DevGizmo
Back to Blog
cryptography·

How to Generate a Strong Password: Entropy, Character Sets, and Security

Strong passwords are the first line of defence against account compromise. Learn what makes a password strong, how to calculate password entropy, and the best practices for generating and managing passwords in 2026.

passwordssecurityentropyauthentication

What Makes a Password "Strong"?

A password's strength is best measured by its entropy — the number of bits of randomness. A password with higher entropy takes exponentially longer to crack by brute force.

The formula for password entropy:

H = L × log₂(N)

Where:

  • H = entropy in bits
  • L = length of the password
  • N = size of the character set

For example, a 12-character password using lowercase letters only (26 characters):

H = 12 × log₂(26) = 12 × 4.70 ≈ 56.5 bits

The same length using all printable ASCII characters (95 characters):

H = 12 × log₂(95) = 12 × 6.57 ≈ 78.8 bits

More bits = more secure. Aim for at least 80 bits of entropy for standard accounts and 128+ bits for high-security use.

Character Sets by Entropy Contribution

Character setSize (N)Bits per character
Lowercase only (a–z)264.70
Lowercase + digits365.17
Mixed case (a–z, A–Z)525.70
Mixed case + digits625.95
All printable ASCII956.57

Adding uppercase, digits, and symbols adds about 2 bits of entropy per character compared to lowercase-only. Length matters more than complexity — a 20-character lowercase password has more entropy than a 10-character mixed-case-with-symbols password.

How Long Does It Take to Crack?

Cracking time depends on:

  • The attacker's hardware (GPUs can compute billions of hashes per second)
  • The hashing algorithm used to store the password
  • Whether the attacker is online (throttled) or offline (full speed on a stolen hash)

An offline attack on a fast hash (SHA-256, unsalted MD5):

  • A consumer GPU (RTX 4090) can compute ~22 billion SHA-256 hashes per second
  • An 8-character alphanumeric password (N=62, L=8) has 62^8 ≈ 218 trillion combinations
  • Cracking time: ~218e12 / 22e9 ≈ ~2.7 hours for a full brute-force

With a slow hash like bcrypt (cost factor 12, ~100ms/hash):

  • The same attack would take ~700 million years

Lesson: Use slow hashing algorithms server-side. Even a weak password is safer behind bcrypt.

Password Generation in JavaScript

Use the cryptographically secure crypto.getRandomValues() — never Math.random() for security-sensitive generation:

function generatePassword(length, charset) {
  const values = new Uint32Array(length);
  crypto.getRandomValues(values);
  return Array.from(values)
    .map((v) => charset[v % charset.length])
    .join("");
}

const CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";

const password = generatePassword(20, CHARSET);

Note: v % charset.length introduces a tiny modulo bias when 2^32 is not evenly divisible by charset.length. For most charsets this bias is negligible, but rejection sampling eliminates it entirely:

function generatePasswordUnbiased(length, charset) {
  const result = [];
  const maxValid = Math.floor(2 ** 32 / charset.length) * charset.length;
  while (result.length < length) {
    const [v] = crypto.getRandomValues(new Uint32Array(1));
    if (v < maxValid) result.push(charset[v % charset.length]);
  }
  return result.join("");
}

Passphrases: Long and Memorable

A random sequence of common words (a passphrase) can provide excellent entropy while remaining memorable. The EFF's large word list has 7,776 words. Choosing 6 random words:

H = 6 × log₂(7776) = 6 × 12.92 = 77.5 bits

"correct-horse-battery-staple" style passphrases are both strong and memorable — but only if the words are truly chosen at random, not selected by the user.

Password Manager Best Practices

Use a password manager (1Password, Bitwarden, KeePass) to:

  • Generate and store a unique, high-entropy password per site
  • Never reuse passwords across accounts
  • Enable two-factor authentication (2FA) as a second layer

Password reuse is the most common cause of account takeovers — an attacker who obtains passwords from a data breach of site A tries them on site B. With unique passwords per site, this attack is contained.

What to Avoid

  • Sequential patterns: 123456, abcdef, qwerty
  • Personal information: names, birthdays, addresses
  • Dictionary words (alone): even complex-looking words are in wordlists used by crackers
  • Keyboard walks: qwerty, zxcvbn
  • Predictable substitutions: p@ssw0rd is well-known to crackers

Try it yourself

Put these concepts into practice with the free online tool on DevGizmo.