What Makes a Password Strong?
Password strength is determined by entropy — the number of possible combinations an attacker must try to guess it. Entropy is measured in bits: each additional bit doubles the number of possible passwords. A 16-character password using uppercase, lowercase, digits, and symbols has approximately 96 bits of entropy — strong enough that even a trillion guesses per second would take longer than the age of the universe to crack.
| Password Type | Example | Entropy | Time to Crack (1T tries/sec) |
|---|---|---|---|
| 6 lowercase | banana | 28 bits | Instant |
| 8 chars mixed | P@ss1234 | 52 bits | 2 minutes |
| 12 chars mixed | Tr0ub4dor&3 | 72 bits | 35 years |
| 16 chars mixed | X9#mK2@pL5!nR8$v | 96 bits | Longer than universe |
| 5 random words | correct-horse-battery | 58 bits | 500 years |
Password Security in India — The Threat Landscape
India is among the top 5 countries globally for data breach incidents. Major breaches affecting Indian users include the CoWIN portal (2023), MobiKwik (2021), BigBasket (2020), and numerous banking credential phishing campaigns. The most commonly compromised passwords in India are predictable: names followed by birth years (Rahul1990), mobile numbers, and simple sequences (123456, password123).
💡 Use a different password for every account. A password manager (Bitwarden is free and open source) lets you generate and store unique strong passwords for every site without memorising them.
How Our Password Generator Works
Passwords are generated using crypto.getRandomValues() — the Web Cryptography API that provides cryptographically secure random numbers. This is the same randomness source used by browsers for TLS encryption. The random values are mapped to the character pool you select, ensuring each character is independently and uniformly random.
⚠️ Avoid password generators that use Math.random() — it is not cryptographically secure and produces predictable sequences on some systems. Always use tools that explicitly state they use the Web Crypto API or an equivalent secure random source.
Should I use a passphrase instead of a random password?
Passphrases (4–5 random common words: "correct horse battery staple") are easier to remember than random character strings and can be equally strong. A 5-word passphrase has about 65 bits of entropy — strong enough for most purposes. Use random character passwords for accounts with password managers; use passphrases for the few passwords you must memorise (computer login, password manager master password).
How often should I change my passwords?
Current NIST guidelines (2024) recommend against mandatory regular password changes unless there is evidence of compromise. Frequent changes lead users to choose weaker passwords (Password1 → Password2 → Password3). Change your password when: (1) there is a breach at the service, (2) you suspect your account was compromised, or (3) you shared it with someone who no longer needs access.
Is a 12-character password enough?
For most purposes, yes. A 12-character password using all character types has ~72 bits of entropy — computationally infeasible to brute-force. However, if the service's password database is breached and stored with weak hashing, shorter passwords are more vulnerable. Use 16+ characters for financial accounts.