Most password advice you've heard is wrong. Forcing users to add numbers, symbols, and capital letters — the P@ssw0rd! that satisfies every "strength meter" — creates passwords that are hard for humans to remember and easy for computers to crack. Here's what actually matters.
Password entropy measures randomness — how unpredictable a password is to an attacker. The formula: Entropy = log₂(character_set_size^length)
Each additional character multiplies the possible combinations by the character set size. This is why length dominates complexity:
| Password | Character Set | Combinations | Entropy | Time to Crack |
|---|---|---|---|---|
| P@ss1 (6 chars) | 95 | 95⁶ ≈ 735 billion | ~39 bits | Seconds |
| P@ssw0rd! (10 chars) | 95 | 95¹⁰ ≈ 6×10¹⁹ | ~65 bits | Hours |
| horse-staple-battery-correct | 10,000 (words) | 10,000⁴ = 10¹⁶ | ~53 bits | Days |
| 16 random chars (lower+upper+digits) | 62 | 62¹⁶ ≈ 5×10²⁸ | ~95 bits | Billions of years |
A 16-character password of just lowercase letters (26¹⁶) has 8×10²² combinations — more than a 9-character password using all 95 keyboard symbols (95⁹ ≈ 6×10¹⁷). Length is a multiplier. Complexity is an adder. Multiplication wins.
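As an added example, not code from the page or from its generator, here is the entropy formula applied to the table rows above and to the 16-lowercase versus 9-full-keyboard comparison. It is in JavaScript because that is what the generator itself runs on; the scheme labels are this example's own wording.

```javascript
// Added example (not the page's own code): the entropy formula from the
// text applied to the table rows and to the "16 lowercase vs 9 full
// keyboard" comparison. Everything is computed in the log domain, so
// counts like 62^16 never overflow a double.

// Entropy = log2(charsetSize ^ length) = length * log2(charsetSize)
function entropyBits(charsetSize, length) {
  if (!(charsetSize >= 2) || !(length >= 1)) {
    throw new RangeError("need charsetSize >= 2 and length >= 1");
  }
  return length * Math.log2(charsetSize);
}

// Decimal exponent of the number of combinations (95^6 -> 11.9, i.e. ~10^11.9).
function combinationsLog10(charsetSize, length) {
  return length * Math.log10(charsetSize);
}

// Bits gained by making the password one character longer with the same
// character set: always log2(charsetSize), which is what "each additional
// character multiplies the combinations by the character set size" means.
function bitsPerExtraChar(charsetSize) {
  return Math.log2(charsetSize);
}

// The page's table rows plus the two passwords compared in the prose.
// Names are labels for this example, not the page's wording.
const SCHEMES = [
  { name: "6 chars, full keyboard (95)",       charset: 95,    length: 6 },
  { name: "10 chars, full keyboard (95)",      charset: 95,    length: 10 },
  { name: "4 words, 10,000-word list",         charset: 10000, length: 4 },
  { name: "16 chars, lower+upper+digits (62)", charset: 62,    length: 16 },
  { name: "16 chars, lowercase only (26)",     charset: 26,    length: 16 },
  { name: "9 chars, full keyboard (95)",       charset: 95,    length: 9 },
];

// Returns the schemes annotated with bits and ~10^x combinations, strongest first.
function rankSchemes(schemes = SCHEMES) {
  return schemes
    .map((s) => ({
      ...s,
      bits: entropyBits(s.charset, s.length),
      log10Combinations: combinationsLog10(s.charset, s.length),
    }))
    .sort((a, b) => b.bits - a.bits);
}

for (const s of rankSchemes()) {
  console.log(
    `${s.name.padEnd(36)} ~10^${s.log10Combinations.toFixed(1).padStart(5)}` +
      `  ${s.bits.toFixed(1).padStart(5)} bits`
  );
}
```

Run it with `node` and the two 16-character schemes come out on top, with the 9-character full-keyboard password a full 16 bits behind the lowercase-only one.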
In 2017, NIST (the US National Institute of Standards and Technology) updated its password guidelines — and explicitly recommended against forced complexity rules. Their reasoning:
Password1! is not strong — it's an attacker's first guess. Cracking tools already try the common substitutions (@ for a, 0 for o) and known patterns. A "complex" 8-character password loses to a long but simple one. NIST now recommends: minimum 8 characters, no forced complexity, and check against known breached password lists.
Instead of Tr0ub4dor&3 (hard to remember, easy to crack — ~28 bits of entropy), use a passphrase: correct horse battery staple. Four random words from a 10,000-word dictionary give 10¹⁶ combinations — better than most "complex" passwords.
To make it stronger: add a separator (correct-horse-battery-staple), throw in a number (correct-horse-battery-staple-42), or swap a word for a non-dictionary term (correct-horse-battery-x7k9p). The core insight is that your brain remembers words; computers don't care whether the characters form words or not.
The strongest password is one you don't have to remember. A password manager (Bitwarden, 1Password, KeePass, built-in browser managers) generates truly random 20+ character passwords and stores them encrypted. You only need to remember one master password — make it a long passphrase.
Critical principle: every account gets a unique password. When (not if) a service is breached and its password database leaks, attackers try those email/password pairs on every other service. If your Netflix password matches your email password, a Netflix breach compromises your email — and from your email, everything else.
Even the strongest password can be phished, keylogged, or leaked. 2FA adds a second layer: something you have (your phone, a security key) in addition to something you know (your password).
Enable 2FA on: email (your most important account — it's the key to everything), banking, password manager, social media, and any work account.
Our generator uses JavaScript's crypto.getRandomValues() — a cryptographically secure random number generator built into your browser. This is the same quality of randomness used for SSL/TLS encryption. The password is generated locally and never sent to any server.
With all four character sets enabled (lowercase, uppercase, numbers, symbols), each character draws from a pool of ~90 possible values. A 20-character password has 90²⁰ ≈ 1.2×10³⁹ combinations — that's 120 followed by 37 zeros. At a billion guesses per second (a well-resourced attacker), it would take about 4×10²² years to exhaust the search space. The universe is ~1.4×10¹⁰ years old. You'll be fine.