How to Generate Secure Passwords: What Makes a Password Unbreakable
Learn what makes passwords truly secure: entropy, length vs complexity, attack types, and how to generate passwords that can't be cracked.
ToolNest Team
December 20, 2025
What Makes a Password Secure?
Password security is fundamentally about entropy, the mathematical unpredictability of a password. High entropy means an attacker can't guess or systematically crack it in a reasonable timeframe, even with dedicated cracking hardware.
Understanding Password Entropy
Entropy is measured in bits. The formula is:
Entropy = log₂(charset_size ^ password_length)
Or equivalently: log₂(charset_size) × password_length
For a password using lowercase letters only (26 characters), 8 characters long:
Entropy = log₂(26⁸) = log₂(208,827,064,576) ≈ 37.6 bits
For a password using all printable ASCII (95 characters), 8 characters long:
Entropy = log₂(95⁸) ≈ 52.6 bits
For a 16-character password with full ASCII charset:
Entropy = log₂(95¹⁶) ≈ 105.2 bits
As a rough guideline:
- Below 40 bits: Insecure (crackable in seconds with modern hardware)
- 40–60 bits: Low security (crackable in hours to days)
- 60–80 bits: Moderate (crackable in years with dedicated hardware)
- 80–100 bits: Strong (would take centuries with current technology)
- 100+ bits: Very strong (effectively unbreakable with any foreseeable technology)
Why Length Beats Complexity
Adding one more character to a password multiplies the search space. Adding character classes (uppercase, symbols) only multiplies it by a fixed amount.
Compare:
- 8 characters, all ASCII (95 chars): 95⁸ ≈ 6.6 × 10¹⁵ combinations
- 12 characters, lowercase only: 26¹² ≈ 9.5 × 10¹⁶ combinations
The 12-character lowercase password has 14x more combinations than the 8-character complex password, even though it uses a smaller charset.
The NIST 2024 recommendation: Focus on password length (minimum 12 characters, ideally 16+). Stop requiring arbitrary complexity rules like "must include uppercase, number, and symbol"; these rules make passwords harder to remember without proportionally improving security.
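The entropy formula and the rating bands above, worked through in code. This is an added example, not the article's or ToolNest's own code; the charset sizes are the ones the article uses, and the "2000 words" entry refers to the passphrase wordlist discussed later.

```javascript
// Added example (not the article's code): entropy of a password scheme,
// the article's rough rating bands, and the "length beats complexity" check.

// log2(charset ^ length) == length * log2(charset)
function entropyBits(charsetSize, length) {
  return length * Math.log2(charsetSize);
}

// The article's guideline bands, as a function of entropy in bits.
function rating(bits) {
  if (bits < 40) return 'insecure';
  if (bits < 60) return 'low';
  if (bits < 80) return 'moderate';
  if (bits < 100) return 'strong';
  return 'very strong';
}

// How many times larger scheme a's search space is than scheme b's.
// A difference of d bits means a factor of 2^d.
function searchSpaceRatio(a, b) {
  return 2 ** (entropyBits(a.charset, a.length) - entropyBits(b.charset, b.length));
}

// Shortest length at which a scheme reaches a target entropy,
// e.g. how long a lowercase-only password must be to hit 80 bits.
function lengthForBits(charsetSize, targetBits) {
  return Math.ceil(targetBits / Math.log2(charsetSize));
}

// Charset sizes used in the article (2000 = a common-word passphrase list).
const CHARSET = { lowercase: 26, ascii: 95, words2000: 2000 };

// Example run: the 12-char lowercase vs 8-char full-ASCII comparison.
const ratio = searchSpaceRatio(
  { charset: CHARSET.lowercase, length: 12 },
  { charset: CHARSET.ascii, length: 8 },
);
console.log(`12 lowercase vs 8 ASCII: ${ratio.toFixed(1)}x more combinations`);
for (const [name, size] of Object.entries(CHARSET)) {
  console.log(`${name}: ${lengthForBits(size, 80)} picks needed for 80 bits`);
}
```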
Types of Password Attacks
Brute force attack: Try every possible combination systematically. Effective against short passwords; completely impractical against long ones. A 16-character random password would take longer than the age of the universe to crack with current hardware.
Dictionary attack: Try common words and known passwords from data breaches. This is why password, qwerty123, and iloveyou are immediately crackable. Attackers use wordlists with billions of known passwords.
Rule-based attacks: Apply common transformations to dictionary words: password → P@ssw0rd, Password1!. Crackers do this automatically. If you're replacing letters with symbols the same way (a→@, e→3, o→0), it's not adding much security.
Credential stuffing: Use username/password pairs from previous data breaches on other sites. This is why never reusing passwords is critical: one breach shouldn't compromise all your accounts.
Rainbow table attacks: Pre-computed tables of hash values. Defeated by salted hashing, which is why modern systems store salted password hashes.
The Passphrase Approach
A passphrase is a series of random words: correct-horse-battery-staple (from the famous XKCD comic).
Four random common English words:
- Charset: ~2,000 common words
- Entropy = log₂(2000⁴) ≈ 43.9 bits
Five random words:
- Entropy = log₂(2000⁵) ≈ 54.9 bits
Passphrases are easier to remember than random character strings while achieving good entropy. The key word is random: the words must be chosen randomly, not made up by you (human choices are predictable).
What NOT to Do
- Personal information: birthdate, pet's name, hometown, phone number, ID numbers
- Common substitutions: P@ssw0rd is in every cracker's rulebook
- Sequential patterns: 123456, abcdef, qwerty
- Keyboard patterns: qweasdzxc
- Words from your life: your favorite band, sports team, child's name
- Short passwords: anything under 12 characters is risky for sensitive accounts
Password Manager: The Real Solution
The only practical solution for strong, unique passwords on every site is a password manager. It generates and stores cryptographically random passwords like Kj#9mP2$xLqN8@vR for every site, and you only need to remember one strong master password.
Popular options: Bitwarden (open source, free), 1Password, Dashlane. Browser-built-in password managers (Chrome, Safari) are also reasonable for casual use.
How Our Password Generator Works
Our Password Generator uses the browser's crypto.getRandomValues() API, a cryptographically secure random number generator. This is the same randomness source used in cryptography libraries. It never calls a server; all generation happens locally in your browser.
You can configure:
- Length (up to 128 characters)
- Character sets (uppercase, lowercase, numbers, symbols)
- Exclusion of ambiguous characters (0/O, l/1/I)
- Passphrase generation
Check existing passwords with our Password Strength Checker to see estimated crack time.