How long should a strong password be?

A minimum of 16 characters for standard accounts such as email, banking, and social media. Use 20 or more characters for high-value accounts. For master passwords — the password that protects your password manager vault or disk encryption — use a 6-word passphrase or a 32+ character random string. Length is the single most important factor in password strength: each additional character multiplies the brute-force search space exponentially.

What is the difference between a password generator and a password manager?

A password generator creates strong random passwords on demand. A password manager stores, organizes, and auto-fills those passwords across your devices and browsers. They are complementary tools: use a password generator to create a unique, high-entropy password for each account, then store every password in your password manager so you only need to memorize one master password. Most password managers include a built-in generator, but you can also use a standalone tool like SnapUtils and paste the result into your vault.

Are passphrases more secure than random passwords?

It depends on length and wordlist size. A 6-word passphrase drawn from the standard 7,776-word Diceware list has about 77.5 bits of entropy — stronger than most 12-character random passwords and far easier to memorize. A 16-character fully random password from the 94-character printable ASCII set achieves about 105 bits of entropy, which is stronger. For passwords you must type from memory (master passwords, encryption keys), a 6-word passphrase is practical and secure. For passwords stored in a password manager, a random character string is marginally stronger per character.

How does a cryptographically secure random password generator work?

A secure password generator uses the browser's built-in crypto.getRandomValues() API, which draws entropy from the operating system's hardware-based entropy pool. This produces output that is computationally indistinguishable from true randomness — unlike Math.random(), which is a predictable pseudorandom sequence. The generator maps random bytes to characters in the desired charset using rejection sampling to avoid modulo bias, ensuring a perfectly uniform distribution. Everything runs client-side in your browser; no password is ever sent to a server.

Should I use the same strong password for multiple accounts?

No. Even a very strong password becomes a liability when reused. If any one of the services you used it on suffers a data breach, attackers will test that password against every other service associated with your email address — a technique called credential stuffing. Every account must have its own unique password. A password manager makes this practical: generate a unique random password for each account, store them all in the manager, and never type or remember any of them except your master password.

Password Generator: How to Create Unbreakable Passwords

Published April 23, 2026 · SnapUtils Password Security Guide

Why Weak Passwords Are Still the #1 Attack Vector in 2026

Despite two decades of security warnings, "123456" and "password" remain among the most commonly used passwords worldwide. In 2026, credential stuffing — where attackers use previously leaked username/password pairs to break into new accounts — accounts for billions of automated login attempts every day. The reason it works is devastatingly simple: people reuse passwords across sites, and breached databases are bought and sold on dark web markets for pennies per record.

According to breach analysis reports, over 80% of hacking-related breaches involve weak or stolen passwords. Phishing, malware, and social engineering are all real threats — but the most efficient attack against most accounts is still just trying the password the target uses everywhere else. A truly random, unique password for every account closes that attack vector completely. A free password generator lets you create one in under a second.

What Is Password Entropy?

Entropy is the measure of unpredictability in a password, expressed in bits. The higher the entropy, the harder it is for an attacker to guess the password by brute force. The formula is straightforward:

Entropy (bits) = log₂(charset size^length) = length × log₂(charset size)

For example, a password drawn from a character set of 26 lowercase letters has log₂(26) ≈ 4.7 bits of entropy per character. An 8-character lowercase password therefore has roughly 4.7 × 8 = 37.6 bits of entropy. That sounds like a lot — but modern GPU-based password crackers can test billions of candidates per second, meaning a 37-bit password falls in hours.

Expand to 94 printable ASCII characters (lowercase + uppercase + digits + symbols) and each character contributes about 6.5 bits. An 8-character password from that set has 52 bits of entropy — still crackable in days or weeks with dedicated hardware. A 16-character password from the same set reaches 104 bits — a number that would take longer than the age of the universe to brute-force exhaustively, even with future hardware improvements.

Password	Charset Size	Length	Entropy (bits)	Crack Time (offline)
lowercase only	26	8	~37.6	Hours
Mixed alphanumeric	62	8	~47.6	Days
Full ASCII printable	94	8	~52.4	Weeks
Full ASCII printable	94	16	~104.9	Practically impossible
Full ASCII printable	94	20	~131.1	Far beyond feasible

Why Length Beats Complexity

Security professionals have repeated this for years: length matters more than complexity. Here is the math. An 8-character password using the full set of 94 printable ASCII characters has about 52 bits of entropy. A 20-character password using only lowercase letters (26 characters) has 20 × 4.7 = 94 bits of entropy. The longer, simpler password is astronomically harder to crack.

This is why the old advice — "use an uppercase letter, a number, and a symbol" — was always misleading. Adding one uppercase letter and one digit to an 8-character password moves the entropy from about 37 bits (lowercase only) to roughly 50 bits. That is a meaningful improvement, but nowhere near as effective as just making the password longer.

The brute-force time scales exponentially with length and only polynomially with character set size. Doubling the charset size from 50 to 100 characters adds one bit of entropy per character. Adding one character to the length adds log₂(charset) bits — typically 4.7 to 6.5 bits. Length wins, every time.

Time-to-Crack Comparison

Assuming a modern offline cracking rig testing 10 billion passwords per second:

Password Type	Entropy	Time to Crack (Brute Force)
8 chars, lowercase only	37.6 bits	~4 hours
8 chars, mixed case + digits + symbols	52.4 bits	~13 days
12 chars, lowercase only	56.4 bits	~2 months
16 chars, mixed case + digits + symbols	104.9 bits	>1 billion years
20 chars, lowercase only	94 bits	~620,000 years
4-word passphrase (7776-word wordlist)	51.7 bits	~13 days
6-word passphrase (7776-word wordlist)	77.5 bits	~3,500 years

Random Strings vs. Passphrases

There are two dominant approaches to generating high-entropy passwords: truly random character strings and word-based passphrases. Both are secure when done correctly. The right choice depends on whether you need to type or remember the password.

Random Character Strings

A password like X7#mK9pL@qR2vN5s achieves maximum entropy per character. Every position is independently random across the full character set, giving an attacker no patterns or structure to exploit. The downside is memorability — these passwords are essentially impossible to remember without a password manager. That is fine for 99% of passwords, since you should be using a password manager for most accounts anyway.

Passphrases

A passphrase combines random words: correct-horse-battery-staple (made famous by XKCD comic 936) or lavender-trumpet-snowfall-Jupiter. From a wordlist of 7,776 words (the Diceware standard), each word contributes log₂(7776) ≈ 12.9 bits of entropy. A 6-word passphrase reaches 77.5 bits — strong enough for almost any use case, and far easier to type and recall than a random string of the same entropy.

Passphrases are especially appropriate for master passwords (your password manager vault password, disk encryption, SSH keys) where you genuinely need to type the password from memory under pressure. For everything else, a random string stored in your password manager is the better choice.

The Anatomy of a Strong Password

A strong password has several structural properties, each contributing to its security:

Length

The single most important factor. Use a minimum of 16 characters for standard accounts (email, banking, social media). Use 20 or more for high-value accounts. Use a 6-word passphrase or 32+ character random string for master passwords and encryption keys. There is no upper limit — longer is always stronger.

Character Variety

Include uppercase letters (A–Z), lowercase letters (a–z), digits (0–9), and symbols (\!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~). Each additional character type expands the effective search space. However, as demonstrated above, character variety matters less than length — prioritize length first, variety second.

True Randomness

The password must be generated by a cryptographically secure source, not by a human. Humans are terrible random number generators. We unconsciously avoid certain character combinations, favor patterns, and bias toward keyboard proximity. A password that feels "random" to you has far less entropy than it appears. Use a proper random password generator — every time.

Uniqueness

Every account gets its own password. Password reuse turns a single breach into a master key. If an attacker gets your password from a breached forum you signed up for in 2018, they will try it on your email, your bank, your cloud storage, and every other site they know you use. One unique password per account breaks the chain completely.

What Makes a Password Weak

Understanding weak password patterns helps you recognize them in existing passwords that need to be changed.

Dictionary Words

Any single word found in a dictionary is vulnerable to dictionary attacks — attacks that test known words before trying random combinations. This includes words in any language, proper nouns, and names. "dragon", "sunshine", "liverpool", "jessica" — all crackable in milliseconds. Combining two dictionary words ("sunshinedragon") is better but still guessable with a compound-word attack.

Keyboard Patterns

Patterns like "qwerty", "123456", "qwerty123", "zxcvbn", "1qaz2wsx" are among the most commonly used passwords globally. Attackers include keyboard walk patterns in their dictionaries. Any sequence of adjacent keys — horizontal, diagonal, or in common shapes — is immediately vulnerable.

Personal Information

Birthdays, pet names, children's names, anniversaries, phone numbers, street addresses, and school names are all guessable through social engineering or public social media profiles. Even combinations like "emma1995" are trivially crackable. Personal information reduces entropy dramatically because the search space is the attacker's knowledge about you, not the mathematical space of all possible characters.

Sequential Numbers and Letters

"123456", "abcdef", "111111", "aaaaaa" — sequential and repeated patterns are included in every cracker's first-pass wordlist. They provide almost no actual entropy despite appearing to contain multiple characters.

Password Reuse

Even a genuinely strong password becomes a liability when it is reused. Credential stuffing attacks automate the testing of known passwords against thousands of services. A password that was strong when you created it becomes a skeleton key the moment any one of the services it was used on suffers a breach.

Generate a Strong Password Instantly

No sign-up, no watermarks. Set your desired length, choose your character types, and get a cryptographically secure random password in one click.

Generate Password →

Password Manager Tips

The core insight behind password managers is simple: the human brain is not designed to remember 200 unique, random, 20-character passwords. A password manager removes that requirement entirely. You memorize one strong master password and let the manager handle everything else.

How Password Managers Work

A password manager encrypts your vault — the database of all your stored passwords — using a key derived from your master password. The encryption (typically AES-256) happens locally on your device before any data is synced to the cloud. Even if the password manager's servers are breached, the attacker gets encrypted blobs that are useless without your master password. Your master password never leaves your device in plaintext.

Choosing a Password Manager

Look for an open-source or independently audited manager with a published security model. Leading options include Bitwarden (open source, self-hostable), 1Password, and KeePassXC (fully local). All major managers support browser extensions that auto-fill credentials, mobile apps, and secure sharing. Most offer free tiers sufficient for personal use.

Vault Backup

Export an encrypted backup of your vault periodically and store it somewhere separate from your primary device — an encrypted USB drive, a second cloud account, or a printed emergency sheet. Losing access to your vault without a backup is genuinely catastrophic for account recovery. Most password managers provide an export function; use it.

Common Password Mistakes That Feel Safe

Some password practices feel secure but provide minimal protection against modern attacks.

Leet-Speak Substitutions

Replacing letters with visually similar characters — "p@ssw0rd", "s3cur1ty", "Pa$$word" — adds almost no entropy. These substitutions are universally known and included in cracker rule sets. The password "P@$$w0rd" has the same practical security as "Password" against a dictionary attack with rules applied. It might fool a naive password strength meter; it will not fool a real attacker.

Using the Same Strong Password Everywhere

A 20-character random password is extremely strong. Reusing it across 50 sites means one breach of any of those 50 sites exposes all 50 accounts. Strength and uniqueness are both required. One without the other is insufficient.

Security Question Answers

Security questions are a parallel authentication channel — and one that is often weaker than your password. "Mother's maiden name", "first pet", and "childhood street" are guessable from social media profiles or public records. Treat security question answers as additional passwords: generate random strings for them, store them in your password manager, and never use real answers.

Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step beyond your password. Even if an attacker obtains your password through a breach or phishing, they cannot access your account without also passing the second factor. Enable 2FA on every account that offers it — especially email, banking, and any account used to reset other accounts.

TOTP Apps vs. SMS

Time-based one-time passwords (TOTP), generated by apps like Authy, Google Authenticator, or 1Password, are strongly preferred over SMS-based 2FA. SMS 2FA is vulnerable to SIM swapping attacks, where an attacker convinces your mobile carrier to transfer your phone number to their SIM card. TOTP codes are generated locally on your device and never transit the cellular network. If a service offers both, always choose TOTP.

Backup Codes

When you enable 2FA, every service generates a set of one-time backup codes for account recovery. Download and store these codes securely — in your password manager or printed in a physically secured location. Losing both your 2FA device and your backup codes simultaneously can result in permanent account lockout, even with the correct password.

How a Password Generator Works

Not all random number generators are created equal. A critical distinction exists between general-purpose pseudorandom number generators (PRNGs) and cryptographically secure pseudorandom number generators (CSPRNGs).

Why Math.random() Is Not Secure

JavaScript's Math.random() function is a PRNG seeded with a value that can often be predicted or inferred from timing information or other observable side channels. PRNGs produce output that is statistically random but algorithmically deterministic — if an attacker knows the seed or enough output, they can reconstruct the full sequence and predict what "random" values were generated. Using Math.random() to generate passwords means the passwords are not truly random, and in some environments they are predictable.

crypto.getRandomValues() — The Correct Approach

Browsers expose window.crypto.getRandomValues(), which draws entropy from the operating system's entropy pool — hardware events, interrupt timing, and other genuinely unpredictable sources. This is a CSPRNG: even with complete knowledge of previously generated values, an attacker cannot predict future output. Every reputable password generator, including SnapUtils, uses crypto.getRandomValues() exclusively. There is no fallback to Math.random().

The generation algorithm is straightforward: fill a typed array with random bytes using crypto.getRandomValues(), then map each byte to a character in the desired charset using modulo arithmetic (with rejection sampling to eliminate modulo bias). The result is a uniformly distributed random selection across the charset — mathematically indistinguishable from a physical dice roll over the character set.

Client-Side Generation

A well-designed password generator runs entirely in your browser. No password is ever transmitted to a server. The SnapUtils password generator generates all passwords client-side; nothing you generate is logged, stored, or sent anywhere. You can verify this by loading the tool and disconnecting from the internet — it continues to work, because no network call is required.