Generating Secure Passwords: Entropy, Length and Myths
Most password advice is a tangle of half-truths: add a symbol, swap an a for an
@, change it every month. Some of it helps, a lot of it does not, and a few rules
actively make passwords weaker. One idea cuts through all of it, and that idea is entropy.
Once you understand it, choosing a strong password becomes simple.
Strength means unpredictability
A password is strong when it is hard to guess, and “hard to guess” has a precise meaning: how many possibilities an attacker would have to try. That number is captured by entropy, measured in bits. Each extra bit doubles the number of guesses required. A password with 40 bits of entropy takes a trillion guesses on average; one with 70 bits is effectively out of reach for brute force. The whole game is maximising entropy.
Where entropy comes from
Two things drive entropy: how many characters you choose from, and how many characters long the password is. Crucially, length is the more powerful lever. Adding one character multiplies the search space by the size of your alphabet, so a longer password gains strength much faster than a short one sprinkled with symbols.
A 16-character random password is dramatically stronger than an 8-character one, even if the short one uses every symbol on the keyboard. Length is the cheapest strength you can buy.
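To make the length-versus-alphabet comparison concrete, here is an added example (not code from the original article) that computes entropy as length × log2(alphabet size) for a few password shapes. The alphabet sizes are assumptions chosen for illustration: 26 lowercase letters, 94 printable ASCII characters, and a 7776-word Diceware-style list. The formula only holds when every character or word is chosen uniformly at random; a human-picked string of the same length has far less entropy than it reports.

```python
import math


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password whose every symbol is picked uniformly at
    random from an alphabet of `alphabet_size` symbols: length * log2(alphabet).
    Only valid for genuinely random choice, never for a human-invented string."""
    if length <= 0 or alphabet_size < 2:
        raise ValueError("need at least one symbol from an alphabet of size >= 2")
    return length * math.log2(alphabet_size)


def search_space(bits: float) -> float:
    """Number of candidates needed to exhaust the space: 2^bits."""
    return 2.0 ** bits


def average_guesses(bits: float) -> float:
    """Expected guesses before hitting a random password: half the search space."""
    return search_space(bits) / 2


def compare(profiles):
    """Return (name, bits) pairs sorted from weakest to strongest."""
    rows = [(name, entropy_bits(length, size)) for name, length, size in profiles]
    return sorted(rows, key=lambda row: row[1])


# Constructed profiles: (label, length in symbols, alphabet size).
PROFILES = [
    ("8 chars, full keyboard (94)", 8, 94),
    ("16 chars, lowercase only (26)", 16, 26),
    ("16 chars, full keyboard (94)", 16, 94),
    ("4 random words (7776-word list)", 4, 7776),
    ("6 random words (7776-word list)", 6, 7776),
]

if __name__ == "__main__":
    for name, bits in compare(PROFILES):
        print(f"{name:34} {bits:6.1f} bits  ~{average_guesses(bits):.2e} guesses on average")
```

Running it shows 16 lowercase letters (about 75 bits) beating 8 characters drawn from the whole keyboard (about 52 bits), which is the point of the paragraph above: each added character multiplies the space by the alphabet size, while a bigger alphabet only nudges the per-character factor.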
The myths worth dropping
- “Complexity rules make passwords strong.” They help only if they add real randomness. In practice, forcing a capital and a digit pushes people to predictable patterns like Password1!, which attackers try first.
- “Character substitution fools crackers.” Swapping o for 0 or a for @ is in every cracking dictionary. It adds almost no entropy.
- “Change your password every 30 days.” Frequent forced changes lead to weaker, incremental passwords (Spring2026 → Summer2026). Modern guidance is to change a password only when there is a reason to, such as a breach.
What actually works
There are two reliable approaches, and both rely on randomness rather than cleverness:
- A long random string. Let a generator pick 16 or more characters at random from a large alphabet. You will not memorise it, and you do not need to. That is what a password manager is for.
- A random passphrase. Four or more randomly chosen words strung together are easy to type and remember while carrying plenty of entropy. The key word is random: a famous quote has almost none.
Generate, do not invent
Humans are bad random number generators. We lean on names, dates and keyboard patterns without realising. A password generator removes that bias by drawing from a cryptographically secure random source. A good one runs entirely in your browser, so the password it produces is never sent anywhere. Generate it, drop it straight into a password manager, and never reuse it on another site.
For non-login secrets such as API keys, signing secrets and tokens, you want the same randomness but often a specific length or format. A secret key generator or a random hex generator is built for exactly that.
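The two approaches above, plus the hex secret for non-login keys, as an added example in Python (not the article's generator). Everything is drawn from the operating system's cryptographically secure source via the `secrets` module; the word list is a constructed 16-word stand-in, which gives only 4 bits per word, so a real passphrase generator should use a published list of several thousand words.

```python
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation (no space).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list. With 16 entries each word adds only
# log2(16) = 4 bits; use a real list (the EFF long list has 7776 words) in practice.
TINY_WORDLIST = [
    "amber", "basket", "cactus", "delta", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Pick each character independently with secrets.choice, which is unbiased
    and backed by the OS CSPRNG. The `random` module is not suitable for secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=TINY_WORDLIST, sep: str = "-") -> str:
    """Join `words` independently chosen entries; entropy is words * log2(len(wordlist))."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def random_hex_secret(nbytes: int = 32) -> str:
    """Hex-encoded secret for API keys or signing secrets: nbytes * 8 bits of entropy,
    rendered as 2 * nbytes hex characters."""
    return secrets.token_hex(nbytes)


def random_urlsafe_token(nbytes: int = 32) -> str:
    """Same entropy as random_hex_secret but base64url-encoded, handy for tokens in URLs."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("password   :", random_password())
    print("passphrase :", random_passphrase())
    print("hex secret :", random_hex_secret())
    print("url token  :", random_urlsafe_token())
```

Nothing here is printed to a server or stored; the output is meant to go straight into a password manager, as the paragraph above says.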
How sites should store them
Strength on your side only helps if the service stores passwords properly on theirs. A responsible site never keeps your raw password; it stores a slow, salted hash. If you are curious why a fast hash like MD5 is the wrong tool for this, see our guide on hashing vs encryption vs encoding.
Frequently asked questions
What makes a password strong?
Unpredictability, measured as entropy. That comes mainly from length and from each character being chosen at random. A long, randomly generated password is far stronger than a short one padded with symbols in a predictable pattern.
Is a longer password better than a complex one?
Usually yes. Each extra character multiplies the number of possibilities, so length adds strength quickly. Complexity rules help only when they increase real randomness, not when they push people toward predictable tricks like Password1.
How long should a password be?
For an important account, aim for at least 16 random characters, or a passphrase of four or more random words. More is better, and a password manager removes the need to remember any of them.
Are random passwords from a generator safe to use?
Yes, provided the generator uses a cryptographically secure random source and runs in your browser without sending the value anywhere. Save the result in a password manager rather than reusing it across sites.