How to Create a Strong Password (and Why Length Beats Complexity)
2026-06-03 · 5 min read
A long passphrase beats a short jumble of symbols. Here is the maths behind password strength — and how to get it right.
Most password advice fixates on adding symbols and numbers. But the single biggest factor in how hard a password is to crack is its length. Understanding why changes how you create them.
Entropy: the real measure
Password strength is measured in bits of entropy — essentially how many guesses an attacker needs. Each additional character multiplies the possibilities, so length adds entropy exponentially, while swapping a letter for a symbol adds only a little.
Length beats complexity
A 16-character password drawn from lowercase letters alone has more entropy than an 8-character password using every symbol on the keyboard. Longer is stronger, and longer is also easier to remember if you use a passphrase.
Rules that actually help
- Use at least 16 characters where the site allows it.
- Make every password unique — reuse is what turns one breach into many.
- Avoid names, dates, and dictionary words an attacker can guess.
- Never rely on Math.random() in code — use a cryptographic random source.
Use a password manager so you never have to remember or reuse passwords. Then your only job is generating long, random, unique ones.
Generate one safely
The Password Generator uses crypto.getRandomValues() — never Math.random() — and shows entropy in bits so you can see your password is genuinely strong. Everything happens in your browser.