Most password advice is either too vague ("use a strong password!") or too paranoid to follow in practice. This guide cuts through the noise — here's what actually determines password security, what's myth, and how to generate passwords that are genuinely hard to crack.
You can generate a secure password right now with the DevToolShack Password Generator and check how strong an existing one is with the Password Strength Checker — both run entirely in your browser.
What Actually Makes a Password Strong?
Two things matter above everything else: length and randomness. Everything else is secondary.
Length
Every additional character multiplies the number of possible passwords an attacker has to try. An 8-character password using uppercase, lowercase, digits, and symbols has about 6.7 quadrillion combinations. A 16-character password using the same character set has 45 septillion. That's not twice as hard to crack — it's billions of times harder.
Randomness (Entropy)
A password has to be unpredictable. Password1! technically meets most complexity requirements but it's one of the first passwords every cracking tool tries. True randomness means the password is generated by a cryptographically secure random number generator — not your brain, which is terrible at producing random sequences.
The Myths Worth Debunking
| Myth | Reality |
|---|---|
| Complexity rules make passwords stronger | A random 16-char lowercase password beats an 8-char "complex" one |
| Changing passwords regularly improves security | NIST now recommends against forced rotation — it leads to weaker passwords |
| l33t speak is clever (p@ssw0rd) | Cracking tools substitute these automatically — it adds almost nothing |
| Longer words with spaces are weak | A 4-word passphrase like correct-horse-battery-staple is extremely strong |
Password Length Guide
| Use Case | Recommended Length | Notes |
|---|---|---|
| General accounts | 16+ characters | Random, stored in password manager |
| High-value accounts (banking, email) | 20+ characters | Unique per site, never reused |
| Master password / password manager | 20+ characters | Memorable passphrase works well here |
| API keys / tokens | 32+ characters | Use a generator, never hand-craft |
| Encryption keys | Use proper key derivation | Not a password — use bcrypt/Argon2 |
How the Password Generator Works
The Password Generator uses the browser's crypto.getRandomValues() API — the same cryptographically secure random source used for encryption. This is fundamentally different from Math.random(), which is not cryptographically secure and should never be used to generate passwords or tokens.
You can configure:
- Length — from short PINs to 64-character keys
- Character sets — uppercase, lowercase, digits, symbols
- Exclude ambiguous characters — avoid 0/O and l/1/I confusion when typing manually
- Bulk generation — generate multiple passwords at once
Checking Password Strength
The Password Strength Checker analyses passwords against real-world cracking criteria — not just the checkbox rules ("has uppercase? has number?") that most sites use. It estimates crack time based on entropy and common pattern detection.
A password that passes every complexity checkbox but follows a common pattern (keyboard walks like qwerty123!, dates, names) will score poorly — as it should.
The One Rule That Matters Most: Never Reuse
The single biggest risk isn't a weak password on one site — it's using the same password across multiple sites. When any one of those sites gets breached (and they do, constantly), attackers automatically try your credentials on every other major service. This is called credential stuffing, and it's devastatingly effective.
A password manager solves this completely. It generates and stores a unique, random password for every site. You remember one strong master password; the manager handles everything else.
Passphrases: A Strong Alternative
For passwords you need to type manually — your computer login, your password manager master password — a passphrase is often the best approach. Four or more random words strung together:
timber-falcon-notebook-seven
This is 28 characters, easy to type, and has enormous entropy because the words are chosen randomly. The key word is randomly — "I love my cat fluffy" is not a passphrase; it's a sentence an attacker would try.
For Developers: Generating Secure Tokens
When generating API keys, session tokens, or reset links in code, use a cryptographically secure source:
```javascript
// Node.js — cryptographically secure random token
import { randomBytes } from 'crypto';
const token = randomBytes(32).toString('hex');
// 64-character hex string, 256 bits of entropy
```

```python
# Python — cryptographically secure random token
import secrets
token = secrets.token_hex(32)  # 64-char hex, 256 bits
```
Never use Math.random() or random.random() for security-sensitive values. They're not cryptographically secure and can be predicted given enough samples.