How to generate a strong password (and what entropy means)
Length beats complexity. Here's the math, the actual number of bits you need, and why `correct horse battery staple` is stronger than `P@ssw0rd!`.
# What entropy actually measures
Password entropy is measured in bits. Each extra bit doubles the number of possibilities an attacker must try, so a 41-bit password takes twice as long to exhaust as a 40-bit one.
- 40 bits = ~1 trillion guesses. A single modern GPU cracks this in minutes.
- 60 bits = ~1 quintillion (10¹⁸). A determined attacker might spend months.
- 80 bits = ~1.2 × 10²⁴. Out of reach for anyone without state resources.
- 128 bits = practically infinite. The size of a symmetric encryption key.
The times above assume an offline attack against a leaked fast hash (MD5, SHA-1, NTLM). A slow, salted hash such as bcrypt, scrypt or Argon2 multiplies every one of them by thousands, and a rate-limited online login form is slower still.
# The math
For a random password from a character set of size N with length L:
entropy = L × log₂(N)
Per-character entropy by character set:
| Set | Size | Bits/char |
|---|---|---|
| Digits | 10 | 3.32 |
| Lowercase letters | 26 | 4.70 |
| Alphanumeric (mixed case) | 62 | 5.95 |
| Full ASCII printable | 94 | 6.55 |
So a 12-character password pulled from mixed-case alphanumeric = 12 × 5.95 ≈ 71 bits. Solid.
A 4-digit PIN = 4 × 3.32 ≈ 13.3 bits (10,000 possibilities). Trivial.
# Why "complexity rules" lie
Most password rules are theater:
- "At least one uppercase, one number, one symbol" — the attacker knows the rule too and only tests candidates that satisfy it, so the rule shrinks the space they must search rather than growing it. Users satisfy it predictably (capital first, digit and `!` last).
- "Change every 90 days" — encourages predictable patterns (`Spring2024!`, `Summer2024!`) that a cracker models as word + year + symbol.
- "No dictionary words" — but `correct horse battery staple` (xkcd's classic) is ~44 bits, stronger than most "complex" 8-character passwords.
What actually matters is unpredictability + length. Entropy doesn't care what the characters are, only how many equally-likely options exist and whether each one was actually picked at random.
# The xkcd passphrase trick
4 random words from a 2048-word dictionary = 4 × log₂(2048) = 44 bits.
6 random words = 66 bits (77 bits with the 7776-word Diceware list). Close to unguessable, still easy to type.
<div class="callout callout-tip" role="note"><div class="callout-title">Tip</div><div class="callout-body"><p>The key word is <strong>random</strong>. If you pick the words from your favorite song, a novel, or a movie, you're not getting 44 bits — you're getting maybe 15 because the space of "memorable phrases" is tiny. Use a diceware list or a password manager.</p></div></div>
# Recommended by use
| Use case | Length | Character set | Notes |
|---|---|---|---|
| Website, low-value | 12 | Alphanumeric | ~71 bits |
| Website, high-value | 16 | Full ASCII | ~105 bits |
| Email / password manager master | 20+ | Full ASCII or 6-word passphrase | Critical; never reuse |
| Encryption key | 32+ | Full ASCII | 200+ bits |
# How our password generator works
Our password generator uses crypto.getRandomValues(), the browser's cryptographically secure random source (not Math.random(), which is fast but not designed to be unpredictable). Every bit is generated locally; nothing is sent over the network.
You can customize length (8–128), character set (digits, lowercase, uppercase, symbols), and exclude ambiguous characters (1/l/I, 0/O) for typed-from-paper use cases.
# Check an existing password
Paste into our Password Strength Checker to see:
- Estimated entropy in bits
- Time to crack at various attacker budgets
- Specific weaknesses (dictionary words, keyboard patterns, common substitutions)
All computed locally. We literally cannot see your password.
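As an added example (not the site's Password Strength Checker), the block below shows the shape of such a check: it undoes the substitutions every cracking wordlist already applies, looks for dictionary words and keyboard runs, prices the password with a crude token model instead of the naive length × log₂(N) formula, and converts the result into crack time at a few attacker budgets. The word list, substitution table, keyboard rows and guesses-per-second figures are constructed for illustration and far smaller or rougher than anything a real checker uses; the token model (a matched word costs log₂ of the list size plus one bit per substituted or capitalised character) is a simplification in the spirit of zxcvbn, not its algorithm.

```javascript
// Added example, not the site's checker: a simplified strength check covering the
// three outputs the page lists (entropy estimate, crack time per budget, weaknesses).
// Word list, leet map, keyboard rows and guess rates are constructed for illustration.
const SMALL_DICTIONARY = ["password", "letmein", "welcome", "dragon", "monkey", "qwerty", "summer", "spring"];
const LEET_MAP = { "@": "a", "4": "a", "3": "e", "1": "l", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
// Guesses per second: assumed order-of-magnitude figures, not measurements. Offline
// rates depend on the hash (bcrypt/Argon2 are orders of magnitude slower than MD5/NTLM).
const BUDGETS = {
  "online, rate-limited": 1e2,
  "one GPU, fast hash": 1e10,
  "GPU cluster, fast hash": 1e12,
};

// Undo the character substitutions crackers try first. Each char maps to one char,
// so offsets in the result line up with offsets in the input.
function deLeet(pw) {
  return [...pw.toLowerCase()].map((c) => LEET_MAP[c] ?? c).join("");
}

// Size of the smallest set of classes that covers the password (naive model).
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 32;
  return n;
}

// Longest substring that walks along a keyboard row forwards or backwards.
function longestKeyboardRun(pw) {
  const s = pw.toLowerCase();
  let best = 0;
  for (const row of KEYBOARD_ROWS) {
    for (const r of [row, [...row].reverse().join("")]) {
      for (let i = 0; i < s.length; i++) {
        let len = 1;
        while (i + len <= s.length && r.includes(s.slice(i, i + len))) len++;
        best = Math.max(best, len - 1);
      }
    }
  }
  return best;
}

function findWeaknesses(pw) {
  const findings = [];
  const raw = pw.toLowerCase();
  const plain = deLeet(pw);
  for (const w of SMALL_DICTIONARY) {
    if (raw.includes(w)) findings.push(`dictionary word "${w}"`);
    else if (plain.includes(w)) findings.push(`dictionary word "${w}" hidden by substitutions`);
  }
  if (longestKeyboardRun(pw) >= 4) findings.push("keyboard pattern");
  if (/(.)\1\1/.test(pw)) findings.push("repeated character");
  if (/\d{2,4}[^a-zA-Z0-9]?$/.test(pw)) findings.push("trailing digits (year/counter)");
  return findings;
}

// Crude token model: a matched word costs log2(list size) bits plus one bit per
// substituted or capitalised character (an assumption for illustration); whatever
// is left over is priced per character. Never report more than the naive figure.
function estimateBits(pw) {
  if (!pw) return 0;
  const perChar = Math.log2(charsetSize(pw));
  const naive = pw.length * perChar;
  const plain = deLeet(pw);
  const word = SMALL_DICTIONARY.find((w) => plain.includes(w));
  if (!word) return naive;
  const start = plain.indexOf(word);
  const span = pw.slice(start, start + word.length);
  const substituted = [...span].filter((c) => LEET_MAP[c] !== undefined).length;
  const capitalised = span !== span.toLowerCase() ? 1 : 0;
  const modeled = Math.log2(SMALL_DICTIONARY.length) + substituted + capitalised + (pw.length - word.length) * perChar;
  return Math.min(naive, modeled);
}

// On average an attacker finds a random secret after searching half the space.
function secondsToCrack(bits, guessesPerSecond) {
  return Math.pow(2, bits - 1) / guessesPerSecond;
}

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60], ["seconds", 1]];
  for (const [name, span] of units) if (seconds >= span) return `${(seconds / span).toPrecision(3)} ${name}`;
  return "instant";
}

function checkPassword(pw) {
  const bits = estimateBits(pw);
  const crackTime = Object.fromEntries(
    Object.entries(BUDGETS).map(([label, rate]) => [label, humanize(secondsToCrack(bits, rate))]),
  );
  return { bits: Number(bits.toFixed(1)), crackTime, weaknesses: findWeaknesses(pw) };
}

console.log(checkPassword("P@ssw0rd!"));
console.log(checkPassword("Spring2024!"));
```

The naive formula rates `P@ssw0rd!` at about 59 bits (nine characters from a 94-symbol set); the token model prices it at roughly 13, because "password" with two substitutions and a capital is one guess from a tiny list, not nine independent draws. The gap between those two numbers is exactly why a checker that only counts character classes is misleading.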
# The only real advice
1. Use a password manager. Generate 20+ character random passwords for everything.
2. Make the master password a 6-word passphrase. Memorize that one.
3. Enable 2FA everywhere it's offered.
Everything else is detail.
# Related tools
- Password Generator
- Password Strength Checker
- Hash Generator — for understanding how passwords are stored
# Frequently asked questions
**Is `P@ssw0rd!` a strong password?**
No. Substitutions like @ for a and 0 for o are part of every cracking dictionary. `P@ssw0rd!` falls in seconds.
**How many bits of entropy do I actually need?**
~60 bits for ordinary personal accounts (survives an offline attack on a leaked database for months, even at fast-hash speeds). ~80 bits for high-value accounts. 128+ bits for encryption keys. Password managers generate 80+ by default.
**Are passphrases as good as random passwords?**
Yes, if they're genuinely random words from a big enough list. 6 random Diceware words ≈ 77 bits. Human-chosen phrases from song lyrics or movies are worth far less, around 15 bits, because the space of memorable quotations is tiny.