Password Security Guide
Everything you need to know about creating and managing strong passwords. No fluff, just the essentials.
Why strong passwords matter
Weak passwords are the most common way online accounts get compromised. According to Verizon's Data Breach Investigations Report, over 80% of hacking-related breaches involve stolen or weak credentials. A strong password is your first and most important line of defense.
When a service gets breached, attackers obtain hashed versions of user passwords. They then use specialized hardware to try billions of guesses per second. The shorter and simpler your password, the faster it falls.
How password cracking works
Attackers use several techniques to crack passwords:
- Brute force
- Trying every possible combination. A 6-character lowercase password has about 309 million combinations — crackable in seconds on modern hardware. A 16-character password mixing all character types has over 1030 combinations, making brute force infeasible.
- Dictionary attacks
- Using lists of common passwords, English words, and known leaked passwords. "password123" and "qwerty" are tried within the first few thousand guesses.
- Credential stuffing
- Using email/password pairs from one breach to log into other services. This is why reusing passwords across sites is dangerous — one breach compromises all your accounts.
How long should a password be?
Length is the single most important factor in password strength. Every additional character exponentially increases the number of possible combinations.
| Length | Character types | Time to crack |
|---|---|---|
| 8 | Lowercase only | Seconds |
| 8 | Mixed + numbers + symbols | Hours to days |
| 12 | Mixed + numbers + symbols | Centuries |
| 16 | Mixed + numbers + symbols | Longer than the age of the universe |
| 20+ | Any combination | Effectively uncrackable |
Estimates assume offline attack at 100 billion guesses per second (high-end GPU cluster).
For most accounts, 16 characters or more with a mix of character types provides excellent security. For critical accounts (email, banking), consider 20 or more.
Password best practices
- Use a unique password for every account. If one service gets breached, your other accounts remain safe.
- Use a password manager. Tools like 1Password, Bitwarden, or the built-in managers in iOS and macOS let you generate and store unique passwords without memorizing them.
- Enable two-factor authentication (2FA). Even a strong password can be phished. 2FA adds a second layer that requires physical access to your device.
- Prefer random passwords over passphrases for online accounts.While "correct horse battery staple" is a memorable passphrase, a 20-character random string is stronger per character and works better with a password manager.
- Never share passwordsover email, chat, or text messages. Use a password manager's secure sharing feature instead.
- Check for breaches. Services like Have I Been Pwned let you check if your email or passwords have appeared in known data breaches. Change any compromised passwords immediately.
What makes a password generator secure?
Not all random password generators are equal. A secure generator should:
- Use a cryptographically secure random number generator (like the Web Crypto API's
crypto.getRandomValues) instead ofMath.random, which is predictable. - Run entirely in your browser. The password should never be sent to a server. If a generator requires an internet connection or sends network requests, your password could be intercepted or logged.
- Avoid modulo bias. Naive implementations that use
randomValue % characterCountproduce subtly biased results. A proper implementation uses rejection sampling to ensure every character is equally likely. - Guarantee character type representation. If you select uppercase, lowercase, numbers, and symbols, the generated password should always contain at least one of each.
This generator implements all of the above. You can verify this by viewing the source code — everything runs client-side with no network calls.