Password Strength and Generation: A Security Guide

Weak and reused passwords remain one of the most common causes of account compromise. This guide covers how to estimate password entropy, how to generate strong passwords and passphrases, and how to store them.

Key Takeaways

  • Password strength is measured in bits of entropy: the base-2 logarithm of the number of equally likely possibilities the attacker must search.
  • Generate secrets with a cryptographically secure random number generator (Python's secrets module, JavaScript's crypto.getRandomValues()), never Math.random() or Python's random module.
  • A passphrase of four to six words chosen at random from a large word list is easier to remember and comparable in entropy to an 8-12 character random string.
  • Use a password manager (1Password, Bitwarden), a unique password for every site, and two-factor authentication wherever it is offered.
  • Never reuse passwords or build them from personal information such as birthdays or names.

What Makes a Password Strong

Password strength is measured in bits of entropy: the base-2 logarithm of the number of equally likely possibilities. Each extra bit doubles the number of guesses an attacker needs on average to find the password by brute force. The formula below assumes every symbol is chosen uniformly at random; a human-chosen password with the same length and alphabet has far less entropy than the formula suggests.

Entropy (bits) = log2(characters ^ length) = length × log2(characters)

| Password type | Alphabet size | Length | Entropy |
|---|---|---|---|
| 4-digit PIN | 10 | 4 | 13.3 bits |
| Lowercase only | 26 | 8 | 37.6 bits |
| Mixed case + numbers | 62 | 8 | 47.6 bits |
| Full printable ASCII | 95 | 12 | 78.8 bits |
| Passphrase (Diceware list) | ~7,776 words | 4 words | ~51.7 bits |

Generation Strategies

Random Character Strings

Random character strings give the maximum entropy per character for a given alphabet. Use a cryptographically secure random number generator (CSPRNG), never Math.random() or Python's random module: those are seeded from small, guessable state and their output can be predicted from a few observed values. Use the secrets module in Python or crypto.getRandomValues() in JavaScript.

Passphrase (Diceware)

Four to six words selected at random from a large word list. Passphrases are easier to remember and type than random strings of similar strength: four words from a 7,776-word Diceware list give about 52 bits, roughly the same as an 8-character random printable-ASCII string, and six words give about 78 bits, roughly 12 random characters. Example: correct-horse-battery-staple (the classic XKCD reference; its 44-bit figure assumes about 11 bits per word, i.e. a list of roughly 2,000 words). The words must be chosen by the CSPRNG, not by the user; a memorable phrase you picked yourself has far less entropy than the word count suggests.
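The following Python script is an added example, not code from the original article: it implements the entropy formula from the table above, generates a random character string and a Diceware-style passphrase with the secrets module, and computes how long a secret must be to reach a target number of bits. The word list in the script is a constructed 16-word stand-in (a real Diceware list has 7,776 entries); entropy is computed from the actual list size, so the toy list honestly reports far fewer bits than the table's 51.7.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 94 symbols. The article's table counts 95
# because it also includes the space character.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a Diceware word list (example data, not a real list).
# A real list has 7,776 entries (6**5, one per roll of five dice). Entropy is
# derived from len(wordlist), so this toy list yields only 4 bits per word.
SAMPLE_WORDLIST = [
    "apple", "bridge", "candle", "desert", "ember", "forest", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchard", "pepper",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: log2(alphabet_size ** length).

    Computed as length * log2(alphabet_size) to avoid building huge integers.
    Only valid when every symbol is drawn uniformly by a CSPRNG.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of symbols (characters or words) reaching target_bits."""
    if alphabet_size < 2 or target_bits <= 0:
        raise ValueError("need an alphabet of at least 2 symbols and a positive target")
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random string from `alphabet` using the OS CSPRNG (never random.choice)."""
    if length < 1:
        raise ValueError("length must be >= 1")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("duplicate symbols in the alphabet would skew the distribution")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(word_count: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: `word_count` words drawn uniformly by the CSPRNG."""
    if word_count < 1:
        raise ValueError("word_count must be >= 1")
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words in the list reduce entropy")
    if any(sep in w for w in wordlist):
        raise ValueError("separator must not appear inside a word")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    pw = random_password(12)
    print(f"{pw}  ({entropy_bits(len(PRINTABLE), 12):.1f} bits)")
    pp = passphrase(4)
    print(f"{pp}  ({entropy_bits(len(SAMPLE_WORDLIST), 4):.1f} bits from the toy list)")
    print("words from a 7,776-word list for >= 77 bits:", length_for_bits(7776, 77))
    print("printable-ASCII characters for >= 128 bits:", length_for_bits(95, 128))
```

Swap SAMPLE_WORDLIST for a real 7,776-word list and the same code reproduces the table's 51.7 bits for four words; the point of computing entropy from the list size rather than hard-coding it is that a shortened or deduplicated list is reported honestly.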

Pronounceable Passwords

Alternating consonant-vowel patterns create memorable strings such as bapido-kumefa-niratu. Each position draws from only the consonants or only the vowels rather than the whole alphabet, so the entropy per character is lower than for a uniformly random string; a pronounceable password must be longer to reach the same strength, and the generator must still be a CSPRNG.

Storage Best Practices

  • Use a password manager (1Password, Bitwarden)
  • Generate unique passwords for every site
  • Minimum 16 characters for important accounts
  • Enable two-factor authentication (TOTP or hardware key) wherever available

What NOT to Do

  • Reuse passwords across sites
  • Use personal information (birthdays, names)
  • Apply predictable substitutions (@ for a, 3 for e) — attackers know these patterns
  • Rely on complexity rules (uppercase + symbol) instead of length: length adds entropy faster than character-class requirements, and such rules mostly push users toward predictable patterns like a capitalised word followed by a digit and a symbol
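The following Python checker is an added example, not code from the original article: it shows why the patterns in the "What NOT to Do" list offer no protection. It undoes the common substitutions (@ for a, 3 for e, 0 for o, and so on), strips the trailing digits and symbols people append to satisfy complexity rules, and compares the result against a dictionary, then flags personal information and short length. The dictionary and the user attributes are constructed sample data; a real cracking run uses word lists of millions of entries and many more mangling rules than the handful mapped here.

```python
import re

# Reverse of the substitutions attackers apply as "mangling" rules. Ambiguous
# digits (1 could be i or l) are mapped to a single letter, so this check is
# conservative: real crackers try every alternative.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Constructed stand-in for a cracking dictionary (sample data only).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}

# Trailing or leading runs of digits/punctuation, e.g. the "2024!" in "Summer2024!".
_EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it was built from, if any.

    Order matters: strip the appended digits/symbols first, so a trailing "!"
    is treated as decoration rather than as a substituted letter.
    """
    lowered = password.lower()
    core = _EDGE_JUNK.sub("", lowered)
    return core.translate(LEET_MAP)


def weak_password_reasons(password: str, dictionary=COMMON_WORDS, personal=()) -> list:
    """Return a list of reasons the password is weak; empty means no rule fired.

    `personal` holds attributes an attacker can look up (name, birth year, pet);
    any of them appearing verbatim in the password is flagged.
    """
    reasons = []
    core = normalize(password)
    if core in dictionary:
        reasons.append(f"mangled dictionary word '{core}'")
    lowered = password.lower()
    for item in personal:
        token = str(item).lower()
        if len(token) >= 3 and token in lowered:
            reasons.append(f"contains personal info '{token}'")
    # Length floor from the storage section above.
    if len(password) < 16:
        reasons.append("shorter than 16 characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Summer2024", "Dr4g0n", "Alice1990!", "kettle-orchard-lantern-nickel"]:
        reasons = weak_password_reasons(candidate, personal=["Alice", 1990])
        print(f"{candidate!r:32} -> {reasons or 'no rule fired'}")
```

The substituted passwords collapse straight back onto their dictionary word, which is exactly what a cracker's rule set does in reverse; only the randomly generated passphrase passes every check.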