Serious tools · EN
What actually makes a password strong
Every password rule you've been forced to follow — one capital, one digit, one "special character" — optimises for the wrong thing. Attackers don't guess passwords the way forms validate them. What protects you is entropy: how many equally likely possibilities an attacker has to try. And entropy comes overwhelmingly from one place: length combined with true randomness.
How do passwords actually get cracked?
Mostly not by "guessing" at a login form. The realistic threats are:
- Reuse. A site you used in 2019 gets breached; the email+password combo is tried everywhere else ("credential stuffing"). This is the #1 practical risk and no amount of cleverness fixes it — only uniqueness does.
- Offline cracking. A breached database of password hashes is attacked with billions of guesses per second, starting with dictionaries, common patterns, and every previously leaked password.
- Phishing. You type the real password into a fake page. Strength is irrelevant; only passkeys or hardware keys fully solve this.
Why "Tr0ub4dor&3" is weak and four random words are strong
The famous XKCD 936 comparison holds up. "Tr0ub4dor&3" is a
dictionary word with predictable substitutions — cracking tools
try exactly those mutations first. Its real-world entropy is
roughly 28 bits. Four words picked truly at random from
a 7,776-word list (correct horse battery staple
style) give 4 × 12.9 ≈ 51.7 bits — about eight
million times more work for the attacker, while being easier to
remember.
The catch: the words must come from a random generator. Humans picking "random" words pick their dog, their street and their football club.
How long is long enough?
| Password | Entropy | Verdict |
|---|---|---|
| 8 chars, human-made | < 30 bits | falls in minutes offline |
| 12 random chars (letters+digits+symbols) | ≈ 78 bits | fine |
| 16 random chars | ≈ 104 bits | fine for decades |
| 4 random diceware words | ≈ 52 bits | good for things you must type |
| 6 random diceware words | ≈ 78 bits | excellent master password |
The actual best practice, in three lines
- Use a password manager; let it generate a unique 16+ character random password per site.
- Protect the manager itself with a long random passphrase and two-factor authentication.
- Where a site offers passkeys, use them — they can't be phished, reused or leaked in a usable form.
What about the steefware Password Generator?
The Password Generator creates
random passwords using your browser's cryptographic random
number generator (crypto.getRandomValues), entirely
on your device. Nothing is sent to any server — there is no
server. It's a handy escape hatch when you need a strong secret
on a machine without your password manager.
Password Generator
Open the tool →Strong random passwords, generated locally in your browser.