How to Create Strong Passwords: A Complete Guide to Password Security in 2025
In 2024 alone, over 1.5 billion credentials were exposed in data breaches. The most common passwords found in those dumps? "123456," "password," "qwerty123," and "iloveyou." If any of those look familiar, you're not alone — but you are at serious risk.
Password security isn't glamorous, but it's the single most impactful thing you can do to protect yourself online. This guide covers what actually makes a password strong, why the old rules about complexity are wrong, how password generators work under the hood, and what to do when (not if) your credentials appear in a breach.
The Current State of Password Breaches
Let's start with the numbers that should make you take this seriously:
- The RockYou2024 compilation contained 9.9 billion unique passwords — the largest credential dump in history
- The average person reuses passwords across 5-7 different sites
- A password like "Tr0ub4dor&3" (8 characters, mixed case, numbers, symbols) can be brute-forced in under 8 hours with modern GPUs
- 81% of data breaches involve stolen or weak credentials (Verizon DBIR)
- Credential stuffing attacks (using leaked email/password combos on other sites) succeed 0.1-2% of the time — which, at millions of attempts per hour, means thousands of compromised accounts daily
The uncomfortable truth is that if you use the same password on multiple sites, a breach at one site compromises all of them. Attackers don't need to hack your bank — they just need to find your email and password from a breached gaming forum and try it on your bank's login page.
Why Length Beats Complexity
For decades, the standard advice was: use at least 8 characters with a mix of uppercase, lowercase, numbers, and symbols. This produced passwords like "P@ssw0rd!" that are hard for humans to remember but surprisingly easy for computers to crack.
The reason is entropy — a measure of how unpredictable a password is. Entropy is measured in bits, and each bit doubles the number of possible combinations an attacker must try.
| Password | Length | Entropy (bits) | Time to Crack |
|---|---|---|---|
| password | 8 | ~0 (dictionary word) | Instant |
| P@ssw0rd! | 9 | ~28 (predictable substitutions) | Minutes |
| Tr0ub4dor&3 | 11 | ~28 | Hours |
| correct horse battery staple | 28 | ~44 | Centuries |
| kX9#mP2$vL7@nQ4& | 16 | ~105 | Trillions of years |
The key insight: a longer password with a simpler character set is usually stronger than a shorter password with complex characters. "correct horse battery staple" (4 random words) has roughly 44 bits of entropy and is easy to remember. "Tr0ub4dor&3" has about the same entropy but is much harder to recall.
The formula for password entropy is:
Entropy = log₂(pool_size ^ length)
= length × log₂(pool_size)
Pool sizes:
Lowercase only (a-z): 26 → 4.7 bits/char
Lower + upper (a-zA-Z): 52 → 5.7 bits/char
Alphanumeric (a-zA-Z0-9): 62 → 5.95 bits/char
All printable ASCII: 95 → 6.57 bits/char
A 16-character password using all printable ASCII characters has 16 × 6.57 = ~105 bits of entropy. Current technology cannot brute-force anything above ~80 bits in a reasonable timeframe. At 105 bits, even a billion-GPU cluster running for the age of the universe wouldn't get through the combinations.
The Passphrase Method
If you need to create a password you'll actually remember (for your master password or device login), the passphrase method is your best option. Pick 4-6 random words from a large dictionary:
blanket mercury ocean fourteen
kite formula copper lantern nine
umbrella salmon voltage pyramid
The critical requirement is that the words must be randomly selected — not words you chose because they're meaningful to you. A truly random 4-word passphrase from a 7,776-word list (like the EFF Diceware list) provides about 51 bits of entropy. A 5-word passphrase provides ~64 bits. A 6-word passphrase provides ~77 bits.
You can strengthen passphrases further by adding a number or symbol between words, capitalizing a random word, or including one uncommon word.
Why You Should Never Reuse Passwords
Password reuse is the #1 security vulnerability for most people. Here's how it goes wrong:
- You use the same email and password on a small forum and your email account
- The forum gets breached (small sites have weaker security)
- Attackers try your credentials on Gmail, Outlook, Yahoo, and major banks
- Your email is compromised, which lets them reset passwords on every other site
- Within hours, they've locked you out of your email, social media, and financial accounts
This attack — credential stuffing — is automated and happens at massive scale. The only defense is to use a unique password for every site. With a password manager, this is practical. Without one, it's nearly impossible.
Password Managers: The Practical Solution
A password manager stores all your passwords in an encrypted vault protected by a single master password. You only need to remember one strong password — the manager handles the rest.
The key benefits:
- Unique passwords everywhere. The manager generates and stores a different random password for each site.
- Autofill. No more typing passwords — the manager fills them in automatically.
- Phishing protection. A password manager won't autofill your bank password on a fake bank site because the URL doesn't match.
- Breach alerts. Most managers notify you if any of your stored credentials appear in known breaches.
Popular options include Bitwarden (free and open-source), 1Password, and KeePass (offline-only). Even your browser's built-in password manager is better than reusing passwords.
Two-Factor Authentication (2FA): Your Second Line of Defense
Even the strongest password can be compromised through phishing, keyloggers, or server breaches. Two-factor authentication adds a second requirement — something you have (a phone or security key) in addition to something you know (your password).
Types of 2FA, ranked by security:
- Hardware security keys (YubiKey, Google Titan) — most secure, phishing-resistant
- Authenticator apps (Google Authenticator, Authy) — very good, generates time-based codes
- SMS codes — better than nothing, but vulnerable to SIM swapping attacks
- Email codes — weakest option (if someone has your email, they have both factors)
Enable 2FA on every account that supports it, starting with your email account (since email is the gateway to resetting all other passwords).
How Password Generators Work: CSPRNG vs. Math.random
When you use our Password Generator, it needs to produce random characters. But not all randomness is equal.
Math.random() in JavaScript uses a pseudo-random number generator (PRNG) that is seeded from the system clock. It produces numbers that look random but are deterministic — if an attacker knows the seed, they can predict every "random" number. This is fine for shuffling a playlist but completely unsuitable for generating passwords.
crypto.getRandomValues() uses a cryptographically secure pseudo-random number generator (CSPRNG) provided by your operating system. It draws entropy from hardware sources — mouse movements, disk timing, network packet timing, CPU temperature fluctuations — making it unpredictable even to an attacker who knows the algorithm.
// INSECURE — Do not use for passwords
const char = charset[Math.floor(Math.random() * charset.length)];
// SECURE — Uses CSPRNG
const array = new Uint32Array(1);
crypto.getRandomValues(array);
const char = charset[array[0] % charset.length];
Our password generator uses crypto.getRandomValues() exclusively, and since it runs in your browser, the generated password is never transmitted over the network. You can verify this in the source code or by monitoring network traffic.
What to Do If Your Password Is Breached
If you discover your credentials have been leaked (through a notification from a service, a password manager alert, or by checking haveibeenpwned.com), take these steps immediately:
- Change the password on the breached site immediately. Use a new, unique password generated by a password manager.
- Change the password everywhere you reused it. If you used the same password on other sites, change all of them. This is the most important step.
- Enable 2FA on the affected accounts if you haven't already.
- Check for unauthorized access. Review login history, connected apps, and recent activity on the compromised accounts.
- Monitor your email for password reset requests you didn't initiate — this may indicate an attacker is trying to access your other accounts.
- Consider a credit freeze if financial information was involved.
Frequently Asked Questions
How long should my passwords be?
At minimum, 12 characters for random passwords or 4 words for passphrases. For high-security accounts (email, banking, password manager master password), use 16+ characters or 5-6 word passphrases. Longer is always better — there's no performance penalty for a 20-character password, and the security improvement is exponential.
Is it safe to write down passwords?
A written password in a secure physical location (a locked drawer, not a sticky note on your monitor) is actually safer than reusing the same digital password across multiple sites. The threat model is different: a written password is vulnerable to physical theft but immune to online attacks. For most people, a password manager is the better solution, but writing passwords down is far better than reusing them.
Should I change passwords regularly?
The old advice of changing passwords every 90 days has been abandoned by NIST (the US National Institute of Standards and Technology). Forced password rotation leads to predictable patterns (Password1, Password2, Password3) and doesn't improve security. Change passwords only when you have reason to believe they've been compromised, or when a service you use reports a breach.
Are passkeys replacing passwords?
Passkeys (FIDO2/WebAuthn) are a passwordless authentication standard that uses public-key cryptography tied to your device. They're more secure than passwords and resistant to phishing. Major platforms (Google, Apple, Microsoft) now support them. However, adoption is still growing, and passwords will remain necessary for many sites for years to come. Use passkeys where available, and strong unique passwords everywhere else.