A complete guide to generating genuinely secure passwords — covering the science of randomness, what makes passwords weak, how to choose the right length and character set, and the tools to use.
Before generating a secure password, it helps to understand why most passwords fail. Security researchers analysing breach databases consistently find the same patterns:
The common thread: human-generated passwords are not random. A genuine random generator with sufficient entropy eliminates all of these weaknesses at once.
Length is the single most impactful parameter for password security. Each additional character multiplies the keyspace by the number of possible characters at that position.
For the full 94-character printable ASCII set (log2 94 ≈ 6.55 bits per character): 12 characters → 78.7 bits, 16 characters → 104.9 bits, 20 characters → 131.1 bits. These figures hold only when every character is drawn uniformly at random from the whole set; a password assembled from words, dates or keyboard patterns has far less entropy than its length suggests. 80 bits is the commonly cited threshold for 'computationally secure' against offline brute force on current hardware, and 100+ bits is out of reach of any foreseeable technology.
Recommendation: Use 16 characters minimum for all accounts. Use 20+ for email accounts (the master key to all other accounts), your password manager's master password, and banking credentials.
Enabling more character types expands the pool of possible characters, increasing entropy per character: each character contributes log2(pool size) bits, so digits alone give about 3.3 bits, lowercase letters 4.7, letters and digits 5.95, and the full 94-character set 6.55.
If a website limits you to a small character set (numbers only, or no symbols), compensate by increasing length: reaching 80 bits takes 13 characters from the full set, 18 from lowercase letters alone, and 25 from digits alone.
Never create passwords manually: the human brain cannot generate true randomness. Use a generator that calls crypto.getRandomValues(), the browser's Web Crypto API, instead.
This API fills a typed array from a cryptographically strong random generator that the browser seeds from the operating system's CSPRNG (for example getrandom() or /dev/urandom on Linux), which the kernel in turn feeds from unpredictable hardware events such as keyboard and mouse interrupt timing, CPU timing jitter, disk I/O timing and, where available, a hardware random number generator. The same source is used by TLS, SSH, and full-disk encryption. Math.random() is not an acceptable substitute: it is designed for speed, not secrecy, and its output is predictable. One further pitfall is how the random bytes are mapped onto the character set: reducing a byte with `byte % poolSize` is biased whenever 256 is not a multiple of the pool size (for a 94-character pool the first 68 characters come up 1.5 times as often as the rest), so a correct generator discards out-of-range bytes rather than wrapping them.
After generating, check your password against breach patterns using the Breach Pattern Checker, which analyses 15+ common breach patterns locally without sending any data to a server. A uniformly random output will not match those patterns; the check is most useful for passwords you chose yourself and are still using.
Store generated passwords in a reputable password manager — never in a plaintext file, browser autofill without a master password, or a spreadsheet. Enable two-factor authentication on your password manager account for an additional layer of protection.