Most people know weak passwords are dangerous — but few understand why a particular password is weak or exactly how attackers crack them. This guide explains password entropy, how random generators work, and practical advice for keeping accounts secure.
What Makes a Password Strong?
Password strength comes down to two factors: length and unpredictability. Longer passwords with larger character sets take exponentially more attempts to crack.
The metric for this is entropy, measured in bits. A password with n bits of entropy would require up to 2^n guesses to crack by brute force. Each bit of entropy doubles the search space.
Password Entropy by Character Set
| Character Set | Size | Bits per character | 12-char entropy |
|---|---|---|---|
| Lowercase only (a–z) | 26 | 4.7 bits | 56 bits |
| + Uppercase (A–Z) | 52 | 5.7 bits | 68 bits |
| + Digits (0–9) | 62 | 5.95 bits | 71 bits |
| + Symbols (!@#$…) | 94 | 6.55 bits | 78 bits |
A 12-character password using all character types has ~78 bits of entropy. At 10 billion guesses per second (a realistic GPU cracking speed), exhausting this space would take longer than the age of the universe. A 6-character lowercase password? About 3 minutes.
Length Beats Complexity
Adding one more character to a password increases its entropy by ~6.5 bits — doubling the effective search space 6.5 times. Forcing users to add a symbol instead of making the password longer often results in less secure passwords because users choose predictable substitutions: p@ssw0rd instead of a random longer string.
The current NIST recommendation (SP 800-63B) prioritizes length over complexity rules, and recommends checking passwords against known breach lists rather than enforcing arbitrary symbol requirements.
How Password Crackers Work
Attackers do not start with random brute force. They use ordered strategies:
- Dictionary attacks — try words from dictionaries and known leaked password lists (rockyou.txt has 14 million real passwords).
- Rule-based attacks — apply transformations to dictionary words: capitalize first letter, append a digit, substitute e→3, a→@.
- Hybrid attacks — combine words: correct-horse-battery-staple is memorable, but a hybrid cracker will try word combinations.
- Brute force — try every possible combination. Only practical for short passwords.
The most secure passwords are random — generated by a machine, not chosen by a human. Human-chosen passwords follow predictable patterns even when the user thinks they're being creative.
Cryptographically Secure vs Math.random()
Not all random number generators are equal. JavaScript's Math.random() is a pseudorandom number generator (PRNG) — fast, but predictable given the seed. It is not suitable for generating passwords or security tokens.
The Web Crypto API (crypto.getRandomValues()) uses the operating system's cryptographically secure random source, which draws from hardware entropy (CPU timing jitter, mouse movement, etc.). This is what secure password generators use.
```javascript
// ❌ Insecure — don't use for passwords
const insecureRandom = Math.random()

// ✅ Cryptographically secure
const array = new Uint32Array(1)
crypto.getRandomValues(array)
const secureRandom = array[0]
```
Recommended Password Lengths
| Use Case | Minimum Length | Notes |
|---|---|---|
| General accounts | 16 characters | Use a password manager |
| Banking / email | 20+ characters | High-value targets |
| Master password | 24+ characters | Memorize this one |
| API keys / secrets | 32+ characters | Full random, store in vault |
| Encryption keys | 128+ bits | Use a KDF, not raw password |
Password Managers
The only practical way to use long, unique, random passwords for every site is a password manager. It generates and stores credentials so you only remember one strong master password.
Reusing passwords is the biggest real-world risk. When a site is breached and passwords are leaked, attackers immediately try those credentials on Gmail, banking, and other services — a technique called credential stuffing. A unique password per site limits the blast radius to a single account.
Multi-Factor Authentication
Even a perfect password is not enough if it is phished or leaked. Enable multi-factor authentication (MFA) on every account that supports it. Authenticator apps (TOTP like Google Authenticator) are more secure than SMS. Hardware keys (YubiKey) are the most secure option for high-value accounts.
What to Avoid
- Dictionary words, even with substitutions (p@ssw0rd)
- Personal information: birthdays, names, pets
- Keyboard walks: qwerty, 123456, asdfgh
- Reusing passwords across sites
- Storing passwords in plain text, spreadsheets, or notes apps
- Sharing passwords over email or chat