Security Jun 4, 2026 5 min read

What Makes a Password Actually Strong (and How to Build One)

Learn how to generate a strong password using entropy math, passphrases, and password managers — with real examples you can use today.

Most password advice is stuck in 2010. "Use a capital letter and a number" doesn't stop modern attacks — attackers use GPU rigs that test billions of guesses per second against leaked hashes. If you want a password that actually holds up, you need to think about entropy, not just complexity rules.

This post walks through what makes a password mathematically strong, how to generate one in three different ways depending on the situation, and how to verify it before you commit to using it.

What "strong" actually means

A password's strength is measured in entropy — the number of guesses an attacker would need to exhaust, expressed as a power of two (bits): 40 bits means roughly 2^40 possibilities to try. Each extra bit doubles the work required.

  • 40 bits — crackable in seconds on a modern GPU. Avoid.
  • 60 bits — minutes to hours. Still not enough for important accounts.
  • 80 bits — years on dedicated hardware. Reasonable minimum.
  • 100+ bits — effectively uncrackable with current technology.

Entropy depends on two things: the size of the character set you pull from, and the length of the password. Length wins. A 20-character lowercase password is stronger than a 10-character password using every symbol on your keyboard.

Method 1: Random character passwords

This is the gold standard for accounts where you'll never type the password manually — only your password manager will use it.

Build one in your browser console

Open any browser's DevTools console and paste this:

const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*'; // 70 symbols
Array.from(crypto.getRandomValues(new Uint8Array(64))).filter(b => b < 210).slice(0, 20).map(b => chars[b % 70]).join('') // bytes >= 210 (3 * 70) are rejected, so b % 70 picks every symbol with equal probability

That generates a 20-character password using cryptographically secure randomness — roughly 122 bits of entropy. Example output: k7$Rm2pXqL9!vNbT4@hF.

Why not just mash the keyboard?

Humans are terrible random number generators. We unconsciously favor certain key patterns, alternate hands, and avoid awkward combinations. Attackers know this and weight their guesses accordingly. Always use a source of cryptographic randomness — crypto.getRandomValues(), /dev/urandom, or your password manager's built-in generator.
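The entropy arithmetic from the section above, carried through in code: it computes bits for the character sets the post discusses, shows why a 20-character lowercase password beats a 10-character full-keyboard one, generates a password from the OS CSPRNG with unbiased symbol selection, and quantifies the skew a naive `byte % 70` selection would introduce. This is an added Python example, not code from the post; the 1e10 guesses/second rate is an assumption.

```python
import math
import secrets
import string

# Character sets discussed in the post: lowercase only, the 70-symbol set the
# console one-liner draws from, and the full printable keyboard (94 symbols).
LOWER = string.ascii_lowercase
CONSOLE_SET = string.ascii_letters + string.digits + "!@#$%^&*"       # 70 symbols
KEYBOARD = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to hit the password: on average half the keyspace is searched.
    The 1e10 guesses/second rate is an assumed GPU figure, not a measurement."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_password(length=20, alphabet=CONSOLE_SET):
    """Draw each symbol with secrets.choice, which uses the OS CSPRNG and is unbiased."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def modulo_bias(alphabet_size=70, byte_values=256):
    """Skew of the naive `random_byte % alphabet_size` trick: ratio of the most
    likely symbol's probability to the least likely one's (1.0 means unbiased)."""
    full, extra = divmod(byte_values, alphabet_size)
    return (full + 1) / full if extra else 1.0


if __name__ == "__main__":
    print(f"20 lowercase chars : {entropy_bits(len(LOWER), 20):.1f} bits")
    print(f"10 keyboard chars  : {entropy_bits(len(KEYBOARD), 10):.1f} bits")
    print(f"20 console-set chars: {entropy_bits(len(CONSOLE_SET), 20):.1f} bits")
    print(f"byte % 70 skew      : {modulo_bias():.3f}x")
    print("candidate:", generate_password())
```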

Method 2: Passphrases you can actually remember

For passwords you do need to type — your device login, your password manager's master password, your disk encryption key — random characters are impractical. Use a passphrase instead.

The Diceware approach

Diceware uses physical dice to pick random words from a list of 7,776 options. Each word adds about 12.9 bits of entropy.

  1. Roll five dice (or one die five times).
  2. The five-digit result maps to a word on the Diceware list (e.g., 43261 → orbit).
  3. Repeat six or seven times.
  4. String the words together with spaces or dashes.

Six words gives you about 77 bits — strong. Seven words gives you 90 bits — very strong. Example: orbit-tractor-fennel-bishop-cloud-anvil-tango.
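The Diceware procedure above as an added Python example (not code from the post): a parser for the word-list file format, the mapping from a five-dice roll to its position in the 7,776-entry list, a CSPRNG-backed dice roller for when physical dice are not at hand, and the per-phrase entropy. The embedded word-list lines are constructed stand-ins, except the post's own 43261 → orbit.

```python
import math
import secrets

# Diceware lists hold 7,776 lines of "<five dice digits><tab><word>". These
# constructed lines stand in for the real file so the example runs offline.
SAMPLE_LIST = """\
43261\torbit
51423\ttractor
23156\tfennel
66666\tbishop
11111\tcloud
35242\tanvil
14263\ttango
not a wordlist line
"""


def parse_wordlist(text):
    """Parse Diceware-format lines into a {roll: word} dict; other lines are ignored."""
    words = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 2 and len(parts[0]) == 5 and set(parts[0]) <= set("123456"):
            words[parts[0]] = parts[1].strip()
    return words


def roll_index(roll):
    """Map a five-digit roll such as '43261' to its 0-based position (0..7775)."""
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index


def roll_five_dice():
    """Five dice from the OS CSPRNG, returned as a string of digits 1-6."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase_entropy_bits(word_count, list_size=7776):
    """Each word drawn uniformly from N entries contributes log2(N) bits."""
    return word_count * math.log2(list_size)


def make_passphrase(wordlist, word_count, roll=roll_five_dice, sep="-"):
    """Roll word_count times and look each roll up; a roll missing from the list
    is an error rather than silently skipped, which would shorten the phrase."""
    chosen = []
    for _ in range(word_count):
        r = roll()
        if r not in wordlist:
            raise KeyError(f"roll {r} not in word list")
        chosen.append(wordlist[r])
    return sep.join(chosen)
```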

Why passphrases beat "clever" substitutions

Replacing password with p@ssw0rd! adds maybe 2 bits of real entropy because attackers run those substitutions automatically. A passphrase with truly random words is dramatically harder to brute-force, even though it looks simpler.

Method 3: Let your password manager do it

For 99% of your accounts, you shouldn't be generating passwords manually at all. A password manager handles generation, storage, and autofill.

  • Bitwarden — free, open source, self-hostable.
  • 1Password — paid, polished, excellent family sharing.
  • KeePassXC — local-only, no cloud sync by default.
  • Browser built-ins — Chrome, Firefox, and Safari all generate and store passwords now.

Configure your manager to generate 20+ character passwords with full symbol sets for every new account. You'll never see or type these passwords — they exist only inside the vault.

Rules that still matter

Unique per account, always

The single biggest risk isn't weak passwords — it's reused passwords. When one site gets breached (and they do, constantly), attackers try those credentials against every other site. A unique password per account contains the damage to that one site.

Skip the rotation theater

NIST officially dropped the "change your password every 90 days" rule years ago. Forced rotation makes people pick weaker, more predictable passwords. Only change a password if you suspect it's been compromised.

Check for prior breaches

Before settling on any password, verify it hasn't appeared in a known data breach. Services like Have I Been Pwned's Pwned Passwords API let you check without sending the actual password — they use a k-anonymity model where you only send the first five hex characters of the password's SHA-1 hash and match the remainder locally against the suffixes the service returns.
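The k-anonymity check described above, as an added Python example (not code from the post or from Have I Been Pwned): it hashes the candidate, sends only the five-character prefix to the Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>, which answers with SUFFIX:COUNT lines), and matches the 35-character suffix locally. The network fetch is injectable so the embedded, constructed response body lets it run offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup: only the 5-character hash prefix leaves the machine."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def fake_fetch(prefix):
    """Constructed stand-in for the API body (real responses run to hundreds of lines):
    one unrelated suffix, the suffix of the word 'password', and a junk line."""
    _, pw_suffix = sha1_split("password")
    return f"0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n{pw_suffix}:9545824\r\nbad line\r\n"


if __name__ == "__main__":
    print("password ->", breach_count("password", fake_fetch), "breach hits (constructed data)")
```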

Add a second factor

Even the strongest password is one phishing attack away from being stolen. Enable TOTP-based 2FA (Authy, Aegis, 1Password) or hardware keys (YubiKey) on anything important: email, banking, GitHub, your domain registrar.

Verify before you commit

Once you've generated a password, test it. A strength checker estimates how long it would take to crack using realistic attack models — dictionary attacks, pattern matching, common substitutions, and pure brute force.

Run your candidate password through the AXOX Hub Password Strength Checker to see its estimated entropy, time-to-crack across different attack scenarios, and any weaknesses the analyzer detects. If it flags your password as crackable in less than a few centuries of GPU time, regenerate and try again.

Start with one account — your email, since that's the recovery vector for everything else — and work outward. Generate a fresh password, verify it with the strength checker, store it in your manager, and enable 2FA before moving on.
