
100% private. All password generation and analysis runs locally in your browser. Passwords are never transmitted, stored, or logged.

Security & Privacy Tool

Password Generator & Password Strength Checker

Generate secure passwords instantly and check password strength with real-time entropy analysis. Test brute-force resistance and improve account security — entirely within your browser.

Requirements checklist

Uppercase letter (A–Z)
Lowercase letter (a–z)
Number (0–9)
Special character (!@#$)
Minimum 12 characters
Recommended 16+ characters


What is a strong password?

A strong password is long, random, and combines multiple character types — uppercase letters, lowercase letters, numbers, and symbols. Length is the single most important factor: each additional character multiplies the number of possible combinations exponentially, making automated attacks impractical regardless of computing power. A 20-character random string is vastly stronger than any memorable phrase, regardless of how "complex" it appears.

How password strength is calculated

This tool measures strength using Shannon entropy, a mathematical measure of information unpredictability. Entropy is calculated as E = length × log₂(pool size), where pool size is the total number of unique characters available. The formula assumes every character is chosen independently and uniformly at random, so it describes generated passwords accurately and overstates the strength of human-chosen ones. The result is expressed in bits: higher bits mean exponentially more guesses required. Security researchers generally consider 70+ bits sufficient for most uses, and 100+ bits as resistant to foreseeable hardware advances.

What is password entropy?

Entropy quantifies how unpredictable a password is. A password with 40 bits of entropy has roughly 2⁴⁰ (~1 trillion) possible values. At 10 billion guesses per second (a realistic figure for modern GPU cracking rigs), an attacker would exhaust half of those combinations in under 2 minutes. At 80 bits of entropy, the same hardware would require thousands of years. Increasing password length from 10 to 20 characters typically doubles the entropy in bits, which squares the number of possible combinations, making length improvements far more efficient than adding complexity alone.

Brute-force attacks explained

A brute-force attack systematically tries every possible password combination until the correct one is found. Modern attackers use specialized GPU hardware capable of testing billions of guesses per second against offline password hashes. Dictionary attacks are a faster variant: they first try millions of known passwords, common words, and leaked credentials before attempting random combinations. This is why using unique, randomly generated passwords — rather than memorable phrases — is critical. A password that appears in any known data breach is effectively compromised regardless of complexity.

Common password mistakes

Reusing passwords

If one site is breached, all accounts using that password are immediately at risk.

Using personal information

Names, birthdays, and pet names are the first things attackers try.

Simple substitutions

P@ssw0rd is no safer than Password — attackers account for common letter swaps.

Short passwords

Any password under 10 characters can typically be cracked in seconds with modern hardware.

Password security best practices

Use a unique password for every account — never reuse passwords across sites.

Enable two-factor authentication (2FA) wherever it is supported.

Avoid personal information like names, birthdays, or dictionary words.

Store credentials in a password manager rather than writing them down.

Password managers explained

A password manager is software that generates, stores, and autofills strong, unique passwords for every account you use — encrypted locally with a single master password only you know. Instead of memorizing dozens of credentials, you remember one strong passphrase and the manager handles the rest. Popular options include Bitwarden (open source), 1Password, and Dashlane.

Multi-factor authentication (MFA)

MFA requires a second verification step beyond your password — such as a time-based one-time code from an authenticator app, a hardware security key, or a biometric scan. Even if an attacker obtains your password through a breach or phishing attack, MFA prevents them from accessing your account without the second factor. Enable MFA on every account that supports it, prioritizing email, banking, and cloud storage.

Complete browser-local isolation

Many password tools transmit strings over server relays or run background telemetry that tracks clipboard events. This tool relies entirely on the client-side Web Crypto API (window.crypto.getRandomValues). Generated passwords are never sent to remote endpoints and stay inside your running browser instance. You can confirm this by watching the Network tab of your browser's developer tools while generating a password.
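The entropy formula and crack-time estimate from the sections above, combined with generation through crypto.getRandomValues, as an added example (not this tool's own source code). The character pools, the function names and the rejection-sampling step that avoids modulo bias are assumptions of the example.

```javascript
// Added example; names and pools are illustrative, not this tool's source.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Assumed character classes; the symbol set is a constructed sample.
const POOLS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.<>?",
};

// Uniform index in [0, n) for n <= 256. Bytes at or above the largest
// multiple of n are rejected, because `byte % n` alone would favour low indexes.
function uniformIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, classes = Object.keys(POOLS)) {
  const pool = classes.map((c) => POOLS[c]).join("");
  let out = "";
  for (let i = 0; i < length; i++) out += pool[uniformIndex(pool.length)];
  return { password: out, poolSize: pool.length };
}

// E = length * log2(pool size); holds only for uniformly random characters.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Seconds to search half the keyspace, at the page's 10 billion guesses/s.
function averageCrackSeconds(bits, guessesPerSecond = 1e10) {
  return Math.pow(2, bits - 1) / guessesPerSecond;
}

const { password, poolSize } = generatePassword(16);
const bits = entropyBits(password.length, poolSize);
console.log(password);
console.log(`${poolSize} symbols, ${bits.toFixed(1)} bits, ` +
  `${averageCrackSeconds(bits).toExponential(2)} s to search half the keyspace`);
```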

Frequently Asked Questions