EvvyTools.com
Why "P@ssw0rd123!" Is Terrible and How to Generate Passwords That Actually Resist Cracking


The password "P@ssw0rd123!" checks every box on the traditional complexity checklist: uppercase, lowercase, number, special character, 12 characters long. It also appears in every major breach dictionary and would be cracked in under a second by any modern password-cracking tool. The problem is not the rules. The problem is that humans follow the rules in predictable ways, and attackers know exactly what those patterns look like.

Password security has shifted fundamentally over the past decade. The National Institute of Standards and Technology (NIST) Special Publication 800-63B, updated in 2024, now explicitly recommends against forced complexity requirements (mandatory special characters, mixed case) and instead emphasizes length and randomness as the primary defenses. This is a 180-degree turn from the advice most websites still enforce.

This guide covers what makes a password actually resistant to cracking, explains entropy in practical terms, compares character-based passwords to passphrases, and walks through generating both types securely.


What Makes a Password Strong: Entropy, Not Complexity

Password strength is measured in bits of entropy. Entropy quantifies how unpredictable a password is. More entropy means more possible combinations an attacker has to try.

The Math Behind Entropy

Entropy (in bits) = log2(N^L) = L × log2(N), where N is the number of possible characters and L is the password length.

A random 8-character password using lowercase letters only (26 characters): log2(26^8) = 37.6 bits. An attacker trying all combinations at a rate of 10 billion guesses per second (achievable with modern GPUs) would exhaust the full keyspace in about 14 seconds.

A random 12-character password using uppercase, lowercase, digits, and symbols (95 characters): log2(95^12) = 78.8 bits. At the same cracking speed, exhausting this keyspace would take roughly 6 million years.

A random 16-character password using the same 95-character set: log2(95^16) = 105 bits. This is effectively uncrackable by brute force with any foreseeable technology.

The takeaway: length matters exponentially more than character variety. Each added character multiplies the number of possible passwords by the size of the alphabet, while enlarging the alphabet only adds a fixed fraction of a bit per character. Adding 4 characters to a password does more for security than adding special characters to a shorter one.

Why Human-Chosen Passwords Fail

The entropy calculations above assume truly random selection. When humans choose passwords, they follow patterns: dictionary words, predictable substitutions (@ for a, 0 for o, 3 for e), keyboard walks (qwerty, 1qaz2wsx), and appended numbers or punctuation. Attackers model these patterns into their cracking dictionaries.

A study by Carnegie Mellon's CyLab found that passwords meeting typical complexity requirements (8+ characters, uppercase, lowercase, digit, symbol) had an average effective entropy of only 30 to 35 bits because users gravitate toward the same predictable patterns. True randomness is what the math requires, and humans are bad at randomness.

"Every client project starts with the same conversation about password policies. The ones who enforce 8-character minimums with complexity rules think they are secure. The ones who enforce 16-character minimums with no complexity rules actually are." - Dennis Traina, 137Foundry

Passwords vs Passphrases

There are two viable approaches to generating strong credentials: random character strings and random word passphrases. Both work, but they optimize for different use cases.

Random Character Passwords

A string like k7#Pq$mR9xvL2nW! has high entropy per character and is compact. It is ideal for passwords stored in a password manager because you never need to type or remember it. The randomness comes from a cryptographically secure random number generator (CSPRNG), not from a human making "random" choices.

Random Word Passphrases

A passphrase like correct horse battery staple (the famous XKCD 936 example) uses randomly selected dictionary words. With a word list of 7,776 words (the EFF Diceware list), each word adds about 12.9 bits of entropy. A 5-word passphrase has 64.6 bits. A 6-word passphrase has 77.5 bits.

Passphrases are easier to type on mobile devices, easier to dictate over the phone, and easier to enter on systems that do not support paste. They are the better choice for passwords you might need to type manually, like your password manager's master password or your device unlock.


Which to Choose

  • Passwords you will store in a manager: Random characters, 16+ characters
  • Your password manager's master password: Passphrase, 5-6 random words
  • Device unlock or PIN: Longest allowed, random digits
  • SSH keys and API tokens: Machine-generated, maximum supported length

Generating Truly Random Passwords

The critical word in password generation is "random." Not human-random. Cryptographically random. This free password tool uses crypto.getRandomValues(), the browser's built-in cryptographic random number generator, to produce passwords that are truly unpredictable. No server-side processing, no stored passwords, no network requests. The generation happens entirely in your browser.

The tool offers two modes:

Character mode: Set your desired length (16+ recommended), choose which character types to include (uppercase, lowercase, digits, symbols), and generate. Each character is selected independently and uniformly from the allowed set using the CSPRNG. The tool also shows a real-time strength analysis with entropy calculation and estimated crack time.

Passphrase mode: Generate a sequence of random words from a curated word list. Select the number of words (5-6 recommended), optional separator character, and optional capitalization. Each word is selected independently using the CSPRNG.

Both modes display the password's entropy in bits and an estimated crack time at 10 billion guesses per second, so you can see exactly how strong your generated credential is.

Password Hygiene Beyond Generation

A strong password is necessary but not sufficient. The rest of the security chain matters too.

One Password Per Account

According to the OWASP Authentication Cheat Sheet, credential reuse is the single most exploited vulnerability in authentication systems. When a breach exposes your email and password on one site, attackers immediately try the same combination on banking, email, and social media accounts. One unique password per account contains the blast radius of any single breach.

Use a Password Manager

A password manager stores all your unique, high-entropy passwords behind a single master passphrase. You memorize one strong passphrase and the manager handles the other 200. Major options include Bitwarden, 1Password, and KeePass. The master passphrase should be a 5-6 word randomly generated passphrase that you commit to memory.

Enable Two-Factor Authentication

Even a perfect password can be compromised through phishing or server-side breaches. Two-factor authentication (2FA) adds a second verification step. Hardware security keys (YubiKey, Google Titan) are the strongest option, followed by authenticator apps (Google Authenticator, Authy). SMS-based 2FA is better than nothing but vulnerable to SIM-swapping attacks.

Check for Breaches

Have I Been Pwned lets you check whether your email or password has appeared in known breaches. The site was created by security researcher Troy Hunt and is widely trusted by the security community. If any of your passwords appear in a breach, change them immediately.


Common Password Myths

"Special Characters Make Passwords Stronger"

Only if the password is also long and random. P@$$w0rd has special characters but is trivially cracked because it follows a predictable substitution pattern. rnfk4829xpqmz (13 random lowercase letters and digits) is harder to crack despite having no special characters because it has more entropy.

"Changing Passwords Frequently Improves Security"

NIST's 2024 guidelines explicitly recommend against mandatory password rotation unless there is evidence of compromise. Forced rotation leads to weaker passwords (users increment: Password1, Password2, Password3) and increased helpdesk costs.

"Longer Passwords Are Always Better"

Longer random passwords are always better. Longer predictable passwords are not. "ilovemydogmaxandmycatlunaverymuch" is long but follows natural language patterns that attack dictionaries can model. Length only helps when combined with randomness.

"Password Managers Are a Single Point of Failure"

This concern comes up frequently and sounds logical on the surface. If someone compromises your password manager, they get everything. But the alternative, reusing weak passwords across dozens of sites, is far more likely to be exploited. A password manager with a strong master passphrase, stored in encrypted vaults with zero-knowledge architecture, is orders of magnitude more secure than human memory. The key is choosing a reputable manager with transparent security audits and enabling two-factor authentication on the manager account itself. Bitwarden, for example, publishes independent security audit results and uses end-to-end encryption where even the company cannot access your vault.

"Biometrics Replace Passwords"

Fingerprints and face recognition are convenient authentication factors, but they are not passwords. A fingerprint cannot be changed if compromised. Face recognition can be spoofed with sufficiently detailed photos or 3D models. Biometrics work best as a second factor alongside a strong password, not as a replacement. The FIDO2 standard and passkeys are moving the industry toward passwordless authentication, but strong passwords remain the fallback and recovery mechanism in most systems.


The Best Password Is One You Never Need to Remember

Generate a random 5-word passphrase for your password manager. Generate random 16+ character passwords for everything else. Let the password manager remember them all. Use this free password tool to generate both types with cryptographic randomness, and stop trusting your brain to be random. It is not.
