BLOG
How to Generate Strong Passwords and Actually Stay Secure Online
The most common password in 2025, for the fifth year running, was "123456." The second was "password." The third was "123456789." These are not jokes. They come from analyses of billions of leaked credentials, and they mean that millions of people are essentially leaving their front door unlocked.
But even people who try to create "strong" passwords often do it wrong. Adding an exclamation mark to the end of your pet's name does not meaningfully improve security. Understanding why requires knowing how password cracking actually works.
How Attackers Crack Passwords
When a database of passwords gets leaked, the passwords are usually stored as hashes, one-way mathematical transformations that cannot be reversed directly. Attackers do not "decrypt" hashes. Instead, they try billions of possible passwords, hash each one, and check if the hash matches.
Brute force: Try every possible combination. For an 8-character password using lowercase letters only, that is 26^8 = 208 billion combinations. A modern GPU can hash about 10 billion MD5 hashes per second. So cracking an 8-character lowercase password takes about 20 seconds.
Dictionary attacks: Try common words, names, and known passwords first. Attackers use lists of billions of previously leaked passwords. If your password appears in any previous breach, it takes milliseconds to crack regardless of its complexity.
Rule-based attacks: Take dictionary words and apply common modifications: capitalize the first letter, add a digit at the end, replace "a" with "@", add "!" at the end. This is why "P@ssw0rd!" is not secure. Attackers know these patterns.
Credential stuffing: Try your leaked password from one site on other sites. Since 65% of people reuse passwords across multiple accounts, this works disturbingly often.
Password Entropy: The Math Behind Strength
Password strength is measured in bits of entropy. The formula:
Entropy = log2(pool_size ^ length)
Where pool_size is the number of possible characters.
| Character Set | Pool Size | 8-char Entropy | 16-char Entropy |
|---|---|---|---|
| Lowercase only | 26 | 37.6 bits | 75.2 bits |
| Lower + upper | 52 | 45.6 bits | 91.2 bits |
| Alphanumeric | 62 | 47.6 bits | 95.3 bits |
| Full printable ASCII | 95 | 52.6 bits | 105.1 bits |
| 4-word passphrase (7776 words) | 7776^4 | -- | 51.7 bits |
| 6-word passphrase | 7776^6 | -- | 77.5 bits |
The key insight: length matters far more than complexity. A 16-character lowercase password (75.2 bits) is stronger than an 8-character password with every character type (52.6 bits). This is because each additional character multiplies the search space exponentially.
NIST's current guidelines (SP 800-63B, updated 2024) explicitly recommend against forcing special characters and instead emphasize password length. Minimum 8 characters for general use, 15+ for sensitive accounts.
Generating Truly Random Passwords
Humans are terrible at generating randomness. We gravitate toward patterns, keyboard sequences, meaningful dates, and dictionary words even when trying to be "random." A password like "7$kQ!mR2" looks random but might actually come from a pattern the creator is not aware of.
The Password Generator uses cryptographically secure randomness (the Web Crypto API's crypto.getRandomValues()) to generate passwords that are genuinely unpredictable. You can specify length, character types, and whether to exclude ambiguous characters like 0/O and 1/l/I.
Recommended settings:
- For general accounts: 16+ characters, all character types
- For high-security accounts (email, banking): 20+ characters
- For passphrases: 4-6 random words separated by spaces or dashes
- For Wi-Fi passwords you need to type once: 20+ characters, easy to read (exclude ambiguous)
Passphrases: Long and Memorable
A passphrase like "correct horse battery staple" (from the famous XKCD comic) is both easier to remember and harder to crack than "Tr0ub4dor&3". Four random words from a 7,776-word list give you about 51.7 bits of entropy. Six words give you 77.5 bits. That is enough to resist all known attacks for the foreseeable future.
The key word is random. You cannot pick the words yourself. "I love my dog" is four words but has near-zero entropy because it is a common phrase. The words must be selected randomly from a word list. Diceware is the classic method: roll five dice, look up the result in a numbered word list, repeat for each word.
Beyond Passwords: Multi-Factor Authentication
A strong password protects against brute force and dictionary attacks. It does not protect against phishing (where you type your real password into a fake site) or server breaches (where the attacker gets the password database regardless of password strength).
Multi-factor authentication (MFA) adds a second layer. The most common types:
- TOTP (Time-based One-Time Passwords): Apps like Google Authenticator generate a 6-digit code that changes every 30 seconds. The TOTP Generator demonstrates how this works: a shared secret and the current time produce a unique code. Even if an attacker has your password, they cannot log in without this code.
- Hardware security keys (FIDO2/WebAuthn): Physical devices like YubiKey. These are the gold standard because they resist phishing: the key cryptographically verifies the website's identity before authenticating.
- SMS codes: Better than nothing, but vulnerable to SIM swapping attacks. Use TOTP or hardware keys when possible.
Hashing: How Passwords Are Stored
Responsible services never store your actual password. They store a hash: a fixed-length string derived from your password through a one-way function. When you log in, the service hashes your input and compares it to the stored hash.
The Hash Generator shows you how different algorithms transform the same input. Try hashing "hello" with MD5, SHA-256, and SHA-512 to see how each produces a completely different output, and how changing a single character produces a totally different hash.
Good password hashing algorithms (2026):
- Argon2id: The winner of the Password Hashing Competition. Memory-hard, resistant to GPU attacks.
- bcrypt: Battle-tested, still secure when using a sufficient cost factor (12+).
- scrypt: Memory-hard like Argon2, but more complex to configure correctly.
Bad password hashing: MD5, SHA-1, and unsalted SHA-256 are too fast. Speed is a liability for password hashing because it lets attackers try more guesses per second.
Unique Identifiers and Session Tokens
Beyond passwords, many systems use unique identifiers for sessions, API keys, and database records. The UUID Generator creates universally unique identifiers (version 4 UUIDs) using cryptographic randomness. These are used for session tokens, database primary keys, and any context where you need a unique, unpredictable value.
Practical Password Strategy
- Use a password manager. This is the single most impactful security improvement most people can make. A password manager generates unique, random passwords for every account and remembers them for you. You only need to memorize one strong master password.
- Make your master password a passphrase. Six random words, easy to type, hard to crack.
- Enable MFA on critical accounts. Email, banking, cloud storage, and social media. Start with TOTP; upgrade to hardware keys for the most important accounts.
- Check for breaches. Services like Have I Been Pwned let you check if your email or passwords have appeared in known data breaches. If they have, change those passwords immediately.
- Never reuse passwords. If one service gets breached, every account sharing that password is compromised.
Every security tool mentioned here, from the Password Generator to the Hash Generator, TOTP Generator, and UUID Generator, runs entirely in your browser. No data is sent anywhere. Your generated passwords exist only on your screen until you copy them.