How to Create Strong Passwords (and Measure Them)
Why length beats complexity, how entropy really works, and how to generate and test passwords that resist modern brute-force attacks.
A strong password is one an attacker cannot guess in any practical amount of time. The single best measure of that is entropy — the number of bits of unpredictability.
Length beats complexity
Each added character multiplies the number of possible passwords by the size of the character set, which grows the search space far more than swapping a letter for a symbol does. A long, random passphrase usually beats a short, cryptic string of mixed characters.
As a rule of thumb:
- Under 40 bits of entropy → weak, crackable quickly
- 60–80 bits → strong for most accounts
- 80+ bits → effectively uncrackable by brute force today
Use a true random source
Human-chosen passwords cluster around predictable patterns. Generators that draw from crypto.getRandomValues produce uniform, unpredictable output an attacker cannot reproduce.
> Never reuse a password across sites. A single breach then unlocks everything.
Passphrases are easier to remember
Four or five random words ("river-quartz-helmet-lantern") can carry more entropy than a short symbol soup, while staying far easier to type and recall.
Generate, then verify
1. Generate a password or passphrase with a crypto-grade generator.
2. Check its entropy and estimated crack time.
3. Store it in a password manager — never in plain text.
Our tools do steps 1 and 2 entirely in your browser, so the password never leaves your device.
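The generate-then-verify steps above, as an added JavaScript example (not the code of the tools mentioned on this page): it draws symbols uniformly from crypto.getRandomValues using rejection sampling, computes entropy as count × log2(pool size), and rates the result against the rule-of-thumb bands. The "moderate" label for the unrated 40 to 60 bit range, the 62-character set and the 1e10 guesses-per-second rate are assumptions.

```javascript
// Added example: uniform picks via crypto.getRandomValues, then an entropy check.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or Node

// Uniform integer in [0, n) by rejection sampling: discarding values at or above
// the largest multiple of n avoids the modulo bias of a plain `value % n`.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError('n out of range');
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Pick `count` independent symbols (characters or words) from `pool`.
function pick(pool, count) {
  return Array.from({ length: count }, () => pool[randomIndex(pool.length)]);
}

// Entropy of a secret built from `count` uniform, independent picks out of `poolSize`.
// Valid only for generated secrets; it overstates human-chosen passwords.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

// Bands from the rule of thumb above. The 40 to 60 bit range is not rated there
// and is labelled "moderate" here as an assumption; 80 itself goes to the top band.
function rate(bits) {
  if (bits < 40) return 'weak';
  if (bits < 60) return 'moderate';
  if (bits < 80) return 'strong';
  return 'effectively uncrackable';
}

// Average time to find the secret: half the keyspace at an assumed guess rate.
function avgCrackSeconds(bits, guessesPerSecond = 1e10) { // 1e10/s is an assumption
  return 2 ** (bits - 1) / guessesPerSecond;
}

const CHARSET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; // 62 symbols
const password = pick([...CHARSET], 16).join('');
const bits = entropyBits(CHARSET.length, 16); // 16 * log2(62)
console.log(password, bits.toFixed(1), rate(bits), avgCrackSeconds(bits).toExponential(1), 's');
```

For a passphrase, pass the word list's size as `poolSize`: five words from a 7776-word list (an assumed list size) rate as strong, while eight characters from the 94 printable ASCII symbols fall in the unrated 40 to 60 bit range.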