Introduction: Why Passwords Still Matter
Since the earliest days of time-sharing computer systems in the 1960s, passwords have been the primary gatekeeper between users and their data. Fernando Corbató, the MIT researcher who pioneered the Compatible Time-Sharing System (CTSS), introduced passwords in 1961 — not as a security measure, but simply to give each user private file space. More than six decades later, passwords remain the most widespread authentication mechanism on the internet, protecting everything from email accounts to banking systems.
Yet the average person reuses passwords across dozens of sites, chooses predictable patterns like Summer2024!, and has little intuition for what makes a password truly unguessable. This article takes a deep technical dive into password security: how entropy is calculated, why randomness matters, what the latest guidelines say, and how to build habits that actually protect you.
Understanding Entropy: The Mathematics of Unpredictability
Entropy in information theory measures unpredictability. For passwords, it answers the question: how many guesses would an attacker need, on average, to crack this password?
The formula is:
H = L × log₂(N)
Where:
- H = entropy in bits
- L = password length (number of characters)
- N = size of the character set (pool of possible characters)
Character Set Sizes
| Character Set | Size (N) | Bits per Character |
|---|---|---|
| Lowercase letters only | 26 | 4.7 bits |
| Lowercase + uppercase | 52 | 5.7 bits |
| Alphanumeric | 62 | 5.95 bits |
| Full printable ASCII | 94 | 6.55 bits |
| Extended ASCII / Unicode | 128+ | 7+ bits |
Entropy Examples
| Password | L | N | Entropy (H) |
|---|---|---|---|
password |
8 | 26 | 37.6 bits |
P@ssw0rd |
8 | 94 | 52.4 bits |
k9$mQzLw |
8 | 94 | 52.4 bits |
xK#7pL!qR2@v |
12 | 94 | 78.6 bits |
correct horse battery staple |
28 | 26 | 131.9 bits |
A password with 128+ bits of entropy is considered computationally infeasible to brute-force with current technology. For context, 256-bit AES encryption — considered unbreakable — corresponds to a key space of 2²⁵⁶ combinations.
CSPRNG vs Math.random(): Why Source of Randomness Matters
Not all random numbers are equal. The difference between a secure password generator and an insecure one often comes down to the source of randomness.
Math.random() — Not Suitable for Security
JavaScript's built-in Math.random() is a Pseudo-Random Number Generator (PRNG). It is fast and statistically uniform, but it is not cryptographically secure. Its internal state can be inferred from its output, meaning an attacker who observes enough values could predict future ones.
// ❌ Insecure — do NOT use for password generation
function insecurePassword(length) {
const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
return Array.from({ length }, () => chars[Math.floor(Math.random() * chars.length)]).join('');
}
crypto.getRandomValues() — The Right Tool
The Web Cryptography API provides crypto.getRandomValues(), which draws entropy from the operating system's Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). On Linux this is /dev/urandom; on Windows it is CryptGenRandom. These sources gather entropy from hardware events (keystrokes, disk I/O, network timing) and are considered cryptographically strong.
// ✅ Secure — uses CSPRNG
function generatePassword(length, charset) {
const array = new Uint32Array(length);
crypto.getRandomValues(array);
return Array.from(array, (val) => charset[val % charset.length]).join('');
}
const charset =
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+-=[]{}|;:,.<>?';
console.log(generatePassword(16, charset));
// Example output: "aK7!xQz2#Lp9@Wm5"
Note on modulo bias: The example above has a slight modulo bias when
charset.lengthdoesn't evenly divide 2³². For production code, use rejection sampling to eliminate this bias entirely.
Character Sets and Complexity
Most password generators offer toggles for:
- Lowercase letters (a–z): 26 characters
- Uppercase letters (A–Z): 26 characters
- Digits (0–9): 10 characters
- Symbols (!@#$%^&*…): ~32 characters
Combining all four gives a pool of 94 printable ASCII characters. Each additional character in your password multiplies the search space by 94. A 12-character password from 94 characters has 94¹² ≈ 4.76 × 10²³ combinations — an astronomical number even for specialized hardware.
Why Length Trumps Complexity
Many legacy systems required "at least one uppercase, one digit, one symbol" but allowed 8-character passwords. An 8-character password from 94 characters has just 94⁸ ≈ 6 × 10¹⁵ combinations — crackable with a modern GPU cluster in hours. Extending to 16 characters of pure lowercase (26¹⁶ ≈ 4.4 × 10²²) actually provides more entropy than an 8-character complex password.
NIST SP 800-63B: Modern Password Guidelines
The US National Institute of Standards and Technology's NIST Special Publication 800-63B (Digital Identity Guidelines, 2017, updated 2024) overturned many widely-held assumptions about passwords:
What NIST Now Recommends
- Minimum length of 8 characters for user-chosen passwords; 15 characters for machine-generated passwords.
- Favor length over complexity — mandatory complexity rules (uppercase + digit + symbol) do not meaningfully increase security and frustrate users.
- Check passwords against breach lists — reject passwords found in known data breaches (e.g., via the HaveIBeenPwned API).
- No periodic forced rotation unless there's evidence of compromise — forced rotation leads to predictable patterns like
Summer2024→Autumn2024. - No composition rules — do not require specific character types; instead, allow all printable characters including spaces.
- Rate-limit and lock out authentication attempts to prevent online attacks.
These guidelines reflect the reality that human behavior under complexity constraints is predictable: people append ! to meet symbol requirements, capitalize only the first letter, and use years that are easy to remember.
Password Managers: The Practical Solution
The biggest security improvement most people can make is adopting a password manager. A password manager:
- Generates strong, unique passwords for every account
- Stores them in an encrypted vault (typically AES-256)
- Auto-fills credentials in browsers and apps
- Alerts you to reused or breached passwords
Popular Password Managers
| Tool | Type | Notable Feature |
|---|---|---|
| Bitwarden | Open-source, cloud/self-host | Free tier, audited |
| 1Password | Commercial, cloud | Travel mode, family plans |
| KeePass | Open-source, local | Full offline, plugin ecosystem |
| KeePassXC | Open-source, local | Cross-platform KeePass fork |
| Dashlane | Commercial, cloud | Dark web monitoring |
The master password for your password manager should be a long, memorable passphrase — the one password you do memorize.
Passphrases and the Diceware Method
For passwords you need to remember (like your password manager's master password), passphrases are far superior to complex short strings.
How Diceware Works
The Diceware method, created by Arnold Reinhold in 1995, uses physical dice to generate truly random word selections:
- Obtain the EFF Large Wordlist (7,776 words, indexed 11111–66666 in base-6)
- Roll 5 dice to get a 5-digit number (e.g., 2-4-1-3-6 → 24136)
- Look up the corresponding word (e.g., "clump")
- Repeat 6–8 times to build a passphrase
A 6-word Diceware passphrase drawn from 7,776 words has:
H = 6 × log₂(7776) = 6 × 12.93 ≈ 77.6 bits
"correct horse battery staple" (popularized by XKCD #936) contains 4 words from a ~2,000-word common vocabulary, giving ~44 bits of entropy — illustrative but too short. Six or more words from the full Diceware list is the practical recommendation.
Common Password Attacks
Understanding attacks helps you calibrate defenses.
Dictionary Attacks
Attackers use wordlists — ranging from millions to billions of entries — combined with rule-based mutations (capitalizing first letters, appending numbers, substituting @ for a). Tools like Hashcat can apply thousands of mutation rules per second. Any password derivable from a dictionary word with simple substitutions is vulnerable.
Brute-Force Attacks
Pure brute force tries every combination. With a dedicated GPU rig (8× RTX 4090), cracking speeds for common hashing algorithms are:
| Hash Algorithm | Speed (H/s) | Time to crack 8-char (94-char set) |
|---|---|---|
| MD5 | ~200 GH/s | ~8 hours |
| SHA-1 | ~70 GH/s | ~24 hours |
| bcrypt (cost 10) | ~184 kH/s | ~1,100 years |
| Argon2id | ~1 kH/s | ~200,000 years |
This table illustrates why proper password hashing on the server side matters enormously — but also why a 16-character random password resists even MD5 hashing.
Rainbow Tables
Pre-computed hash-to-password tables that trade storage for speed. Defeated entirely by salting — adding a unique random value to each password before hashing. Modern algorithms like bcrypt and Argon2 include salting by design.
Credential Stuffing
Using username/password pairs leaked from one breach to attack other services. The defense is unique passwords per site — which is where password managers shine.
Why Browser-Based Password Generation Is Safer
Our tool generates passwords entirely in your browser using JavaScript. No data ever leaves your device. Here's why that matters:
- No server transmission — the password never touches a network packet.
- No server logs — there is nothing to subpoena, leak, or breach.
- No third-party dependencies at generation time — no API calls, no external scripts during generation.
- Reproducible — you can inspect the source code to verify the logic.
Compare this to server-side generators: even with HTTPS, the generated password exists in server memory, could appear in access logs, and relies entirely on the operator's trustworthiness.
The relevant Web API is straightforward:
// The browser's CSPRNG — available in all modern browsers
const buffer = new Uint8Array(32);
self.crypto.getRandomValues(buffer);
// buffer now contains 32 cryptographically random bytes
Password Storage: bcrypt, scrypt, and Argon2
When services store passwords, they should never store plaintext or reversible encrypted forms. The correct approach is a password hashing function (PHF) — a slow, one-way function designed specifically for this purpose.
bcrypt
Designed in 1999 by Niels Provos and David Mazières, bcrypt incorporates a cost factor (work factor) that can be increased as hardware gets faster. A cost of 12 means 2¹² = 4,096 iterations of the Blowfish key setup. Standard today; widely supported.
scrypt
Designed by Colin Percival in 2009. Memory-hard — requires large amounts of RAM in addition to CPU time, making GPU/ASIC attacks expensive. Parameters: N (CPU/memory cost), r (block size), p (parallelization).
Argon2
Winner of the Password Hashing Competition (PHC) in 2015. Three variants:
- Argon2d: GPU-resistant, vulnerable to side-channel attacks
- Argon2i: Side-channel resistant, less GPU-resistant
- Argon2id: Hybrid — the recommended default
Argon2id with m=65536 (64 MB memory), t=3 (3 iterations), p=4 (4 threads) is the current gold standard for new applications.
Two-Factor Authentication: The Essential Complement
Even a perfect password can be stolen via phishing, keyloggers, or data breaches. Two-factor authentication (2FA) ensures that a stolen password alone is not enough.
2FA Methods (Weakest to Strongest)
| Method | Mechanism | Attack Resistance |
|---|---|---|
| SMS OTP | Code sent via text | Phishable, SIM-swappable |
| TOTP (Google Authenticator) | Time-based 6-digit code (RFC 6238) | Phishable in real-time |
| Push notification | Approve/deny on phone | Phishable (MFA fatigue) |
| Hardware key (FIDO2/WebAuthn) | YubiKey, Passkey | Phishing-resistant |
| Passkeys | Device-bound cryptographic key | Strongest; replaces passwords |
FIDO2/WebAuthn hardware keys and passkeys are phishing-resistant by design because the cryptographic challenge-response is bound to the exact domain. A fake site cannot replay the credential.
Best Practices Summary
- Use a password manager — generate and store unique passwords for every account.
- Minimum 16 characters for sensitive accounts; 12 minimum everywhere else.
- Enable 2FA — preferably FIDO2/WebAuthn or TOTP; avoid SMS where possible.
- Never reuse passwords — a breach on one site should not compromise others.
- Check HaveIBeenPwned — verify your email addresses and passwords haven't appeared in known breaches.
- Use a passphrase for your master password — 6+ Diceware words, memorable, extremely strong.
- Distrust complexity theater —
P@ssw0rd123is far weaker thanxK8mLq2vZnRj. - Prioritize length — 20 random lowercase letters (94 bits) beats 12 complex characters (78 bits).
- Update breached passwords immediately — rotate only when compromised, not on arbitrary schedules.
- Use breach-check tools — services like Firefox Monitor or 1Password Watchtower monitor your accounts continuously.
Frequently Asked Questions
Q: How long should my password be? For most accounts, 16 random characters from a full 94-character set gives ~105 bits of entropy — more than sufficient. For high-value accounts (banking, email, password manager), use 20+ characters or a 6-word passphrase.
Q: Is it safe to use an online password generator? Only if all generation happens client-side (in your browser) with no server communication. Our tool meets this requirement. Verify by checking the browser's network tab — no requests should fire when you generate a password.
Q: Should I include symbols? Symbols increase entropy per character (6.55 bits vs 5.17 bits for lowercase only), so yes — if the site allows them. However, some sites restrict certain symbols. A longer password without symbols can match the entropy of a shorter one with symbols.
Q: Can quantum computers crack my password? Grover's algorithm gives quantum computers a quadratic speedup for brute-force attacks, effectively halving the security bits. A 256-bit key becomes ~128-bit secure. For passwords, this means 256-bit entropy passwords would be needed for long-term quantum resistance — achievable with a 40-character password from 94 characters (262 bits). For most current threats, 128-bit entropy (20 random characters) is more than sufficient.
Q: What's wrong with memorable passwords like ILovePizza2024?
They are dictionary-attackable. Hashcat's rule engine trivially generates millions of variations of common phrases with leetspeak, capitalization, and appended numbers. Even seemingly personal passwords follow patterns that attackers model statistically.
Q: How does this tool generate randomness?
We use crypto.getRandomValues() — the Web Cryptography API backed by your operating system's CSPRNG. This is the same source of randomness used by TLS/SSL, SSH key generation, and other cryptographic operations in your browser.