How to Generate a Strong Password (And Why You Don't Need to Remember It)
What makes a password truly secure, how entropy works, why 'P@ssw0rd' is weaker than 'correct-horse-battery-staple', and how to use Stax's browser-based password generator and strength checker without your passwords ever leaving your device.


Most people approach passwords the wrong way — adding a capital letter and a number because some website required it, then using the same method for every account. This guide answers the questions that actually matter: what makes a password strong, how a random generator works, what the strength checker is actually measuring, and how long it takes an attacker to crack passwords of different types. By the end, you'll understand why the Stax Password Generator produces the output it does — and why running it in your browser without uploading anything is the only approach that makes sense for a security tool.
Why does password strength even matter now? Aren't passwords hashed?
Yes, reputable sites store password hashes (bcrypt, scrypt, Argon2), not plaintext passwords. But breaches still happen, and when they do, attackers get the hashed database. They then run offline cracking — feeding billions of candidate passwords through the same hash algorithm and comparing outputs.
The speed depends on the hash algorithm. SHA-1 (used by some older sites): up to 10 billion guesses per second on a consumer GPU. bcrypt with cost factor 12: around 200 guesses per second on the same hardware. This is why the hash algorithm matters — and why the password has to be strong enough to resist even slow offline cracking.
Two other scenarios where password strength matters even more:
Credential stuffing: When a breach from Site A exposes your password (hashed or not), attackers try the same email+password combination at hundreds of other sites automatically. If you reuse passwords, one breach propagates across your entire digital life.
Brute force on rate-unlimited services: Some services — older routers, VPN portals, certain enterprise software — don't throttle login attempts. Against these, an attacker can try millions of combinations per minute directly.
What is password entropy, and why does it determine strength?
Entropy is the measure of unpredictability — specifically, how many guesses an attacker needs to try before hitting on the correct password. It's measured in bits.
The formula: Entropy = log₂(Cˢ), where C is the character set size and S is the password length.
- Lowercase only (26 chars), 8 characters: log₂(26⁸) ≈ 37.6 bits
- Lowercase + uppercase + digits (62 chars), 8 characters: log₂(62⁸) ≈ 47.6 bits
- Full printable ASCII (95 chars), 8 characters: log₂(95⁸) ≈ 52.6 bits
- Full printable ASCII, 16 characters: ≈ 105 bits
- Full printable ASCII, 24 characters: ≈ 157 bits
Every additional bit of entropy doubles the search space. The jump from 8 to 16 characters (if the character set stays the same) adds 52.6 bits — the equivalent of squaring the number of guesses required.
The key insight: length beats complexity. A 16-character lowercase-only password has more entropy (84.5 bits) than a 10-character mixed-case-plus-symbols password (65.8 bits). This is why "correcthorsebatterystaple" (a concept from xkcd #936) is cryptographically stronger than "P@ssw0rd1!" despite looking simpler.
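The entropy formula and the cracking rates quoted on this page, worked through in code. This is an added example, not code from the Stax tools: it computes bits for the character-set/length combinations listed above, extends the same formula to word-based passphrases (each word drawn uniformly from a list of W words adds log2(W) bits), and converts bits into an average crack time at the guess rates given in the "Sources & methodology" section. The 10 guesses/second figure for an online, rate-limited service is an assumption for illustration; the page gives no number for that scenario.

```javascript
// Added example (not code from the Stax tools): entropy in bits for a
// uniformly random password, and the average time an offline cracker needs
// at the guess rates quoted on this page.

// bits = length * log2(charsetSize), i.e. log2(C^S), written so that it
// does not overflow for long passwords.
function entropyBits(charsetSize, length) {
  if (charsetSize < 2 || length < 1) {
    throw new RangeError('need charsetSize >= 2 and length >= 1');
  }
  return length * Math.log2(charsetSize);
}

// Passphrases follow the same formula: a word chosen uniformly from a list
// of W words contributes log2(W) bits (xkcd #936 assumes a 2048-word list,
// so four words give 44 bits).
function passphraseBits(wordlistSize, words) {
  return entropyBits(wordlistSize, words);
}

// On average a uniformly random secret is found after half the search space.
function crackTimeSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits - 1) / guessesPerSecond;
}

// Rates from this page's "Sources & methodology" section (RTX 4090 Hashcat
// figures). The online-throttled rate is an assumption: a service that lets
// an attacker try 10 guesses per second.
const SCENARIOS = {
  'online throttled (assumed 10/s)': 10,
  'offline bcrypt cost 12': 200,
  'offline SHA-1': 1e10,
  'offline MD5': 6e10,
};

function formatDuration(seconds) {
  const units = [['years', 31557600], ['days', 86400], ['hours', 3600], ['minutes', 60], ['seconds', 1]];
  for (const [name, size] of units) {
    if (seconds >= size) {
      const v = seconds / size;
      return `${v < 1e6 ? v.toFixed(1) : v.toExponential(2)} ${name}`;
    }
  }
  return `${seconds.toExponential(2)} seconds`;
}

// Entropy plus a crack-time estimate for every scenario.
function crackTable(charsetSize, length) {
  const bits = entropyBits(charsetSize, length);
  const rows = {};
  for (const [name, rate] of Object.entries(SCENARIOS)) {
    rows[name] = formatDuration(crackTimeSeconds(bits, rate));
  }
  return { bits, rows };
}

// Demo: the combinations listed in the text above.
for (const [label, c, s] of [
  ['lowercase x8', 26, 8], ['letters+digits x8', 62, 8],
  ['printable ASCII x8', 95, 8], ['printable ASCII x16', 95, 16], ['printable ASCII x24', 95, 24],
]) {
  const { bits, rows } = crackTable(c, s);
  console.log(`${label}: ${bits.toFixed(1)} bits`, rows);
}
```

The table makes the "length beats complexity" point concrete: the 8-character printable-ASCII password survives seconds against MD5, while the 16-character one at the same rate is out of reach for any plausible hardware budget.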
What does a truly random password generator actually do?
Randomness is the core requirement. A password generator that uses a predictable algorithm — even one that looks random — is not cryptographically secure.
The Stax Password Generator uses window.crypto.getRandomValues(), the Web Cryptography API built into every modern browser. This is the same entropy source used in cryptographic applications. It pulls randomness from OS-level sources (hardware events, hardware RNG if available) and is unpredictable even to the browser itself.
What it does not do:
- Send your generated passwords to a server (there is no server involved)
- Log or cache the output
- Use Math.random(), which is pseudorandom and unsuitable for security purposes
When you generate a password, the calculation happens entirely inside your browser's JavaScript engine using the crypto API. The output is shown on screen, and once you navigate away, it is gone — there is no storage, no transmission, no account required.
Character sets you can choose from:
- Lowercase letters (a–z): 26 characters
- Uppercase letters (A–Z): 26 characters
- Digits (0–9): 10 characters
- Symbols (!@#$%^&*...): ~32 characters (varies by inclusion)
For most use cases — a password manager entry for a website — 16 characters with all four character sets gives you approximately 105 bits of entropy. That is computationally infeasible to crack even with nation-state resources.
How does the password strength checker measure strength?
The Password Strength Checker measures two things: raw entropy and pattern recognition.
Raw entropy is calculated from the actual character set present in the password and its length — the formula described above. A 12-character password using only lowercase gets one score; the same 12 characters drawn from all four sets gets a higher score.
Pattern recognition is the more important part. Password crackers don't just brute-force every possible combination — they start with:
- Dictionary words (English, multi-language)
- Common substitutions (a→@, o→0, e→3, i→1)
- Known leaked passwords (billions from previous data breaches)
- Common patterns (word + year, word + number + symbol at end)
"Password2024!" has decent raw entropy — it's 13 characters with mixed case and symbols. But its effective entropy is near zero because it matches patterns that crackers try in the first few minutes. The strength checker identifies these patterns and penalises them.
The result: a password like qL#8mZx2!kTp (12 random characters) is dramatically stronger than Monday@2024! (12 characters with a common pattern) despite having the same length and character class.
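The two-stage measurement described in this section, as an added example that is not the Stax checker's code. It computes raw entropy from the character classes present, then runs a pattern pass that splits the password into a word-like core and a numeric/symbol tail, undoes the common substitutions, and looks the core up in a dictionary and a leaked-password list. The dictionary and leaked list here are tiny constructed stand-ins (real checkers use lists of millions of entries), and the penalty arithmetic is this example's own model of what a rule-based cracker has to search: which word, which substitutions, which capitalisation, and a tail where a year counts as roughly 100 candidates rather than 10^4.

```javascript
// Added example, not the Stax checker's code: raw entropy from character
// classes, then a pattern pass estimating what a cracker actually searches.

// Constructed stand-ins for real cracking inputs.
const COMMON_WORDS = ['password', 'monday', 'welcome', 'letmein', 'summer', 'qwerty'];
const LEAKED = new Set(['123456', 'password', 'password1', 'qwerty', 'iloveyou']);
// Substitutions every ruleset undoes (a->@/4, o->0, e->3, i->1/!, s->$/5, t->7).
const UNLEET = { '@': 'a', '4': 'a', '0': 'o', '3': 'e', '1': 'i', '!': 'i', '$': 's', '5': 's', '7': 't' };

function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^A-Za-z0-9]/.test(pw)) n += 32;
  return n;
}

// The log2(C^S) figure from the entropy section, using the classes present.
function rawEntropyBits(pw) {
  return pw.length === 0 ? 0 : pw.length * Math.log2(charsetSize(pw));
}

// Split "Password2024!" into core "Password" and tail "2024!", undo leet in
// the core, and report the findings a cracker's rules would exploit.
function analysePassword(pw) {
  const tail = (pw.match(/[^A-Za-z]+$/) || [''])[0];
  const core = pw.slice(0, pw.length - tail.length);
  const lowerCore = core.toLowerCase();
  const normCore = [...lowerCore].map((c) => UNLEET[c] ?? c).join('');
  const substitutions = [...lowerCore].filter((c, i) => c !== normCore[i]).length;
  const findings = [];
  const raw = rawEntropyBits(pw);
  let effective = raw;

  if (LEAKED.has(pw.toLowerCase()) || LEAKED.has(normCore + tail)) {
    findings.push('known leaked password');
    effective = 0;
  } else if (COMMON_WORDS.includes(normCore)) {
    findings.push('dictionary word as base');
    if (substitutions > 0) findings.push(`${substitutions} leet substitution(s)`);
    // Search space: which word, which substitutions, capitalised or not ...
    let bits = Math.log2(COMMON_WORDS.length) + substitutions + (/[A-Z]/.test(core) ? 1 : 0);
    // ... plus the tail, where a year is ~100 candidates, not 10^4.
    const year = /(19|20)\d{2}/.test(tail);
    if (year) findings.push('year suffix');
    else if (tail.length > 0) findings.push('number/symbol suffix');
    const digits = (tail.match(/[0-9]/g) || []).length - (year ? 4 : 0);
    const symbols = (tail.match(/[^0-9]/g) || []).length;
    bits += (year ? Math.log2(100) : 0) + digits * Math.log2(10) + symbols * Math.log2(32);
    effective = Math.min(raw, bits);
  }
  return { raw, effective, findings };
}

for (const pw of ['Password2024!', 'Monday@2024!', 'P@ssw0rd1', 'qL#8mZx2!kTp']) {
  const r = analysePassword(pw);
  console.log(pw, `raw ${r.raw.toFixed(1)} bits, effective ${r.effective.toFixed(1)} bits`, r.findings);
}
```

Both 12-character examples from the text score the same raw entropy (about 78.7 bits, four classes); the pattern pass is what separates them, dropping Monday@2024! to roughly 20 bits while leaving the random string untouched.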
What length should I use for different situations?
Not all contexts need the same level of protection. Here's a practical framework:
| Context | Recommended Length | Character Sets | Notes |
|---|---|---|---|
| Password manager master password | 24+ characters | All four sets | This protects everything else — make it a memorisable passphrase, not a random string, e.g. four random words + numbers: "copper-anvil-zebra-7814" |
| Email account | 20 characters | All four sets | Email is used for password resets — if compromised, everything else falls. Store in password manager; never reuse |
| Banking / financial | 16–20 characters | All four sets | Most banks cap at 20–32 chars; check the site's limit first |
| Social media | 16 characters | All four sets | High-value target for account takeover; use a unique password per platform |
| Low-risk sites (forums, newsletters) | 12 characters | Letters + digits | Some older sites don't accept symbols; still keep unique per site |
| WiFi password (shared with guests) | 12 characters | Letters + digits only | Avoid symbols — they're hard to type on mobile keyboards. Use the QR Code Generator to share WiFi without revealing the password |
| Device PIN / pattern | 6-digit minimum; prefer alphanumeric | Alphanumeric | Throttled by the device's hardware — a 6-digit PIN with rate limiting is adequate; 8+ is better |
Why does "one unique password per site" matter more than length?
This is the most impactful security habit and the most commonly skipped one.
When a data breach exposes your credentials from Site A, you typically don't know for days, weeks, or months. During that window, automated tools test the leaked email+password combination against hundreds of other services — banking, email, social media, cloud storage. This is called credential stuffing.
In 2024, the largest known password database (known as RockYou2024) contained 10 billion unique plaintext passwords from breaches. Attackers cross-reference these against active account holders at major platforms.
The only defence is site-specific passwords: every site gets a different, randomly generated password. When Site A is breached, the exposed password is useless everywhere else.
Generating and storing 50–200 unique passwords is clearly not manageable by memory — which is why the answer is a password manager.
Should I use a browser-based generator if I'm worried about security?
The concern is legitimate: if a password generator sends your output to a server, the server operator has your password. This is why running the generator locally is not optional — it is the only correct architecture for a security tool.
The Stax generator runs entirely in your browser via JavaScript + the Web Crypto API. You can verify this: open browser developer tools (F12), go to the Network tab, and watch for any outgoing requests when you click "Generate." There are none.
Contrast this with web-based generators that operate on a server (even if they claim they don't store data — you have no way to verify). The architecture itself is the security guarantee. Client-side = no server = no interception point.
Similarly, the Password Strength Checker analyses your password locally. You can safely paste your actual passwords into it for strength assessment without the text ever leaving your browser.
Common password mistakes and how to avoid them
Using personal information: Birthdates, pet names, favourite teams, and significant years are all easily guessable — either by people who know you, or by attackers who correlate your social media. Randomly generated passwords eliminate this category entirely.
The predictable substitution: P@ssw0rd is not a strong password. Every common substitution (a→@, s→$, e→3) is in every cracker's ruleset. The strength checker flags these, but the real fix is to stop using words as the base.
Appending the year when forced to change: MyPassword2023, MyPassword2024, MyPassword2025 — this is trivially predictable. Forced password rotation without strong guidance produces this pattern repeatedly. When you're required to change a password, generate a completely new random one.
Short passwords with maximum complexity: A#8! has all four character sets. It has approximately 26 bits of entropy. Any 8-character random password is crackable; any site accepting passwords under 10 characters is not enforcing adequate security.
The main account / throwaway account split: Many people use their strongest password for Gmail and a consistent weak password for "unimportant" sites. The problem: "unimportant" sites often share a login with social media (OAuth), and their breach can cascade to connected accounts. Use unique generated passwords everywhere.
Generate your passwords and check your current ones
The Password Generator lets you select length, character sets, and generate in a single click. The generated password is shown in a copyable field — click to copy, navigate away, and it's gone from our end.
The Password Strength Checker accepts any password and shows: estimated entropy in bits, character class analysis, pattern detection (dictionary words, substitutions, common sequences), and an estimated time-to-crack under three attack scenarios (online throttled, offline bcrypt, offline MD5).
Both tools run entirely in your browser — no data leaves your device.
My Take
The "memorable vs secure" trade-off is mostly a false dilemma created by bad password practices. You're not supposed to remember every password — that's what password managers exist for. The only password worth optimising for memorability is your password manager's master password, and the right approach there is a 4–6 word passphrase (random, not meaningful). For everything else: generate 20 random characters, copy to your password manager, and never think about it again. The infrastructure exists; the main barrier is the setup cost, which is a one-afternoon job to migrate existing accounts. The Stax generator handles the generation part — the password manager choice (1Password, Bitwarden, Dashlane, Apple Passwords, Google Password Manager) is yours.
Sources & methodology
Entropy formula: Claude Shannon's information entropy applied to password spaces. Reference: NIST Special Publication 800-63B, Section 5.1, Memorised Secret Authenticators.
Cracking speed estimates: Based on published benchmarks from Hashcat (open-source password recovery tool) on consumer GPU (RTX 4090). bcrypt cost-12: ~200 H/s. MD5: ~60 billion H/s. SHA-1: ~10 billion H/s. Numbers vary significantly by hardware.
Web Crypto API: MDN Web Docs — Crypto.getRandomValues(), confirming CSPRNG behaviour and OS entropy source.
RockYou2024 reference: Reported by Cybernews in July 2024 — a 10-billion-record compilation of plaintext passwords from multiple breach databases. Context for credential stuffing risk.
xkcd #936 — "correct horse battery staple": Randall Munroe's 2011 comic on passphrase entropy, which correctly identified that length-based passphrases can exceed complexity-based passwords in entropy. The underlying entropy calculation remains accurate.
NIST password guidance: NIST SP 800-63B (2020 revision) recommends against mandatory periodic password changes, complexity requirements that lead to predictable patterns, and password hints — all of which reduce real-world security.
The bottom line
Password strength comes down to two things: entropy (length × character set size) and uniqueness per site. A 20-character randomly generated password is infeasible to crack regardless of which site's hash algorithm is used. The browser-based generator at Stax uses a cryptographically secure random source and never transmits your output. The strength checker tells you, concretely, what an attacker faces when targeting your current passwords. Both run offline.

Harshil
Developer & Founder, stax.tools
Harshil is the developer behind stax.tools, building privacy-first tools that run entirely in your browser.