Generate Strong Password — What Makes a Password Uncrackable

A strong password is one that can’t be guessed, cracked by brute force, or found in a wordlist. The only way to guarantee strength is to generate it randomly from a cryptographically secure source — not to create it yourself.

Use the Password Generator to generate cryptographically random strong passwords.

What “strong” means quantitatively

Password strength is measured in bits of entropy:

Entropy = log₂(character_set_size ^ length)

At 100 billion guesses/second (aggressive GPU cracking):

Minimum for 2026: 72+ bits. Recommended: 80–100+ bits.

How to achieve 80+ bits of entropy

Character set and length combinations:

Recommendations:

• Minimum: 16 characters, mixed case + digits + symbols (95 bits)
• Standard: 20 characters, full ASCII (131 bits)
• High-security accounts (email, banking): 24+ characters

Why humans create weak passwords

Human-generated passwords follow predictable patterns that password crackers exploit:

1. Dictionary words: Every dictionary word is in every wordlist
2. Leet speak: P@ssw0rd is immediately recognizable (@=a, 0=o)
3. Capitalized first letter: Password1! — the most common pattern
4. Number/symbol append: Appending 123! or 2024 to any word
5. Keyboard patterns: qwerty, 1234, !@#$
6. Personal information: Birthdays, pet names, anniversaries (found via social media)
7. Transformed common passwords: Variations on known breached passwords

A cracking ruleset like Hashcat’s best64.rule generates hundreds of thousands of variations per dictionary word. Any password derived from a word is cracked quickly.

The only solution: Don’t create passwords. Generate them.

How to generate strong passwords

Using the Password Generator

The Password Generator uses crypto.getRandomValues() — the browser’s cryptographically secure random number generator:

1. Set length to 20 (minimum 16)
2. Enable all character classes: lowercase, uppercase, digits, symbols
3. Click Generate
4. Copy and store in your password manager

Why it’s secure: crypto.getRandomValues() pulls entropy from the operating system (hardware events, timing, network activity). The output is not predictable, not reproducible, and contains no patterns.

Why other methods fail:

• Math.random(): Seeded with predictable timestamp, output is predictable
• Human-generated passwords: See above
• Simple online generators without CSPRNGs: May use weak randomness

In your code (if you need to generate passwords programmatically)

// Browser:
function generatePassword(length = 20, charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*') {
  const array = new Uint32Array(length);
  crypto.getRandomValues(array);
  return Array.from(array, n => charset[n % charset.length]).join('');
}

// Node.js:
const crypto = require('crypto');
function generatePassword(length = 20) {
  const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';
  return Array.from(crypto.randomBytes(length), byte => 
    charset[byte % charset.length]
  ).join('');
}

Note: byte % charset.length introduces slight modulo bias for character sets not sized as powers of 2. For production systems, use rejection sampling to eliminate bias.

Password managers: the other half of the solution

A strong password doesn’t help if you reuse it across sites. If any site is breached and attackers get your password (even a strong one), they’ll try it on every other site you use.

Password managers solve both problems:

1. Generate a unique strong password for every account
2. Store them encrypted behind one master password
3. Auto-fill on websites (also protects against phishing — it checks the domain before filling)

Recommended password managers:

• Bitwarden: Open source, free tier, excellent security record
• 1Password: Premium features, excellent UX, business options
• KeePass: Local storage only, most private, no subscription
• Dashlane: User-friendly, good dark web monitoring

The master password should be a passphrase — 4–6 random words (see passphrase generator). You need to remember this one; everything else can be random.

Checking if your password was breached

HaveIBeenPwned Passwords has 800+ million passwords from real breaches. It checks with k-anonymity (you send the first 5 characters of the hash, not the full password) so it’s safe to use.

If a “strong” password appears in breach databases, it’s because:

• You created it (not randomly generated)
• It appeared in a breach of a site you used it on (always use unique passwords)

Related tools

• Password Generator — generate cryptographically random passwords
• Password Strength Checker — how strength is measured
• Passphrase Generator — memorable alternative to random passwords