What Makes a Password Strong?
Password strength is measured in entropy — the unpredictability of a password. A strong password is long, random, and uses a large character set. Modern brute-force attacks can try billions of passwords per second against hashed databases, so weak patterns fail quickly.
Password Security Best Practices
- Never reuse passwords — one breach exposes all accounts using the same password
- Use a password manager: 1Password, Bitwarden, Dashlane, or KeePass store unique passwords per site
- Enable 2FA/MFA: a compromised password is insufficient if 2FA is required
- Length over complexity: a 20-char password of letters is stronger than an 8-char with symbols
- This generator runs locally — passwords are generated in your browser and never sent to any server
Password Entropy by Length
- 8 characters: ~41 bits — crackable in seconds with GPU attacks on common hashes
- 12 characters: ~62 bits — stronger, but dictionary variants are still tested
- 16 characters: ~82 bits — very strong; months to crack via brute force
- 20+ characters: ~103+ bits — effectively uncrackable with current hardware
Is a random password or passphrase more secure?
Both can be highly secure — it depends on length and randomness. A random 20-character password has ~130 bits of entropy. A random 5-word passphrase has ~64 bits. However, passphrases are far easier to remember and type. For a master password manager password, a random 6-7 word passphrase is both memorable and very secure.
Should I use special characters in passwords?
Yes, when allowed. Adding symbols increases the character set from 62 (letters + numbers) to 94, multiplying possible combinations. However, some websites have character restrictions. Length matters more than character variety — a 20-char password of just letters is stronger than an 8-char password with symbols.