Saved

Utilix knowledge base

How to Generate and Manage Secure Passwords

Published Apr 17, 2026

A weak password is the single most common entry point for account compromises. This guide explains what makes passwords strong, how secure random generation works, and how to manage many strong passwords in practice.

What Makes a Password Strong?

The strength of a password is determined by its entropy — the number of possible combinations an attacker would need to try:

Entropy (bits) = log₂(character_set_size ^ length)
               = length × log₂(character_set_size)
Character setSize12-char entropy16-char entropy
Lowercase only2656 bits75 bits
Lower + upper5268 bits91 bits
Lower + upper + digits6271 bits95 bits
All printable ASCII9579 bits105 bits

Current recommendations (NIST SP 800-63B):

  • Minimum 12 characters for user-created passwords
  • No mandatory complexity rules (length matters more)
  • Check against known-breached password lists
  • Don't force periodic rotation without evidence of compromise

How Password Generators Work

A secure password generator uses a cryptographically secure random number generator (CSPRNG) — not Math.random(), which is predictable. In browsers, this is crypto.getRandomValues().

The process:

  1. Define the character pool (e.g., all printable ASCII: 95 characters).
  2. Call crypto.getRandomValues() to get a cryptographically random byte.
  3. Map the byte to a character in the pool (with rejection sampling to avoid modulo bias).
  4. Repeat until the desired length is reached.

Password Types and When to Use Them

TypeExampleStrengthMemorability
Random ASCIIk#9Lm@qZ2eT!Very highVery low
Random alphanumericK9mQ2eLzTa8xHighLow
Passphrase (4–6 words)correct-horse-battery-stapleHighMuch better
PIN847261LowEasy

Passphrases from large wordlists (100,000+ words) can achieve 80+ bits of entropy while remaining memorable. Each word adds ~17 bits (log₂ 100,000 ≈ 16.6).

The Biggest Mistakes

  1. Reusing passwords. One breach exposes all accounts. A database dump is publicly searchable within days.
  2. Substitutions like p@ssw0rd. These patterns are in every dictionary attack list.
  3. Personal information. Birthdates, names, and pet names are tried first.
  4. Short passwords. 8-character passwords can now be brute-forced in hours with specialised hardware.
  5. Storing passwords in a text file or browser only. Neither is encrypted by default.

Using a Password Manager

A password manager generates and stores unique strong passwords for every account, encrypted with a master password. You only memorise one password — the manager handles the rest.

How to set one up:

  1. Choose a reputable manager (1Password, Bitwarden, KeePass, Dashlane).
  2. Generate and store a strong master password — write it on paper and store it safely.
  3. Import or gradually migrate your existing accounts.
  4. Enable 2FA on the password manager itself.

Open-source option: Bitwarden (fully audited, free tier) or KeePassXC (fully local, no cloud).

Generate a strong random password instantly with the Password Generator.