How to Generate Secure Passwords (and Why Length Wins)
Most advice about passwords is wrong, or at least outdated. The old rules pushed us toward short strings stuffed with symbols, like "P@ssw0rd!", which are hard for humans to remember and surprisingly easy for machines to crack. The math says something different: length is the single biggest factor in how hard a password is to guess.
Entropy Is What Actually Matters
Password strength is measured in entropy, expressed in bits. Each bit doubles the number of guesses an attacker must make. Entropy depends on two things: the size of the character set you draw from, and the length of the password. A password from a 95-character set (uppercase, lowercase, digits, symbols) gains roughly 6.5 bits per character. So a 16-character random password carries about 104 bits of entropy, which is far beyond what any current hardware can brute-force in a human lifetime.
The key insight is that adding one more character multiplies the search space, while adding one more symbol type only widens it slightly. Length compounds. Complexity does not.
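As an added illustration (not code from the original post), here is the entropy arithmetic behind these figures in JavaScript: bits = length * log2(alphabet size), for uniformly random choices. The exact log2(95) is 6.57, so a 16-character password comes out at about 105 bits rather than the 104 the rounded 6.5 gives. The marginal-gain function makes the length-versus-complexity point concrete: at a fixed length, adding one more symbol to the alphabet is worth a fraction of a bit, while adding one more character is worth a full log2(alphabet) bits. The 2048-word list size and the guess rate passed to yearsToExhaust are assumed figures chosen for the illustration.

```javascript
// Added example: password entropy arithmetic (not code from the original post).
// For uniformly random choices, entropy in bits = length * log2(alphabet size).

const CHARSET_SIZES = {
  lowercase: 26,
  mixedCase: 52,
  alphanumeric: 62,
  full: 95, // printable ASCII including space: upper, lower, digits, symbols
};

// Bits of entropy for `length` independent uniform draws from `alphabetSize` symbols.
// The same formula covers passphrases: `length` words drawn from a list of `alphabetSize` words.
function entropyBits(length, alphabetSize) {
  if (length < 0 || alphabetSize < 2) throw new RangeError("need length >= 0 and alphabet >= 2");
  return length * Math.log2(alphabetSize);
}

// How much does one more character buy, versus one more symbol in the alphabet
// at the same length? This is the "length compounds, complexity does not" claim in numbers.
function marginalGain(length, alphabetSize) {
  return {
    oneMoreCharacter:
      entropyBits(length + 1, alphabetSize) - entropyBits(length, alphabetSize),
    oneMoreSymbolInAlphabet:
      entropyBits(length, alphabetSize + 1) - entropyBits(length, alphabetSize),
  };
}

// Years to exhaust the whole space at an assumed guess rate (an attacker needs
// about half of that on average). The rate is a placeholder, not a measured figure.
function yearsToExhaust(bits, guessesPerSecond = 1e12) {
  const secondsPerYear = 365.25 * 24 * 3600;
  return Math.pow(2, bits) / guessesPerSecond / secondsPerYear;
}

// Worked figures from the post, recomputed:
const sixteenRandom = entropyBits(16, CHARSET_SIZES.full);   // ~105 bits
const fiveRandom = entropyBits(5, CHARSET_SIZES.full);       // ~33 bits ("X9$kQ")
const fourWords = entropyBits(4, 2048);                      // 44 bits (assumed 2048-word list)
const gain = marginalGain(16, CHARSET_SIZES.alphanumeric);   // ~5.95 bits vs ~0.37 bits
```

Reading the output: one extra character on a 16-character alphanumeric password adds about 6 bits (doubling the search space six times over), while growing the alphabet from 62 to 63 symbols adds under half a bit across all 16 positions. Going all the way from 62 to 95 symbols adds roughly 10 bits, which two extra characters also deliver, and after 95 the typeable alphabet stops growing while length can keep going.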
Length vs Complexity
Consider two passwords. The first is "X9$kQ" - five characters, looks scary, about 33 bits. The second is "correct horse battery staple" - four common words, about 44 bits, and far easier to type and recall. The second is stronger despite containing no symbols at all. This is the case for passphrases: strings of several random words. Four or five truly random words pulled from a large dictionary give you excellent entropy and a password you can actually memorize.
That said, you should not hand-pick the words yourself. Humans are predictable: hand-picked words cluster around common nouns and personal associations. Use a generator that selects words uniformly at random.
Generate, Don't Invent
For accounts you never type by hand, use long random strings. The Random Password Generator produces high-entropy passwords with the length and character sets you choose, so you can mint a fresh 20-character credential for every site. If you want to gut-check something you already use, the Password Strength Checker estimates entropy and flags patterns, dictionary words, and predictable substitutions.
When you evaluate any generator, the question that should come first is where the randomness comes from and whether anything leaves your device.
Why Client-Side Generation Matters
A password generated on a server is a password that, however briefly, existed somewhere you do not control. It traveled over a network, may have been logged, and depended on infrastructure you cannot audit. The safer model is generation that happens entirely in your browser using the platform's cryptographic randomness, with nothing transmitted. Both tools above run fully client-side, so the password is created on your machine and never uploaded. The only copy is the one you save.
Use a Password Manager
The reason people reuse weak passwords is that strong ones are unmemorable. The fix is to stop memorizing. A password manager stores a unique high-entropy password for every account behind one strong master passphrase. You only need to remember that one - make it a long passphrase of five or six random words - and let the manager handle the rest. This also defends against the worst real-world attack: credential stuffing, where a leak from one site is replayed against all your others. Unique passwords make that attack worthless.
Practical Rules
- Aim for at least 16 characters for random passwords, or five random words for passphrases.
- Never reuse a password across accounts.
- Let a manager generate and store them; only memorize the master passphrase.
- Enable two-factor authentication wherever it is offered - it covers you even if a password leaks.
- Prefer tools that generate locally and upload nothing.
Strong passwords are not about clever tricks. They are about giving an attacker so many possibilities that guessing becomes hopeless, and length is the cheapest way to buy that protection.