PureTools

Password Generator: How to Create Truly Strong Passwords

PureTools Team · 8 min read

Password Strength: The Math

"Use uppercase, lowercase, numbers, and symbols" — we've all heard this advice. But is P@ssw0rd! really stronger than correct horse battery staple? Let's do the math.

Entropy: Measuring Password Strength

Password strength is measured in bits of entropy. For a password whose characters are each picked uniformly at random, the formula is:

entropy = log2(pool_size ^ length) = length × log2(pool_size)

Where pool_size is the number of possible characters:

Character set     Pool size
Lowercase only    26
+ Uppercase       52
+ Digits          62
+ Symbols         ~95

An 8-character password with all character types: log2(95^8) = 52.6 bits.

A 16-character lowercase-only password: log2(26^16) = 75.2 bits.

The longer, simpler password is dramatically stronger. Length wins.

How Long Does It Take to Crack?

At 10 billion guesses/second (modern GPU cluster):

  • 52 bits: ~7 minutes
  • 64 bits: ~58 years
  • 75 bits: ~1.2 million years
  • 128 bits: heat death of the universe

Passphrase vs Random Characters

correct horse battery staple uses 4 common English words from a ~7,776 word list (Diceware). That's log2(7776^4) = 51.7 bits. Decent, but not great.

5 Diceware words: 64.6 bits. 6 words: 77.5 bits. Use at least 5.

Random characters are more entropy-dense per character, but passphrases are more memorable. The best password is the one you don't have to write down.

What Makes a Good Password Generator?

  1. Cryptographically secure randomness: crypto.getRandomValues(), not Math.random()
  2. Configurable length: default 16+
  3. Character set options: some systems don't accept symbols
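  4. No pattern bias: truly random distribution

function generatePassword(length = 20, charset = 'a-zA-Z0-9!@#$%') {
  // Expand the range shorthands into the characters they stand for.
  const chars = charset.replace(/a-z/g, 'abcdefghijklmnopqrstuvwxyz')
    .replace(/A-Z/g, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')
    .replace(/0-9/g, '0123456789');
  if (chars.length < 1 || chars.length > 256) throw new RangeError('charset must have 1-256 characters');
  // Rejection sampling: a bare b % chars.length favors the first characters when 256 is not a multiple of chars.length.
  const limit = 256 - (256 % chars.length);
  const buf = new Uint8Array(1);
  let out = '';
  while (out.length < length) {
    crypto.getRandomValues(buf);
    if (buf[0] < limit) out += chars[buf[0] % chars.length];
  }
  return out;
}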
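
Why point 4 matters when random bytes are mapped onto a character set with `%`: the added example below (not PureTools' code) computes the exact skew of `byte % n` for the 67-character default set and shows a rejection-sampling picker that removes it. The names moduloBias, cryptoByte, unbiasedIndex and generate are chosen here for illustration, and the injectable nextByte parameter is an assumption made so the logic can be checked with fixed bytes.

```javascript
// Exact distribution of `byte % n` for a uniform byte (0..255).
function moduloBias(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  const max = Math.max(...counts);
  const min = Math.min(...counts);
  return {
    favoured: counts.filter(c => c === max).length, // indexes at the top probability
    ratio: max / min,                               // top vs bottom probability
    minEntropyBits: -Math.log2(max / 256),          // per character, worst case
    idealBits: Math.log2(n),                        // per character if uniform
  };
}

// One byte from the platform CSPRNG (the global `crypto` of a browser or recent Node).
function cryptoByte() {
  const buf = new Uint8Array(1);
  crypto.getRandomValues(buf);
  return buf[0];
}

// Rejection sampling: discard bytes at or above the largest multiple of n
// that fits in 0..256, so every index 0..n-1 is hit by the same number of bytes.
function unbiasedIndex(n, nextByte = cryptoByte) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be 1..256');
  const limit = 256 - (256 % n);
  let b;
  do { b = nextByte(); } while (b >= limit);
  return b % n;
}

// Build a password from `chars` using the unbiased picker.
function generate(length, chars, nextByte = cryptoByte) {
  return Array.from({ length }, () => chars[unbiasedIndex(chars.length, nextByte)]).join('');
}

// The default set above expands to 67 characters (26 + 26 + 10 + 5).
// 256 = 3 * 67 + 55, so the first 55 characters are hit by 4 byte values, the rest by 3.
console.log(moduloBias(67)); // favoured: 55, ratio: 4/3, minEntropyBits: 6, idealBits: ~6.066
```

Over 20 characters the modulo version's worst-case entropy is 120 bits against about 121.3 for the uniform picker: a small loss, but one that costs nothing to avoid.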

The Real Advice

  1. Use a password manager (Bitwarden, 1Password)
  2. Generate 20+ character random passwords for everything
  3. Use a strong passphrase for the master password
  4. Enable 2FA everywhere

Generate now: Password Generator — cryptographically secure, configurable length and character sets.