What Actually Makes a Password Strong
Password strength comes down to one concept: **entropy** — a measure, in bits, of how many possible combinations an attacker would need to try to guess your password. High entropy means a long time to crack even with dedicated hardware.
The formula: if your password is drawn from an alphabet of N characters and has length L, the total number of combinations is N^L, and the entropy in bits is log2 of that, i.e. L × log2(N). Doubling the password length squares the search space. Adding character classes (uppercase, symbols) multiplies it.
Why "P@ssw0rd1" Is Weak Despite Meeting "Requirements"
Legacy password policies (minimum 8 characters, uppercase, number, symbol) created predictable patterns. Humans capitalise the first letter, add a number and ! at the end, and substitute obvious characters. Attackers built rule-based crackers that try these patterns first.
A password like P@ssw0rd1 is cracked in seconds by modern tools that start with dictionary words and apply mutation rules.
The Real Threat Models
**Online attacks** — an attacker tries passwords via a login form. Sites with rate limiting and lockouts make this slow. Even a 6-character random password survives most online attacks.
**Offline attacks** — an attacker who has obtained a site's password hashes tests guesses on their own hardware, with no rate limiting or lockouts. Here only length and randomness matter. Rough figures:
- 8 lowercase letters: cracked in seconds on a modern GPU
- 12 random lowercase letters: ~1 year on a modern GPU
- 16 random printable ASCII: effectively uncrackable with current hardware
- 20+ random characters from a full charset: cracking is mathematically infeasible
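The formula above and the crack-time list can be checked with a few lines of arithmetic. The following is an added example, not code from the page: it computes the keyspace N^L, the entropy L × log2(N), and the worst-case time to exhaust the keyspace at an assumed guess rate. The rate of 3 billion guesses per second is a constructed assumption for a single GPU against a fast unsalted hash; real rates vary by orders of magnitude with the hash algorithm.

```python
import math

# Entropy of a random password of length L over an alphabet of N characters:
# the keyspace is N^L and the entropy in bits is log2(N^L) = L * log2(N).


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords for the given alphabet and length (N^L)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 characters and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: L * log2(N)."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole keyspace at a constant guess rate.

    This is the worst case; on average the password is found after searching
    about half the keyspace.
    """
    return keyspace(alphabet_size, length) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit (e.g. '1.01 years')."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


# Assumed guess rate for one GPU against a fast unsalted hash. This is a
# constructed assumption for illustration only; slow hashes such as bcrypt
# or Argon2 reduce it by several orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 3e9

# Scenarios mirroring the list above: (description, alphabet size, length).
# 26 = lowercase letters, 95 = printable ASCII.
SCENARIOS = [
    ("8 lowercase letters", 26, 8),
    ("12 random lowercase letters", 26, 12),
    ("16 random printable ASCII", 95, 16),
    ("20 random printable ASCII", 95, 20),
]


def crack_time_table(rate: float = ASSUMED_GUESSES_PER_SECOND) -> list:
    """Return (description, entropy bits, worst-case crack time) for each scenario."""
    return [
        (desc, round(entropy_bits(n, l), 1), human_time(crack_time_seconds(n, l, rate)))
        for desc, n, l in SCENARIOS
    ]


if __name__ == "__main__":
    # Doubling the length squares the keyspace: 26^16 == (26^8)^2
    print("doubling length squares keyspace:", keyspace(26, 16) == keyspace(26, 8) ** 2)
    for desc, bits, t in crack_time_table():
        print(f"{desc:28s} {bits:6.1f} bits  {t}")
```

At the assumed rate, 8 lowercase letters fall in about a minute and 12 lowercase letters in about a year, while 16 printable-ASCII characters (roughly 105 bits) are out of reach by a factor of many trillions. The constant in `ASSUMED_GUESSES_PER_SECOND` is the only knob that moves these numbers; the exponent in the keyspace is what makes length decisive.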
The Two Approaches That Actually Work
**Option 1: Long random passwords** (managed by a password manager). Generate 20+ random characters from letters, numbers, and symbols. You don't need to memorise these — your password manager stores and fills them.
Example: x7K!mR2@qLpN9#sW4vYj
**Option 2: Diceware passphrases** (for passwords you need to type or memorise). Pick 5-6 random words from a word list. The security comes from the words being selected at random (by dice or a cryptographic random number generator), not from which words you happen to choose.
Example: correct-horse-battery-staple-lunar
A 5-word diceware passphrase has roughly 64 bits of entropy — equivalent to a 12-character random password, but far easier to remember and type.
How to Generate Strong Passwords Locally
The generator on this page lets you set:
- Length (we recommend 20+ characters for passwords in a manager)
- Character sets to include (uppercase, lowercase, numbers, symbols)
- Exclude ambiguous characters (0/O, 1/l) for passwords you might need to type
The generator runs entirely in your browser. Nothing is transmitted. The password exists only in your memory or your password manager.
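Both approaches above, and the three generator options, can be implemented in a few lines. This is an added example, not the page's own generator: it builds the character set from the selected classes, optionally drops the ambiguous characters, draws every character or word with `secrets.choice` (the operating system's CSPRNG) and reports the resulting entropy. The 16-word list is constructed for the demonstration; a real Diceware/EFF list has 7776 words, which is the figure the 64-bit estimate above relies on.

```python
import math
import secrets
import string

# Characters that are easy to confuse when reading or typing (0/O, 1/l/I, |).
AMBIGUOUS = set("0O1lI|")

# Constructed 16-word list for demonstration only. A real Diceware/EFF list
# has 7776 words, giving log2(7776) ≈ 12.9 bits per word instead of 4 here.
DEMO_WORDLIST = [
    "apple", "beacon", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def build_charset(lower=True, upper=True, digits=True, symbols=True,
                  exclude_ambiguous=False) -> str:
    """Assemble the alphabet from the selected character classes."""
    chars = ""
    if lower:
        chars += string.ascii_lowercase
    if upper:
        chars += string.ascii_uppercase
    if digits:
        chars += string.digits
    if symbols:
        chars += string.punctuation
    if exclude_ambiguous:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    if not chars:
        raise ValueError("select at least one character class")
    return chars


def random_password(length: int = 20, **options) -> str:
    """Uniformly random password; secrets.choice uses the OS CSPRNG, never random()."""
    if length < 1:
        raise ValueError("length must be at least 1")
    charset = build_charset(**options)
    return "".join(secrets.choice(charset) for _ in range(length))


def diceware_passphrase(words: int = 5, wordlist=DEMO_WORDLIST, sep: str = "-") -> str:
    """Passphrase of uniformly random words; the random selection is the secret."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def password_entropy_bits(length: int, charset_size: int) -> float:
    """L * log2(N) for a password of L characters drawn from N symbols."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """W * log2(list size) for W words drawn uniformly from the list."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    cs = build_charset(exclude_ambiguous=True)
    pw = random_password(20, exclude_ambiguous=True)
    print(pw, f"{password_entropy_bits(20, len(cs)):.1f} bits")
    pp = diceware_passphrase(5)
    print(pp, f"{passphrase_entropy_bits(5, len(DEMO_WORDLIST)):.1f} bits (demo list)")
    print(f"5 words from a 7776-word list: {passphrase_entropy_bits(5, 7776):.1f} bits")
```

Note that the entropy is computed from the generation parameters (alphabet size and length, or list size and word count), not from the output string: a passphrase's strength is a property of how it was chosen, which is why a hand-picked "random-looking" phrase cannot be credited with the same bits.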
Checking Your Password's Entropy
As a rough guide to the entropy figure a checker reports:
- **50+ bits** — adequate for low-value accounts
- **70+ bits** — recommended for email, banking, and social accounts
- **90+ bits** — appropriate for master passwords and encryption keys
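An entropy checker has to infer the alphabet from the password it is given, and that is exactly where "P@ssw0rd1" fools a naive meter. The following is an added example, not the page's own checker: it estimates entropy from the character classes present, maps the result onto the thresholds above, and additionally undoes common substitutions and checks the stripped base word against a small list of common words. That word list and the leet map are constructed for the demonstration; a real checker would use a large breached-password dictionary.

```python
import math
import re
import string

# Constructed demo list of common base words, for illustration only.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon", "football"}

# Undo the substitutions that rule-based crackers try first (@ -> a, 0 -> o, ...).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Thresholds from the guidance above; anything below 50 bits is weak.
LEVELS = [(90, "high"), (70, "recommended"), (50, "adequate")]


def inferred_charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def naive_entropy_bits(pw: str) -> float:
    """Entropy if every character had been chosen uniformly from the inferred alphabet."""
    n = inferred_charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def normalise(pw: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols, reverse leet substitutions."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return core.translate(LEET_MAP)


def is_mangled_dictionary_word(pw: str) -> bool:
    """True when the password is a known word dressed up with the usual mutations."""
    return normalise(pw) in COMMON_WORDS


def rate(pw: str) -> dict:
    """Return the naive bit estimate, a level per the thresholds above, and the reason."""
    bits = round(naive_entropy_bits(pw), 1)
    if is_mangled_dictionary_word(pw):
        return {"naive_bits": bits, "level": "weak",
                "reason": "dictionary word with predictable substitutions; crackers try these first"}
    level = "weak"
    for threshold, name in LEVELS:
        if bits >= threshold:
            level = name
            break
    return {"naive_bits": bits, "level": level, "reason": "charset-based estimate"}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "hunter2x", "x7K!mR2@qLpN9#sW4vYj",
                      "correct-horse-battery-staple-lunar"]:
        print(f"{candidate:36s} {rate(candidate)}")
```

Two things the output shows. "P@ssw0rd1" scores about 59 naive bits, which would pass as "adequate", yet normalises to "password" and is rated weak, matching the cracking behaviour described earlier. The opposite failure is the passphrase: charset inference credits it with roughly 199 bits because it sees 34 characters from lowercase plus a symbol, while its real entropy is the ~64.6 bits of the five-word selection. A meter can only bound entropy from the string; the trustworthy figure comes from knowing how the password was generated.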
What About Password Managers?
A password manager (Bitwarden, 1Password, KeePass) removes the need to remember passwords entirely. You only need one strong master passphrase — your vault then holds unique random passwords for every site. The tradeoff: a compromised master password or vault leak exposes everything. Bitwarden is open-source and allows self-hosting; KeePass stores your vault locally.
If you choose not to use a password manager, a Diceware passphrase is your best option for any password you need to remember.