How to Create a Strong Password (and Never Forget It)
A practical guide to password strength, entropy, and why a random password generator is safer than anything you can invent yourself.
Humans are bad at creating random passwords. We think in patterns — names, sports teams, years, keyboard walks like qwerty123. Attackers know this too. Their wordlists include millions of these patterns, and modern cracking tools try them all before attempting anything truly random. The only reliable solution is to stop inventing passwords and let a machine do it instead.
What makes a password strong?
For a randomly generated password, strength comes down to two things: length and character set size. Together they determine entropy, the number of bits of randomness in the password. The formula below only holds when every character is chosen uniformly and independently at random. Applied to a password a person made up, it badly overstates the strength, because the choices are not random and an attacker's wordlist exploits exactly that.
The formula: entropy = log₂(charsetSize) × length
| Character set | Size | Bits per character |
|---|---|---|
| Lowercase only (a–z) | 26 | 4.7 bits |
| Lower + upper | 52 | 5.7 bits |
| Lower + upper + numbers | 62 | 6.0 bits |
| Lower + upper + numbers + symbols | ~90 | 6.5 bits |
A 16-character password drawn from all four sets gives roughly 104 bits of entropy. Even at a trillion guesses per second, a rate that a multi-GPU cracking rig already exceeds today against a fast unsalted hash such as NTLM, exhausting that keyspace would take tens of times the age of the universe. That’s not a figure of speech. Against a slow password hash such as bcrypt or Argon2 the attacker manages only thousands of guesses per second per GPU, so the margin grows by orders of magnitude. Note that these numbers describe an offline attack on a stolen password hash; a live login form rate-limits an attacker after a handful of tries, which is why the real danger is a breach of the site’s database.
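The calculation behind the table and the 16-character figure, as an added example rather than code from the page or its generator. It uses BigInt so that a keyspace such as 90^16 is computed exactly instead of being rounded by floating point, and it generalises the same formula to passphrases by treating a word list as the alphabet (the 7776-word Diceware list is assumed as the example list). The guess rate of 10^12 per second and the 13.8-billion-year age of the universe are the inputs used for the comparison.

```javascript
// Added example (not the generator's own code): password entropy and
// exhaustive-search time from entropy = log2(alphabetSize) * length.

const SECONDS_PER_YEAR = 31557600n;            // Julian year, 365.25 days
const AGE_OF_UNIVERSE_YEARS = 13_800_000_000n; // about 13.8 billion years
const TRILLION = 10n ** 12n;                   // assumed guess rate: 10^12 per second

// Bits of entropy for `length` symbols, each drawn uniformly and independently
// from an alphabet of `alphabetSize` symbols. The alphabet can be characters
// (26, 52, 62, 90...) or the words of a passphrase list (7776 for Diceware).
function entropyBits(alphabetSize, length) {
  if (!Number.isInteger(alphabetSize) || alphabetSize < 2) throw new RangeError("alphabetSize must be >= 2");
  if (!Number.isInteger(length) || length < 1) throw new RangeError("length must be >= 1");
  return Math.log2(alphabetSize) * length;
}

// Number of candidate passwords, computed exactly.
function keyspaceSize(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Seconds needed to try every candidate at `guessesPerSecond` (a BigInt).
// The expected time to hit one random password is half of this. The figure
// only applies to an offline attack on a stolen hash; online logins are
// rate-limited long before these numbers matter.
function secondsToExhaust(alphabetSize, length, guessesPerSecond) {
  return keyspaceSize(alphabetSize, length) / guessesPerSecond;
}

function yearsToExhaust(alphabetSize, length, guessesPerSecond) {
  return secondsToExhaust(alphabetSize, length, guessesPerSecond) / SECONDS_PER_YEAR;
}

// How many times the age of the universe an exhaustive search would take.
function universeAges(alphabetSize, length, guessesPerSecond) {
  return yearsToExhaust(alphabetSize, length, guessesPerSecond) / AGE_OF_UNIVERSE_YEARS;
}

// The table's character sets at 16 characters, plus two passphrase sizes.
const rows = [
  ["lowercase only (a-z)", 26, 16],
  ["lower + upper", 52, 16],
  ["lower + upper + digits", 62, 16],
  ["all four sets (~90)", 90, 16],
  ["4 random Diceware words", 7776, 4],
  ["6 random Diceware words", 7776, 6],
];
for (const [name, n, len] of rows) {
  console.log(
    `${name.padEnd(26)} ${entropyBits(n, len).toFixed(1).padStart(6)} bits  ` +
    `${secondsToExhaust(n, len, TRILLION)} s  (${yearsToExhaust(n, len, TRILLION)} years at 10^12 guesses/s)`
  );
}
```

The passphrase rows are the instructive ones: four random Diceware words (about 52 bits) fall in under an hour at a trillion guesses per second, which is why that rate only looks harmless next to a 104-bit random string.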
Why “clever” passwords still fail
Substituting letters with numbers — p@ssw0rd — felt clever in 2005. Modern cracking tools apply thousands of substitution rules automatically. Your variant is almost certainly in their dictionary already.
Passphrases (four or more random words like correct horse battery staple) are better because they’re long enough to carry real entropy: a word picked uniformly from the 7776-word Diceware list contributes about 12.9 bits, so four words give about 52 bits and six about 78. But they require genuinely random word selection — dice or a CSPRNG, not your favourite song lyric or a line from a movie you love. If you can remember why you chose the words, they probably aren’t random enough.
The simplest fix: use a generator.
Using a random password generator safely
Our Random Password Generator uses the Web Crypto API (crypto.getRandomValues), which is backed by the same operating-system CSPRNG your browser relies on for TLS key material. This matters: Math.random() is a fast pseudo-random generator whose internal state can be recovered from a short run of its outputs, so anything built on it is predictable. It is fine for shuffling a card deck in a game and unfit for security-sensitive operations; getRandomValues is designed for exactly those. One detail a generator built on it can still get wrong is the mapping from random bytes to characters: taking a byte modulo the character set size makes some characters slightly more likely than others, so the mapping must reject out-of-range bytes and draw again.
A few things worth knowing:
- 16+ characters is the sweet spot for most accounts. Twelve characters from the full character set is already about 78 bits, out of reach for brute force even against a fast hash; 16 adds a comfortable margin and costs nothing when a password manager types it for you.
- Enable all character sets if the target system allows it. Some legacy apps reject certain symbols — if that happens, increase length to compensate rather than dropping character types.
- Store it in a password manager. A generated password is only useful if you can retrieve it later. Bitwarden is free and open source. 1Password and Dashlane are good paid options. A plain text file is not acceptable.
- One password per site. The main reason data breaches cause cascading damage is reuse. If one site gets hacked and your password leaks, it should not work anywhere else.
How the strength meter works
The tool shows entropy in bits alongside a strength rating. The bits are computed from the generator’s settings (character set size and length) with the formula above, so they describe the password the tool produced, not a password you typed in yourself, which would score far lower against a real wordlist attack:
- Weak — below 40 bits (short or limited character sets)
- Fair — 40–60 bits (adequate for low-stakes accounts)
- Strong — 60–80 bits (suitable for most important accounts)
- Very Strong — 80+ bits (cryptographically robust)
Aim for Strong or above for anything that matters. For a password manager’s master password, which you have to type from memory, a random passphrase of six or seven Diceware words (about 78 and 90 bits) is easier to remember than 30 random symbols and still rates Strong or Very Strong. For secrets that only a machine ever enters, such as encryption keys and service credentials, use maximum length with every character set enabled.
Privacy
Everything happens in your browser. The password is generated locally using your device’s entropy source and never transmitted. You could run the page offline and it would behave identically.
Try the Random Password Generator — generate a strong password in one click, copy it, and store it in your password manager.