JosephJ.in

How to Generate Secure Passwords That Are Actually Strong


Most people use passwords that are easy to guess. “password123”, pet names, birthdays — these can be cracked in seconds by modern brute-force tools. Here’s how to do better.

What Makes a Password Strong?

Password strength is measured in entropy — the number of bits of randomness. Higher entropy means more possible combinations to try. A strong password has:

  • Length — at least 16 characters. Each additional character multiplies the number of combinations by the size of the character set, so the search space grows exponentially with length.
  • Character variety — mixing uppercase, lowercase, numbers, and symbols multiplies the possibilities per position.
  • True randomness — human-chosen “random” passwords are predictable. Use a cryptographic random generator.

How Passwords Get Cracked

Attackers use several methods:

  • Dictionary attacks — trying common words, phrases, and known leaked passwords
  • Brute force — trying every possible combination (fast for short passwords)
  • Rule-based attacks — trying common substitutions like “p@ssw0rd” or “Password1!”
  • Credential stuffing — reusing passwords leaked from other breaches

Password Strength Levels

  • Weak (<40 bits) — crackable in minutes. Common words, short passwords.
  • Fair (40-60 bits) — might survive an untargeted attack but not a focused one.
  • Strong (60-80 bits) — good for most accounts. Would take years to brute-force.
  • Very Strong (80+ bits) — excellent. Use this level for email, banking, and password managers.

Best Practices

  1. Use a password manager — you only need to remember one master password
  2. Never reuse passwords — generate a unique one for every account
  3. Enable 2FA — even a strong password can be phished, but 2FA adds a second layer
  4. Use our generator — it uses the Web Crypto API for cryptographically secure randomness, right in your browser. Nothing is sent to any server.
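
The entropy measure, the strength levels, and the Web Crypto approach described above fit together as follows. This is an added example, not the site generator's own source: it draws characters with crypto.getRandomValues, uses rejection sampling so no character is favoured, and scores the result as length × log2(alphabet size). The 94-character alphabet and all function names are assumptions.

```javascript
// Added example; not the site generator's own source.
// Browsers and recent Node expose `crypto` globally; older Node needs the fallback.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Assumed alphabet: the 94 printable ASCII characters (no space).
const ALPHABET =
  'abcdefghijklmnopqrstuvwxyz' +
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
  '0123456789' +
  '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~';

// Entropy of a uniformly random password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Map entropy to the strength levels listed in this article.
function strengthLevel(bits) {
  if (bits < 40) return 'Weak';
  if (bits < 60) return 'Fair';
  if (bits < 80) return 'Strong';
  return 'Very Strong';
}

// Pick characters from CSPRNG bytes. Bytes at or above `limit` are discarded
// (rejection sampling), because `byte % n` alone would favour the first
// 256 % n characters of the alphabet.
function generatePassword(length = 16, alphabet = ALPHABET) {
  if (!Number.isInteger(length) || length < 1 || length > 1024) {
    throw new RangeError('length must be an integer from 1 to 1024');
  }
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet must have 2 to 256 characters');
  }
  const limit = 256 - (256 % alphabet.length);
  const buf = new Uint8Array(length * 2);
  const out = [];
  while (out.length < length) {
    webCrypto.getRandomValues(buf);
    for (const byte of buf) {
      if (byte < limit && out.length < length) out.push(alphabet[byte % alphabet.length]);
    }
  }
  return out.join('');
}

const bits = entropyBits(16, ALPHABET.length); // about 104.9 bits
console.log(generatePassword(16), strengthLevel(bits));
```

The entropy figure only holds for passwords produced this way; a human-chosen password of the same length and character mix has far less.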

Try it yourself

Use our free Password Generator — no signup, no ads interrupting your workflow.