Serious tools · EN

What actually makes a password strong

July 8, 2026·Stephan·±5 min read

Every password rule you've been forced to follow — one capital, one digit, one "special character" — optimises for the wrong thing. Attackers don't guess passwords the way forms validate them. What protects you is entropy: how many equally likely possibilities an attacker has to try. And entropy comes overwhelmingly from one place: length combined with true randomness.

How do passwords actually get cracked?

Mostly not by "guessing" at a login form. The realistic threats are:

  • Reuse. A site you used in 2019 gets breached; the email+password combo is tried everywhere else ("credential stuffing"). This is the #1 practical risk and no amount of cleverness fixes it — only uniqueness does.
  • Offline cracking. A breached database of password hashes is attacked with billions of guesses per second, starting with dictionaries, common patterns, and every previously leaked password.
  • Phishing. You type the real password into a fake page. Strength is irrelevant; only passkeys or hardware keys fully solve this.

Why "Tr0ub4dor&3" is weak and four random words are strong

The famous XKCD 936 comparison holds up. "Tr0ub4dor&3" is a dictionary word with predictable substitutions — cracking tools try exactly those mutations first. Its real-world entropy is roughly 28 bits. Four words picked truly at random from a 7,776-word list (correct horse battery staple style) give 4 × 12.9 ≈ 51.7 bits — about eight million times more work for the attacker, while being easier to remember.

The catch: the words must come from a random generator. Humans picking "random" words pick their dog, their street and their football club.

How long is long enough?

PasswordEntropyVerdict
8 chars, human-made< 30 bitsfalls in minutes offline
12 random chars (letters+digits+symbols)≈ 78 bitsfine
16 random chars≈ 104 bitsfine for decades
4 random diceware words≈ 52 bitsgood for things you must type
6 random diceware words≈ 78 bitsexcellent master password

The actual best practice, in three lines

  1. Use a password manager; let it generate a unique 16+ character random password per site.
  2. Protect the manager itself with a long random passphrase and two-factor authentication.
  3. Where a site offers passkeys, use them — they can't be phished, reused or leaked in a usable form.

What about the steefware Password Generator?

The Password Generator creates random passwords using your browser's cryptographic random number generator (crypto.getRandomValues), entirely on your device. Nothing is sent to any server — there is no server. It's a handy escape hatch when you need a strong secret on a machine without your password manager.

Password Generator

Open the tool →

Strong random passwords, generated locally in your browser.