You've probably been told to "make a strong password" hundreds of times. But what does strong actually mean? Is P@ssw0rd! strong? Is your dog's name plus your birth year secure? The answer might surprise you.
The Core Concept: Entropy
Password strength is measured by entropy โ a mathematical measure of how unpredictable the password is. The more possible combinations an attacker has to try, the more secure your password is.
Entropy is calculated as: bits = logโ(pool_size ^ length)
Where pool_size is the number of possible characters and length is the password length.
| Password | Pool Size | Length | Combinations | Strength |
|---|---|---|---|---|
dog | 26 | 3 | ~17,576 | โ Terrible |
P@ssw0rd | 72 | 8 | ~722 billion | โ ๏ธ Weak |
correct-horse-battery | 26+ | 21 | Astronomical | โ Strong |
x7Kp#2mQ!9vR$4nL | 94 | 16 | 10ยณยน | โ Very Strong |
Why "Clever" Passwords Fail
Modern password crackers don't just try random combinations โ they use sophisticated techniques:
- Dictionary attacks: They know that
passwordโP@ssw0rd!is a common substitution - Pattern recognition: Name + year combinations (e.g.
john1995) are enumerated trivially - Credential stuffing: If any site you've used was breached, those passwords are in attack databases
- Hybrid attacks: Combining dictionary words with numbers and symbols in every known pattern
The password P@ssw0rd! would be cracked in seconds by any serious attacker โ it's in every dictionary list ever built.
Length vs. Complexity
Here's a counterintuitive fact: length beats complexity. A 20-character lowercase password is stronger than an 8-character password mixing all character types.
Consider: adding one character to a password multiplies its combinations by the pool size. Extending a 12-character password to 16 characters is exponentially more effective than adding symbols to an 8-character one.
The ideal password: Long AND random AND uses mixed character types.
Recommendations by Account Type
- Social media, streaming: 12+ characters, mixed case + numbers
- Work accounts, banking: 16+ characters, include symbols
- Email account (your master key): 20+ characters, maximum complexity
- Password manager master password: 25+ characters โ memorize this one
Generate Strong Passwords Instantly
You don't need to invent passwords yourself โ that's how human patterns sneak in. Use a cryptographically random generator:
Our generator uses window.crypto.getRandomValues() โ the same API used in banking applications โ and runs entirely in your browser. No password is ever transmitted anywhere.
Store Passwords Safely
A strong password you can't remember is useless. Use a password manager:
- Bitwarden โ free, open-source, excellent
- 1Password โ paid, polished, team features
- KeePassXC โ fully offline, no cloud
With a password manager, you only need to memorize one strong master password. Every other account gets a unique, randomly generated password.
The Golden Rules
- ๐ Never reuse passwords across accounts
- ๐ Use at least 16 characters for important accounts
- ๐ฒ Use random generation, not human patterns
- ๐ Enable two-factor authentication (2FA) wherever possible
- ๐ฑ Store passwords in a password manager
- ๐ซ Never share passwords, even with support staff