"P@ssw0rd!" satisfies almost every complexity rule ever written and cracks in under a second. "grape stapler morning violin" satisfies none of them and would take centuries. That gap is the whole story of modern password advice: what matters is how unpredictable a password is, not how many rules it ticks. This guide puts numbers on that idea so you can judge any password - or password policy - yourself.
Length Beats Complexity: Entropy in Plain Words
Password strength is measured in entropy - roughly, how many guesses an attacker needs. Each character drawn randomly from a pool of 94 printable characters adds about 6.6 bits; each added bit doubles the guessing work. That is why length wins: going from 8 to 16 characters does not double the strength, it multiplies it by roughly 6 quadrillion.
Here is what that means against a serious offline cracking rig making around 100 billion guesses per second (a realistic figure for a multi-GPU setup attacking a stolen password database):
| Random password | Entropy | Time to crack (100 billion guesses/sec) |
|---|---|---|
| 8 chars, letters only | ~38 bits | Under 2 seconds |
| 8 chars, all types | ~52 bits | About 18 hours |
| 12 chars, all types | ~78 bits | Roughly 150,000 years |
| 16 chars, all types | ~105 bits | About 12 trillion years |
The fine print: these numbers assume the password is truly random. A human-invented 16-character password like "JohnLovesSarah2019!" is attacked with dictionaries and patterns, not brute force, and can fall in minutes regardless of length.
Two Password Myths That Refuse to Die
Myth 1: Forced symbol-and-number rules make passwords strong
Composition rules were meant to enlarge the guessing space, but humans satisfy them in utterly predictable ways: capitalize the first letter, append "1!" at the end, swap a for @. Cracking tools have had these substitution patterns built in for two decades - "Tr0ub4dor&3" is barely harder to crack than "troubadour". Current NIST guidance tells sites to drop composition rules entirely and allow long passwords instead.
Myth 2: You should rotate passwords every 60 or 90 days
Scheduled rotation trains people to use "Winter2025", then "Spring2026" - transformations attackers try first. Both NIST and the UK's NCSC now advise against expiry on a timer. Rotate when there is an actual trigger: a breach notification, a shared password, or a suspicious login alert.
Need a Password Right Now?
Generate a truly random 8-64 character password in your browser - nothing is ever sent to a server
Open the Password Generator →Why Our Generator Uses crypto.getRandomValues, Not Math.random
Not all "random" is equal. JavaScript's Math.random() is a pseudo-random generator designed for animations and games - it is fast, but its output is predictable: researchers have reconstructed its internal state from a handful of observed values and predicted everything it produces next. A password built on it can, in principle, be reproduced by an attacker.
Our Password Generator instead uses crypto.getRandomValues(), the browser's cryptographically secure random source, which draws from operating-system entropy - the same mechanism used to generate encryption keys. It also avoids the subtle modulo-bias bug that makes some characters slightly more likely in naive generators, and shows you an entropy-based strength meter so you see the actual bits, not a vague color bar. Everything runs client-side: the password exists only on your screen.
The Passphrase Alternative (For Passwords You Must Type)
Random character strings are ideal for anything a password manager fills in for you. But for the handful of secrets you type by hand - your computer login, your password manager's master password, your WiFi - a random passphrase is the better trade: "maple-trumpet-orbit-glacier-noon" is far easier to type on a phone keyboard than "x9$Kp#mQ2v", yet five random words carry about 64 bits of entropy. The one rule: let dice or a generator pick the words. Phrases you compose yourself follow grammar and sentiment, and crackers exploit both.
One Password Per Site - Which Means a Manager
The most common real-world break-in is not brute force at all - it is credential stuffing: a password leaks from one breached site and is replayed against your email, bank, and shopping accounts. The only defense is a different password everywhere, and nobody memorizes 150 random strings. Use a password manager (the built-in managers in iOS, Android, and modern browsers are fine; dedicated apps like Bitwarden or 1Password add cross-device syncing and breach alerts). Then protect the manager itself with a strong passphrase and two-factor authentication.
Sharing a WiFi password with guests? Skip the typing entirely - encode it in a scannable code with our WiFi QR code guide.
Frequently Asked Questions
Is a 12-character password enough in 2026?▼
For most accounts, yes - a random 12-character password from a full 94-character set has about 78 bits of entropy, which is far beyond what offline cracking rigs can brute-force. The catch is the word "random": Summer2026!! is 12 characters but falls to a dictionary attack in seconds. If a generator produced it, 12 is fine; 16 adds a comfortable margin for high-value accounts like email and banking.
Should I change my passwords every 90 days?▼
No, not on a schedule. NIST guidance (SP 800-63B) explicitly recommends against forced periodic rotation because it pushes people toward predictable patterns like Password1, Password2. Change a password when there is a reason: the service was breached, you shared it, or you typed it on a device you do not trust.
Are passphrases like "correct horse battery staple" still secure?▼
Yes, if the words are chosen randomly. Four words picked at random from a large wordlist (such as the EFF list of 7,776 words) give about 51 bits of entropy; five words give about 64 bits, and six about 77 - comparable to a random 12-character password. A phrase you invented yourself ("ilovepizza123") is not random and does not count.
Is it safe to generate a password in my browser?▼
It is safe when the generation happens locally. Our password generator runs entirely client-side using the Web Crypto API - the password is created on your device, is never transmitted anywhere, and we could not see it even if we wanted to. You can load the page, go offline, and still generate passwords.
What matters more: a strong password or two-factor authentication?▼
They protect against different attacks, so use both. A strong unique password protects you when a site’s password database leaks; two-factor authentication protects you when the password itself is phished or guessed. For email, banking, and anything that can reset other accounts, enable 2FA on top of a generated password.
Generate a Password That Would Take Trillions of Years to Crack
Cryptographically secure, 8-64 characters, with a real entropy meter - free and entirely in your browser.
Generate a Strong Password →