What Makes a Password Strong?
Password strength comes down to one concept: entropy — a measure of how unpredictable the password is. The higher the entropy, the longer a brute-force attacker must spend trying every possible combination.
Entropy = log₂(pool) × length
The pool is the number of distinct characters you allow. Lowercase only: 26. Add uppercase: 52. Add numbers: 62. Add common symbols: ~87 characters. A larger pool means more possibilities at every position. Each extra character of length multiplies the search space by the pool size: a 17-character password is 87× harder to brute-force than a 16-character one (for the same character set), not just a little harder.
Why length beats complexity
A 20-character lowercase-only password (pool 26) has ~94 bits of entropy. A 10-character all-sets password (pool 87) has ~66 bits. The longer, simpler password is exponentially harder to crack. This is why passphrases — strings of random words — can be both memorable and extremely secure.
What attackers actually do
Modern GPU rigs can attempt 10–100 billion guesses per second against stolen password hashes (offline attack). This generator's crack-time estimates use the conservative 10 billion/second figure. Against an online service with rate limiting, you need far less entropy — but since passwords often leak in database breaches, offline cracking speed is the correct threat model.
The three rules that actually matter
1. Use a different password for every account. When a site gets breached (and they all do eventually), a unique password limits the damage to that one site.
2. Use long, random passwords. 16+ characters, all character sets. Use this generator.
3. Store them in a password manager. You can't remember 80 unique strong passwords — no one can. A password manager does it for you.
Password Manager Comparison
Using a password manager is the single best thing you can do for your account security. Here's how the top options compare:
| Manager | Free tier | Open source | Zero-knowledge | Mobile | Passkey support |
|---|---|---|---|---|---|
| Bitwarden | ✓ Full | ✓ | ✓ | ✓ | ✓ |
| 1Password | ✗ Trial | ✗ | ✓ | ✓ | ✓ |
| NordPass | ✓ Limited | ✗ | ✓ | ✓ | ✓ |
| KeePassXC | ✓ Full | ✓ | ✓ (local) | Manual sync | ✗ |
All options above use end-to-end encryption — the provider cannot read your passwords. Bitwarden is recommended for most users (free, open source, audited). 1Password is preferred by IT teams for sharing and audit features.
Frequently Asked Questions
crypto.getRandomValues) and never contacts any server. You can disconnect from the internet and it will still work perfectly. The generated password exists only in your browser tab — it is never transmitted anywhere.

correct-horse-battery-staple. Its entropy comes from the word list size and the number of words. A 5-word passphrase from a 300-word list gives ~40 bits; from a 7776-word Diceware list it gives ~64.6 bits. Passphrases have the advantage of being typeable and memorable — ideal for master passwords you must enter from memory.

log₂(pool_size) × length. Pool size is the count of distinct characters available given your selected character sets (26 + 26 + 10 + ~25 symbols = ~87 max). Crack-time estimates assume an offline attacker running at 10 billion guesses/second — the realistic threat model for leaked hash databases. Labels: Weak <40 bits, Fair 40–59, Strong 60–79, Very Strong 80+.
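
The entropy formula, the 10 billion guesses/second assumption and the strength labels described on this page, combined with character selection through crypto.getRandomValues, as an added example that is not this generator's own code. The 25-character symbol set, the function names and the rejection-sampling step are assumptions of the example.

```javascript
// Added example, not the generator's own code.
// SETS.symbols is an assumed 25-character set; the page only says "~25 symbols".
const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?/~",
};
const GUESSES_PER_SECOND = 1e10; // the page's offline-attack figure (10 billion/s)

// Web Crypto is global in browsers and current Node; older Node exposes it via require.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Uniform integer in [0, n) by rejection sampling. A plain `value % n` would
// favour low indices whenever n does not divide 2^32 (modulo bias).
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Each character is drawn independently and uniformly, which the formula requires.
function generatePassword(length, setNames) {
  const pool = setNames.map((name) => SETS[name]).join("");
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// Entropy = log2(pool) * length. The same formula covers passphrases, where
// pool is the word-list size and length is the number of words.
function entropyBits(poolSize, length) {
  return Math.log2(poolSize) * length;
}

// Labels as listed on the page: Weak <40, Fair 40-59, Strong 60-79, Very Strong 80+.
function strengthLabel(bits) {
  if (bits < 40) return "Weak";
  if (bits < 60) return "Fair";
  if (bits < 80) return "Strong";
  return "Very Strong";
}

// Seconds to try the whole keyspace at the assumed rate (the average case is half).
function worstCaseCrackSeconds(bits) {
  return 2 ** bits / GUESSES_PER_SECOND;
}
```

The entropy figure describes the generation process, so it applies only to passwords produced this way, not to a human-chosen string of the same length.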