A strong password has three properties: length (longer is always better), randomness (not based on predictable patterns), and character variety (mix of uppercase, lowercase, numbers, and symbols).
Password strength by length
| Length | Estimated brute-force time |
|---|---|
| 8 characters | Minutes to hours |
| 12 characters | Months to years |
| 16 characters | Centuries |
| 20+ characters | Practically uncrackable |
These estimates assume a sophisticated attacker running billions of guesses per second with GPU acceleration. Real-world attackers usually target reused passwords first — which is why uniqueness matters as much as length.
Why Math.random() is NOT secure
Most basic password generators use JavaScript's Math.random() — a pseudorandom function whose output is deterministic and predictable given the internal seed. In cryptographic terms, it has insufficient entropy.
Privatool's password generator uses crypto.getRandomValues(), part of the Web Cryptography API, which draws entropy from the operating system's cryptographically secure random number generator (CSPRNG). This is the same source used by password managers and cryptographic libraries.
How to generate a strong password
- Go to Password Generator
- Set length to at least 16 characters
- Enable all character sets: uppercase, lowercase, numbers, symbols
- Optionally exclude ambiguous characters (0, O, l, 1) if you need to type the password manually
- Click Generate, or generate up to 5 at once for comparison
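
The approach described in the two sections above (randomness from crypto.getRandomValues(), 16 characters, all four character sets, optional exclusion of 0, O, l, 1), written out as an added example. This is not Privatool's code; the function names, the symbol set and the Node fallback line are assumptions made for illustration.

```javascript
// Added example. In browsers `crypto` is global; the fallback is only for older Node versions.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Character sets (the symbol list is an assumption; sites differ in what they accept).
const SETS = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?",
};
const AMBIGUOUS = new Set(["0", "O", "l", "1"]); // the characters named in the steps above

// Uniform integer in [0, n) from the CSPRNG, using rejection sampling.
// A plain `byte % n` would make low indexes slightly more likely (modulo bias).
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 16, { excludeAmbiguous = false } = {}) {
  const sets = Object.values(SETS).map((s) =>
    excludeAmbiguous ? [...s].filter((c) => !AMBIGUOUS.has(c)).join("") : s
  );
  if (!Number.isInteger(length) || length < sets.length) {
    throw new RangeError(`length must be an integer >= ${sets.length}`);
  }
  const alphabet = sets.join("");
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += alphabet[randomIndex(alphabet.length)];
    // If a set is missing, redraw the whole password: patching single
    // characters in afterwards would skew the distribution.
    if (sets.every((s) => [...pw].some((c) => s.includes(c)))) return pw;
  }
}
```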
Password best practices
- Never reuse passwords across different accounts
- Use a password manager — you only need to remember one master password
- Enable two-factor authentication (2FA) on all important accounts
- Never store passwords in plain text files, browser notes, or email drafts
Recommended password managers
- Bitwarden — free, open source, cross-platform
- 1Password — excellent UX, subscription-based
- KeePassXC — offline, open source, no cloud