-word list (like EFF's wordlist) has ~51 bits of entropy; a 6-word passphrase has ~77 bits. Good for the rare password you need to type from memory (master password, disk encryption key).
  • Random passwords — higher entropy per character, not tied to dictionary words. Best for machine-managed credentials that you copy/paste from a password manager and never need to memorize.

Generated passwords only work with a password manager

A 32-character random password like Kq7#mX2$pL9@nR4&wT1!vJ8^ is genuinely strong, but useless if you write it on a sticky note or reuse it. The only practical way to use strong, unique passwords for every account is with a password manager (Bitwarden, 1Password, KeePass). Generate a long random password here, copy it into your manager, and never look at it again.

How this tool generates randomness

This tool uses the browser's Web Crypto API (crypto.getRandomValues()) to generate passwords. This API is backed by the operating system's cryptographically secure pseudorandom number generator (CSPRNG) — the same source of randomness used by cryptographic operations at the OS level. It is not predictable, not seeded from the clock, and not vulnerable to the weaknesses of Math.random(), which is explicitly not cryptographically secure.

All generation happens in your browser. No passwords are transmitted to any server, logged, or stored. The page can generate passwords entirely offline once loaded.