What Makes a Password Strong: Entropy
Password strength is measured in bits of entropy. For a password whose every character is drawn uniformly at random from a fixed charset, the formula is:

entropy = log₂(charset size ^ length) = length × log₂(charset size)

Charset sizes:
• Lowercase only (a–z): 26 characters
• Lowercase + uppercase: 52 characters
• Alphanumeric (a–z, A–Z, 0–9): 62 characters
• Full printable ASCII (letters, digits and symbols, excluding the space): 94 characters

Entropy examples:
• 8-char password, lowercase only: log₂(26⁸) = 37.6 bits → very weak, crackable in seconds
• 8-char password, full charset (94): log₂(94⁸) = 52.4 bits → weak, crackable in hours with a GPU
• 12-char password, full charset: log₂(94¹²) = 78.7 bits → strong
• 16-char password, lowercase only: log₂(26¹⁶) = 75.2 bits → comparable to a 12-char full-charset password
• 20-char password, lowercase only: log₂(26²⁰) = 94.0 bits → very strong

Two caveats. The crack-time labels assume a fast, unsalted hash (NTLM, MD5) attacked offline with a modern GPU; against a deliberately slow password hash (bcrypt, scrypt, Argon2) the same passwords hold out orders of magnitude longer, and an online login that rate-limits attempts allows only a tiny fraction of that guessing. The formula also only holds for passwords that were actually generated at random: a human-chosen password of the same length and charset has far less entropy than the number suggests, because people pick words, names, dates and keyboard patterns that attackers try first.

Conclusion: length contributes more entropy than adding character types. Each extra character multiplies the search space by the charset size (×26 even for lowercase), whereas moving from lowercase to full printable ASCII only raises the per-character contribution from 4.7 to 6.6 bits. A 20-character random lowercase string (94.0 bits) is stronger than a 12-character random full-charset string (78.7 bits).
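The entropy figures above, and the crack-time labels attached to them, as an added worked example (this code is not part of the original page). It computes length × log₂(charset size) and converts the result into an expected exhaustive-search time for a few assumed guess rates; the rates are order-of-magnitude figures chosen for illustration, not benchmarks, and show why the same 52-bit password is "hours" against NTLM but decades against bcrypt.

```python
"""Entropy and brute-force time for uniformly random passwords (added example)."""
import math

# Charset sizes used in the entropy section.
CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "alphanumeric": 62,
    "printable ASCII": 94,
}

# Assumed guess rates in guesses per second. These are illustrative
# order-of-magnitude figures (roughly one modern GPU for the offline cases),
# not measurements; substitute your own hashcat benchmark numbers.
GUESS_RATES = {
    "NTLM (fast, unsalted)": 3e11,
    "bcrypt cost 5 (slow)": 2e5,
    "online login, rate limited": 10,
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password whose `length` characters are each drawn uniformly
    from `charset_size` symbols: log2(charset_size ** length). Computed as
    length * log2(charset_size) so large exponents never become big integers."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and 1 character")
    return length * math.log2(charset_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average the attacker tries half of
    the 2**bits keyspace before hitting the right password."""
    return (2.0 ** bits) / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse human-readable duration for reporting."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(label: str, charset_size: int, length: int) -> dict:
    """Entropy plus expected crack time under each assumed guess rate."""
    bits = entropy_bits(charset_size, length)
    return {
        "label": label,
        "bits": round(bits, 1),
        "crack_time": {name: human_time(expected_crack_seconds(bits, rate))
                       for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    cases = [("8 lowercase", 26, 8), ("8 printable", 94, 8),
             ("12 printable", 94, 12), ("16 lowercase", 26, 16),
             ("20 lowercase", 26, 20), ("4 diceware words", 7776, 4)]
    for label, cs, n in cases:
        r = compare(label, cs, n)
        times = "  ".join(f"{k}: {v}" for k, v in r["crack_time"].items())
        print(f"{r['label']:>18}: {r['bits']:5.1f} bits  {times}")
```

Running it reproduces the table: 8 lowercase characters fall in well under a second against NTLM but take days against bcrypt, and 12 printable characters are out of reach offline under either assumption.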
The NIST 2024 Password Guidelines
The US National Institute of Standards and Technology revised its password guidance in 2024 in the public draft of revision 4 of NIST SP 800-63B (Digital Identity Guidelines: Authentication and Authenticator Management). Key changes from old advice:

Stop requiring periodic rotation: forcing users to change passwords every 90 days leads to weaker passwords (people increment a number or flip a letter). Verifiers are now told not to require periodic changes at all, and to force a change only when there is evidence that the password has been compromised.

Stop requiring complexity rules: mandatory uppercase + number + symbol rules produce predictable substitutions (P@ssw0rd, Iloveyou1!). Verifiers are told not to impose composition rules; length matters more than character mix.

Do require a minimum length: at least 8 characters for user-chosen passwords (the draft says verifiers should require 15), and at least 6 characters for passwords generated at random by the service itself. Accept passwords of at least 64 characters so long passphrases work, accept all printable ASCII and Unicode characters including spaces, allow pasting so password managers work, and check the entire submitted password rather than silently truncating it.

Do check against known breached passwords: reject candidates that appear on a blocklist of commonly used, expected or compromised passwords, such as those exposed in data breaches (the Have I Been Pwned Pwned Passwords API publishes these). A 15-character password that has appeared in a breach is weaker than an obscure random 10-character one, because breached passwords are the first thing attackers try.

Use a password manager: the only practical way to have a unique, long, random password for every service.
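The acceptance rules above, turned into code as an added example (not NIST's or HIBP's own code). It enforces minimum and maximum length, no composition rules, no truncation, and a breach blocklist, and it shows how the k-anonymity range lookup used by Have I Been Pwned works: only the first five hex characters of the candidate's SHA-1 leave the client, and the suffix is matched locally. The "server" side and its breach corpus are simulated here so the example runs offline; the real endpoint is GET https://api.pwnedpasswords.com/range/<prefix>, which returns the same SUFFIX:COUNT format.

```python
"""NIST SP 800-63B-style password acceptance with a k-anonymity breach check
(added example). The range "server" is simulated from a constructed corpus."""
import hashlib
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for the breach corpus behind the range API (password -> times seen).
# Counts are made up for illustration.
SIMULATED_BREACH_CORPUS = Counter({
    "password": 10_000_000,
    "P@ssw0rd": 250_000,
    "Iloveyou1!": 40_000,
    "correcthorsebatterystaple": 12_000,   # long and famous, therefore burned
})


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords is keyed on upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def simulated_range_lookup(prefix: str) -> str:
    """Simulates GET /range/<prefix>: every stored hash starting with the
    5-character prefix, as 'SUFFIX:COUNT' lines. The server never sees the
    full hash, so it cannot tell which password is being checked. (The real
    service also accepts an 'Add-Padding: true' header that pads the response
    with dummy lines so response size leaks nothing either.)"""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    lines = []
    for pw, count in SIMULATED_BREACH_CORPUS.items():
        digest = sha1_hex_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup=simulated_range_lookup) -> int:
    """Client side of the k-anonymity check: send the prefix, compare the
    35-character suffix locally, return how often the password was seen."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


@dataclass
class PolicyResult:
    accepted: bool
    reason: str


def check_password(password: str, min_length: int = 8, max_length: int = 256,
                   range_lookup=simulated_range_lookup) -> PolicyResult:
    """NIST-style acceptance: length bounds (the guidelines require accepting at
    least 64 characters; the generous cap only protects the hashing step from
    megabyte inputs), no composition rules, the whole string is checked, and
    anything on the breach blocklist is rejected. Length is counted in code
    points so Unicode passphrases are not penalised."""
    n = len(password)
    if n < min_length:
        return PolicyResult(False, f"shorter than {min_length} characters")
    if n > max_length:
        return PolicyResult(False, f"longer than {max_length} characters")
    seen = breach_count(password, range_lookup)
    if seen:
        return PolicyResult(False, f"appears in breach data ({seen:,} times)")
    return PolicyResult(True, "accepted")


if __name__ == "__main__":
    for candidate in ["short", "correcthorsebatterystaple", "P@ssw0rd",
                      "zq8#Vt!pLw2$Rk9m", "plain lowercase words are fine"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

Note what is deliberately absent: there is no check for uppercase, digits or symbols, and "plain lowercase words are fine" is accepted while the far more "complex" P@ssw0rd is rejected, exactly the inversion the guidelines intend.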
Passphrases: Long, Memorable, and Secure
A passphrase is a sequence of random words: correct-horse-battery-staple (from the well-known XKCD comic). Four words drawn at random from a 7,776-word list (the standard Diceware wordlist; 7,776 = 6⁵, one word per roll of five dice) give log₂(7776⁴) = 51.7 bits of entropy. Five words give 64.6 bits, roughly a 10-character random full-charset password (65.5 bits); six words give 77.5 bits, matching the 12-character full-charset password from the entropy section (78.7 bits). The words must be chosen by dice or a CSPRNG, not by you: a phrase you compose yourself has far less entropy than the formula gives, and "correct horse battery staple" itself is now in every cracking wordlist.

The advantage: passphrases are much easier to remember and type than random character strings. For the handful of passwords you must type from memory (laptop login, password manager master password, Wi-Fi password, disk encryption) a passphrase is the best choice. For everything else, generate a 16–20 character random string and store it in a password manager. You do not need to remember it; the manager does.
Password Security Best Practices in 2025
1. Use a different password for every account. If one site is breached, unique passwords stop attackers from replaying the leaked credentials against your other accounts (credential stuffing).

2. Use a password manager (Bitwarden, 1Password, KeePass). This is the single most impactful change most people can make.

3. Enable two-factor authentication (2FA) on important accounts. A strong password plus 2FA is far more secure than a perfect password alone. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping.

4. Check whether your email address has appeared in breaches at haveibeenpwned.com. If it has, change the password for that service immediately, and for any other account where you reused it.

5. Generate passwords with a CSPRNG. Do not make up passwords mentally: human-chosen passwords are predictable even when they feel random, and a general-purpose generator such as Math.random() is unsuitable too, because its output can be predicted from earlier outputs. The ToolMint Password Generator uses the Web Crypto API (crypto.getRandomValues), which is a cryptographically secure random number generator.
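One generator for both recommendations on this page, as an added example (not the ToolMint tool's code, which uses the browser's crypto.getRandomValues; this version uses Python's secrets module, which reads the operating system's CSPRNG): Diceware-style passphrases for the secrets you must memorise (see the passphrase section) and 16–20 character random strings for everything else (item 5 above). The wordlist is a constructed 16-word stand-in for a real 7,776-word Diceware list, which is why the entropy is computed from the list size rather than assumed. The modulo_bias function shows the one mistake that is easy to make even with a good random source: reducing a random byte with % 94 makes some characters 1.5 times as likely as others.

```python
"""Passphrase and random-password generation with a CSPRNG (added example)."""
import math
import secrets
import string

# Constructed mini wordlist. A real Diceware/EFF list has 7,776 words; entropy per
# word is log2(len(wordlist)), so this 16-word list yields only 4 bits per word.
DEMO_WORDLIST = ["acid", "brass", "cloud", "delta", "ember", "flint", "gable", "harp",
                 "ivory", "jolt", "kelp", "lunar", "moss", "nova", "oxide", "pixel"]

# Printable ASCII without the space: the 94-character set from the entropy section.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation
assert len(FULL_CHARSET) == 94


def random_passphrase(words: int = 5, wordlist=None, sep: str = "-") -> str:
    """Diceware-style passphrase. secrets.choice draws from the OS CSPRNG and
    uses rejection sampling internally, so every word is equally likely."""
    wordlist = DEMO_WORDLIST if wordlist is None else wordlist
    if words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def random_password(length: int = 20, charset: str = FULL_CHARSET) -> str:
    """Random character password for a password manager; never typed from memory."""
    if length < 1 or len(charset) < 2:
        raise ValueError("need at least one character from a charset of at least two")
    return "".join(secrets.choice(charset) for _ in range(length))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` uniformly random words from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def words_for_target(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a `wordlist_size` list reaching target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def modulo_bias(range_size: int, modulus: int) -> float:
    """Ratio of the most to the least likely residue when a uniform draw from
    [0, range_size) is reduced with `% modulus`. 1.0 means no bias. For one
    random byte (256) reduced mod 94, residues 0..67 occur 3 times and
    68..93 only 2 times, so the ratio is 1.5; use rejection sampling (as
    secrets.choice does) or a range that is a multiple of the modulus."""
    q, r = divmod(range_size, modulus)
    if q == 0:
        raise ValueError("range smaller than modulus: some values can never occur")
    return (q + 1) / q if r else 1.0


if __name__ == "__main__":
    n = len(DEMO_WORDLIST)
    print("passphrase:", random_passphrase(5), f"({passphrase_bits(5, n):.1f} bits from a {n}-word list)")
    print("words needed for 78.7 bits with a 7,776-word list:", words_for_target(78.7, 7776))
    print("password:  ", random_password(20), f"({20 * math.log2(94):.1f} bits)")
    print("bias of byte % 94:", modulo_bias(256, 94), " bias of byte % 64:", modulo_bias(256, 64))
```

The same bias applies to crypto.getRandomValues in the browser: a Uint8Array reduced with `% charset.length` is biased unless the charset length divides 256, so a browser generator must reject out-of-range bytes or draw 32-bit values and accept the negligible 1.00000002 ratio that leaves.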