Secure Password Generation: Entropy, Strength, and Best Practices
Understand password entropy, what makes a password truly strong, how attackers crack passwords, and best practices for password management.
"Use a strong password." You've read this advice a thousand times. But what does strong actually mean, quantitatively? And why do some passwords that look complex get cracked in minutes while long passphrases resist attacks for centuries?
What Is Password Entropy?
Password entropy measures the unpredictability of a password in bits. Higher entropy means more possible combinations an attacker must try:
Entropy (bits) = log₂(charset_size ^ password_length)
= password_length × log₂(charset_size)
| Charset | Size | Example Characters |
|---|---|---|
| Lowercase only | 26 | a–z |
| Lower + upper | 52 | a–z, A–Z |
| Alphanumeric | 62 | a–z, A–Z, 0–9 |
| Full printable ASCII | 95 | All printable characters |
Entropy Examples
"password" : 8 chars × log₂(26) = 8 × 4.70 = 37.6 bits
"P@ssw0rd1!" : 10 chars × log₂(72) = 10 × 6.17 = 61.7 bits
"correct-horse-battery-staple" : 28 chars × log₂(26) = 131.7 bits
Random 16-char full ASCII : 16 × log₂(95) = 16 × 6.57 = 105.1 bits
The passphrase wins. Length beats complexity. Note that these figures assume each character was drawn uniformly at random from the charset; a dictionary word like "password" is far weaker than its 37.6 bits suggest, as the next section shows.
How Attackers Crack Passwords
Understanding the attack methods clarifies what "strong" actually means:
Brute Force
Try every possible combination. At 10 billion guesses per second (modern GPU):
| Entropy | Time to Crack |
|---|---|
| 40 bits | 0.05 seconds |
| 60 bits | 33 hours |
| 80 bits | 38 years |
| 100 bits | 40 million years |
| 128 bits | Heat death of universe territory |
Target: at least 80 bits of entropy for sensitive accounts.
Dictionary Attacks
Attackers don't try random combinations — they try common words, names, and known passwords first. The RockYou breach exposed 14 million passwords; these are the first 14 million guesses in any modern dictionary attack.
"P@ssw0rd" is not strong. It's in every dictionary list.
Rule-Based Attacks
Password cracking tools like Hashcat apply transformation rules to dictionary words: add a number, capitalize the first letter, replace 'a' with '@'. "P@ssw0rd1!" is cracked faster by rule-based attacks than a shorter truly random password.
Credential Stuffing
Leaked username/password pairs from one breach are tried against other services. Password reuse is more dangerous than a weak password — it turns one compromise into many.
What Makes a Password Actually Strong
- Length over complexity: A 20-character lowercase passphrase beats an 8-character "complex" password in entropy.
- True randomness: Human-chosen passwords are not random. We gravitate toward dictionary words, dates, keyboard patterns, and replacements ('3' for 'e'). Use a cryptographically secure random generator.
- No reuse: Every account gets a unique password. Full stop.
- No personal information: Birthdays, pet names, and address components are in every targeted attack's dictionary.
Diceware Passphrases
Diceware generates passphrases from a 7,776-word wordlist using five dice rolls per word (6⁵ = 7,776). Each word contributes log₂(7,776) ≈ 12.9 bits of entropy:
Five-word passphrase: 5 × 12.9 = 64.6 bits
Six-word passphrase: 6 × 12.9 = 77.5 bits
A six-word diceware passphrase is memorable and exceeds common security requirements.
Password Manager Best Practices
The only practical way to have unique, high-entropy passwords for every account:
- Use a password manager (Bitwarden, 1Password, KeePass).
- Generate random 20+ character passwords for every site.
- Only memorize your master password and use Diceware for it.
- Enable 2FA on your password manager account.
The master password is the only one that needs to be memorized — make it a 6-word diceware phrase with 77+ bits of entropy.
Why "Password Policies" Often Backfire
Mandatory complexity rules (must include uppercase, number, special character) reduce the effective search space by making user behavior predictable. Users reliably produce "Password1!" or "Summer2024!". Minimum length requirements with no complexity mandates produce better results.
NIST SP 800-63B explicitly recommends against mandatory complexity rules and periodic rotation for user-chosen passwords.
Generate Strong Passwords Instantly
The Password Generator on InfraHub generates cryptographically secure passwords using crypto.getRandomValues(), the browser API that draws from your operating system's secure random source. Configure length, character set, and passphrase options. All generation happens in your browser; no passwords are transmitted or logged anywhere.
For daily use, generate passwords for new accounts directly in your browser and paste them into your password manager.