How to Create a Strong Password in 2026 (That Hackers Can't Crack)


Most people's mental model of a strong password is wrong. The instinct is to take a word, swap some letters for numbers, add a symbol at the end, and call it secure. P@ssw0rd1! feels strong because it ticks the boxes. It will fall in under a second to any modern attack.

This guide explains what actually makes a password secure, how attackers approach cracking them, and how to generate passwords that would genuinely take longer than the age of the universe to brute-force — using a free, fully client-side tool that never transmits your passwords anywhere.

The Lie Behind Password Strength Meters

Most password strength meters are theatrical. They reward you with a green bar for mixing character types without considering what attackers actually do.

Modern password cracking does not try random character combinations. It uses dictionaries — wordlists of millions of commonly used passwords, dictionary words, and known patterns — combined with rules that apply transformations: capitalise the first letter, append a year, replace a with @, add ! at the end. The attack tool tries the original word, then every rule-based variant, at billions of guesses per second using consumer-grade GPUs.

Tr0ub4dor&3 looks complex. It is a dictionary word with predictable substitutions and a memorable symbol. An attacker's rule set will find it. correct horse battery staple — four random common words — has more entropy and is considerably harder to crack, despite being entirely lowercase with no symbols.

The only genuine defence is entropy: mathematical unpredictability. And the only reliable way to get entropy is true randomness at sufficient length.

What Entropy Actually Means

Entropy in passwords is measured in bits. Each bit of entropy doubles the number of guesses required to crack the password.

  • A password with 30 bits of entropy requires ~1 billion guesses
  • A password with 60 bits requires ~1 quintillion guesses
  • A password with 100 bits requires more guesses than there are atoms in the observable universe

At 10 billion guesses per second — a realistic rate for a modern GPU cracking cluster — a 100-bit password would take longer than the current age of the universe. A 60-bit password would take about 3.5 years. A 30-bit password falls in under two minutes.

The entropy of a password depends on two things: the size of the character set used and the length of the password. Length is far more important. Adding one character to a 20-character lowercase password adds more entropy than switching from lowercase to mixed case on a 10-character password.

The practical takeaway: Length beats complexity. A 20-character password using only lowercase letters is mathematically stronger than a 10-character password using every character type available.
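The arithmetic behind the numbers above (bits = length × log2(alphabet size), crack time = 2^bits ÷ guess rate) is short enough to write out, so here it is as an added example that is not PassLab's code. It compares the two passwords the paragraph contrasts, the Diceware-style passphrases described later on this page, and finishes with the kind of estimate a strength checker gives for an existing password by inferring the alphabet from the character classes present. The 10 billion guesses/second rate, the Diceware list size of 7776 and the 13.8 billion year age of the universe are assumed constants; the symbol count of 32 is the printable ASCII symbols excluding space.

```javascript
// Added example (not PassLab's code): password entropy and time-to-crack
// arithmetic as used in the article, plus a strength-checker style estimate.

const GUESSES_PER_SECOND = 1e10;   // assumed GPU cluster rate, as in the article
const DICEWARE_LIST_SIZE = 7776;   // assumed: standard Diceware list, 6^5 words
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;
const AGE_OF_UNIVERSE_YEARS = 13.8e9; // assumed figure

// Entropy of a uniformly random password: every position is an independent
// draw from an alphabet of `alphabetSize` characters.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Seconds needed to try the entire key space at `rate` guesses per second.
// 2 ** bits stays in floating point, which is exact enough up to ~1000 bits.
function secondsToCrack(bits, rate = GUESSES_PER_SECOND) {
  return 2 ** bits / rate;
}

// Plain-English rendering of a crack time, in the spirit of the article's verdicts.
function describeCrackTime(seconds) {
  if (seconds < 60) return `${seconds.toFixed(2)} seconds`;
  if (seconds < 3600) return `${(seconds / 60).toFixed(1)} minutes`;
  if (seconds < 86400) return `${(seconds / 3600).toFixed(1)} hours`;
  const years = seconds / SECONDS_PER_YEAR;
  if (years < 1) return `${(seconds / 86400).toFixed(1)} days`;
  if (years > AGE_OF_UNIVERSE_YEARS) return 'longer than the age of the universe';
  return `${years.toExponential(2)} years`;
}

// Strength-checker estimate for a password that was generated at random:
// infer the alphabet from the character classes that appear. This is an
// upper bound; a dictionary word with substitutions gets the same score here
// but falls to a rule-based attack, which this arithmetic does not model.
function estimateRandomPasswordBits(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 32; // printable ASCII symbols, no space
  return pool === 0 ? 0 : entropyBits(password.length, pool);
}

// The comparison the article makes: 20 lowercase characters vs 10 characters
// drawn from the full 94-character printable set.
function compareLengthVsComplexity() {
  return {
    lowercase20: entropyBits(20, 26),  // ~94.0 bits
    fullSet10: entropyBits(10, 94),    // ~65.5 bits
    passphrase4: entropyBits(4, DICEWARE_LIST_SIZE), // ~51.7 bits
    passphrase5: entropyBits(5, DICEWARE_LIST_SIZE), // ~64.6 bits
  };
}

// Stand-alone demonstration.
for (const bits of [30, 60, 100]) {
  console.log(`${bits} bits: ${describeCrackTime(secondsToCrack(bits))}`);
}
console.log(compareLengthVsComplexity());
console.log(estimateRandomPasswordBits('DAcll/pr[fSMTWUTH978').toFixed(1), 'bits');
```

Note that the 60-bit figure works out to about 3.65 years at this rate, and the 30-bit key space is exhausted in a fraction of a second; the checker estimate only applies to passwords that really were drawn at random, which is why a tool like the one described here should show the math rather than a colour bar.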

The Three Types of Password Worth Knowing

1. Random high-entropy passwords (for password managers)

These look like DAcll/pr[fSMTWUTH978. Completely random, no pattern, maximum entropy per character. Impossible to memorise — which is fine, because you are not supposed to memorise them. These go into your password manager, which autofills them. You never need to type them manually.

This is the right format for every account you have: your email, social media, banking, shopping, SaaS subscriptions. Unique for every service. Generated fresh every time.

2. Passphrases (for things you need to type or remember)

A passphrase is a sequence of random words: correct-horse-battery-staple, velvet-mango-circuit-lamp, triangle-whisper-socket-raven. Four or five random words give you 50–70 bits of entropy — comparable to a complex 12-character random password — while being genuinely memorable.

Use passphrases for: your password manager master password, your device login, any account where you regularly type the password manually. The key word is random — you need to use a word list and a random selection process, not your own choice of "random" words, which will be predictably biased.

3. Context-aware passwords (for specific site rules)

Some sites have arbitrary rules: "at least one number, one symbol, maximum 16 characters, no spaces." These constraints reduce your entropy ceiling. A good generator adapts to the context — producing a password that satisfies the rules without sacrificing more entropy than necessary.

How to Generate Strong Passwords Free

PassLab is a free, open-source password generator that runs entirely in your browser. Your passwords are generated using the Web Crypto API (crypto.getRandomValues()) — the same cryptographically secure random number generator used by browsers for TLS key generation. Nothing is ever transmitted to a server.

What PassLab generates:

High-entropy random passwords — configurable length (6 to 64 characters), character sets (lowercase, uppercase, numbers, symbols), and options to exclude ambiguous characters (l, 1, O, 0) for passwords you might need to read aloud or type from a screen.

Passphrases — Diceware-style word selection from a curated list. You choose the number of words; the tool selects them truly randomly. The output has measurable entropy displayed alongside it so you know exactly what you are getting.

Strength checker — Paste any existing password and get its entropy in bits, an estimated time to crack at 10 billion guesses per second, and a plain-English verdict. This is genuinely more useful than a colour-coded meter because it shows the actual math.

Time-to-crack visualiser — For any generated password, the tool shows the crack time at realistic attack speeds. Seeing "effectively forever at 10 billion guesses/second" next to your new 20-character password is useful feedback.

QR code export — Generate a QR code from a password to scan it into a mobile device without typing. The QR renders client-side, never on a server.

Bulk generation — Generate up to 100 passwords at once and export as CSV. Useful for onboarding new team members, generating a batch of API keys, or setting up multiple accounts simultaneously.

Word-to-password transform — Takes any word and transforms it into a strong, mnemonic password using leet-speak rules and character substitutions. helen becomes H313n@92!. Useful for situations where you need to remember a password without a manager.

The Client-Side Guarantee

Most online password generators are risky in a specific way: they generate passwords on their servers and transmit them to your browser. If the connection is intercepted, or if the service logs requests, your passwords are exposed.

PassLab operates differently. Open the developer console in your browser while using it (F12 → Console), and you can watch exactly what network requests it makes. There are none for password generation. The entire generation happens locally. If you disconnect from the internet and reload the page, the generator still works.

The source code is open source, which means anyone can audit the implementation and verify that no hidden transmission is happening.

Where This Fits Into Your Privacy Setup

Passwords are one layer of your security posture — but they are the foundational one. A strong, unique password for every account means that a breach at one service cannot cascade into others.

The next layer is understanding what information your browser and network connection are already broadcasting to every website you visit. Your IP address, ISP, approximate location, browser version, operating system, screen resolution, and language settings are all visible before you even log in to anything. Check My Setup shows you the complete picture — the full fingerprint of information your connection reveals by default.

Understanding both sides of this — what you are actively exposing through weak credentials, and what is being passively collected from your connection — gives you a clearer view of your actual online exposure than most people ever think to look for.

A Practical Password Hygiene Checklist

| Action | Status |
| --- | --- |
| Use a password manager (Bitwarden, 1Password, Proton Pass) | ✓ Enables everything else |
| Unique password for every account | ✓ Stops credential stuffing |
| 16+ characters, randomly generated | ✓ Entropy, not complexity |
| Passphrase for master password | ✓ Memorable + strong |
| Two-factor authentication on email and banking | ✓ Backup when passwords fail |
| Check new passwords with a strength checker | ✓ Verify before committing |

FAQ

What makes a password actually strong in 2026?

Length and genuine randomness. A 16-character password built from a random mix of character types, generated by a cryptographically secure random number generator, provides around 100 bits of entropy — enough to be effectively uncrackable with any current or foreseeable hardware. Use PassLab to generate these; it uses crypto.getRandomValues() and runs entirely in your browser.

Is it safe to use an online password generator?

Only if the generation happens client-side, in your browser. Tools that send a request to a server to generate a password are exposing that password in transmission and potentially in server logs. PassLab generates everything locally — you can verify this by watching the network tab in your browser's developer tools while generating a password.

How long should a password be?

For accounts stored in a password manager: 20 characters minimum, randomly generated. For passwords you need to type manually: use a 4–5 word passphrase instead — longer effective entropy, easier to recall. The absolute minimum for any account worth protecting is 12 characters, randomly generated.

Should I use the same strong password on multiple sites?

Never. Password reuse is the primary driver of account takeover attacks. If any service you use is breached and its password database leaked — which happens to major companies regularly — every account using that password is now compromised. Using a unique password for every service is the non-negotiable rule.

What is the difference between a password generator and a password manager?

A generator creates the password. A manager stores and autofills it. You need both. Use PassLab or a similar generator to create high-entropy passwords, then store them in a password manager (Bitwarden is free and open-source; 1Password and Proton Pass are well-regarded paid options). The manager handles recall so you can use genuinely random passwords without memorising them.