Password strength is not a vague feeling, it is a calculation grounded in mathematics and a clear threat model.
Loading Password Generator…
Plain English explanation of password entropy
Crack time estimates for common password types
The factors that actually matter for password security
Actionable guidance for stronger passwords
Drop the Password Generator into any page — blog post, product docs, intranet, school portal — with a single line of HTML. Your visitors get the full tool, processed entirely in their browser. No backend, no uploads, no signup.
Embed code
<iframe
src="https://www.fixtools.io/utilities/password-generator?embed=1"
width="100%"
height="780"
frameborder="0"
style="border:0;border-radius:16px;max-width:900px;"
title="Password Generator by FixTools"
loading="lazy"
allow="clipboard-write"
></iframe>Attribution-friendly: a small "Powered by FixTools" link appears in the embed footer.
Password strength is measured in bits of entropy, a single number that represents how unpredictable a password is to an attacker who knows the construction rules but not the specific value. The formula is straightforward. Entropy equals the base two logarithm of S raised to the power L, where S is the size of the character set the password was drawn from and L is the length of the password in characters. A password drawn from lowercase letters only, where S equals twenty six, at eight characters in length has approximately thirty seven point six bits of entropy. A password drawn from all ninety four printable ASCII characters at sixteen characters in length has approximately one hundred and five bits of entropy. The security difference between these two examples is enormous, because each additional bit of entropy doubles the number of guesses an attacker must make to find the password by brute force. Moving from thirty seven bits to one hundred and five bits multiplies the work factor by roughly two hundred and ninety five quintillion, a number so large that it ceases to have an intuitive meaning.
Crack time estimates depend heavily on the specific attack scenario you are defending against, and treating crack times as a single universal number is a common mistake that leads to wrong conclusions. In an online attack, where an attacker is guessing passwords through a real login form that imposes rate limiting, account lockouts, CAPTCHA challenges, and similar friction, even a relatively short password may be practically safe because the maximum attempt rate is bounded at a few attempts per second at best. In an offline attack, where the attacker has obtained a leaked hash of your password through a database breach, modern graphics processing unit clusters can test billions of candidate passwords per second with no rate limiting whatsoever. NIST SP 800-63B and most serious security researchers calibrate their strength recommendations around offline attack resistance because that is the scenario that makes bulk credential breaches dangerous. For offline attack resistance, a minimum of eighty bits of entropy is the widely cited threshold for a password to be considered strong.
Beyond raw entropy, practical password strength also depends critically on whether the password was constructed using patterns that attackers know about and search for first. A password like Summer2024! has eleven characters and includes uppercase, lowercase, digits, and a symbol, which superficially looks like it should be strong. Its actual security against a realistic attacker is far lower than the naive entropy calculation suggests, because it follows a pattern of season followed by year followed by symbol that appears in every modern password cracking dictionary and rule set. Password crackers run pattern based attacks long before they fall back to pure brute force, and patterns based on dates, names, common substitutions like at sign for letter a, and predictable structural rules are exhausted within seconds on commodity hardware. A truly random twelve character password is dramatically more resistant to cracking than a fourteen character password constructed from a personal phrase, even though the longer password looks superficially stronger.
A final consideration that often goes unmentioned is the role of prior breach exposure. A password that has appeared in a published data breach, even one from years ago, is now in every serious password cracker dictionary. From the attacker perspective, the password is functionally equivalent to a list lookup rather than a search problem. A previously breached password with twenty characters of mixed types is cracked the instant the attacker reaches the leaked credential dictionary in their attack pipeline, which happens within the first few seconds of any modern offline attack. The HaveIBeenPwned Passwords service lets you check whether a specific password has appeared in known breaches without transmitting the full password, and any positive match means the password should be retired immediately regardless of how strong it looks on paper.
After reading this guide, use the FixTools Password Generator to create passwords that meet the strength criteria described here.
Step-by-step guide to how strong is my password? understanding password strength:
Calculate your password's character space
Determine the character set size the password was drawn from. Lowercase letters only is twenty six characters. Adding uppercase brings it to fifty two. Adding digits brings it to sixty two. Adding common symbols brings it to ninety four. The larger the character space and the longer the password, the more total possible combinations exist and the harder the password is to brute force.
Estimate entropy in bits
Apply the formula entropy equals log base two of character space raised to the power length. Sixty bits is acceptable for most online accounts protected by rate limiting. Eighty bits is the widely cited threshold for offline attack resistance. One hundred bits or more provides a substantial margin against foreseeable advances in cracking hardware over the next decade.
Check for known patterns
Inspect the password for predictable structural patterns such as dictionary words, dates, name plus number combinations, sequential digits, or letter for symbol substitutions like at sign for a. If any are present, the real security is far lower than the entropy calculation suggests, because pattern based attacks exhaust these constructions in seconds on modern hardware before pure brute force begins.
Generate a replacement if needed
If your analysis reveals that an existing password falls short on either entropy or pattern resistance, replace it. Use the FixTools Password Generator to create a fresh credential of adequate length drawn from a wide character pool by cryptographic randomness, then update the corresponding account and save the new value into your password manager.
Common situations where this approach makes a real difference:
Security audit preparation
A security conscious user preparing to conduct a personal credential audit reads this guide first so they have a concrete framework for categorising their existing passwords. They use the entropy formula to estimate the true strength of each stored password, sort the list by weakness, and prioritise replacing the lowest entropy credentials on the highest value accounts before working through the long tail of less critical logins.
Team security training
A security manager preparing a fifteen minute lunch and learn session on password hygiene uses the entropy framework from this guide as the backbone of their explanation. The plain English version of bits of entropy and crack time gives non technical staff a mental model that lets them evaluate their own passwords confidently, rather than walking away with a vague impression that longer is better but no concrete number to aim for.
Password policy design
A developer designing the password requirements for a new application uses this guide to set policy based on actual entropy targets such as a minimum of sixty bits combined with a breach list check, rather than copying the arbitrary complexity rules that other applications use. The result is a policy that delivers real security without frustrating users into adopting predictable patterns just to satisfy a checklist.
Read this guide to understand whether your existing passwords are truly strong, or before creating important passwords to know what to aim for.
Get better results with these expert suggestions:
Run a personal password audit once a year
Set a recurring annual reminder to review every password stored in your manager and flag any that are shorter than sixteen characters, reused across multiple sites, or older than two years. Prioritise replacing the credentials for email, banking, and the password manager itself first because those accounts gate access to everything else, then work through the rest in descending order of value. A systematic annual review prevents the slow drift of credential hygiene that otherwise accumulates unnoticed over years.
Check passwords against the HaveIBeenPwned database
The HaveIBeenPwned Passwords API lets you check whether a specific password has appeared in known data breaches without transmitting the full password to the service. The API uses a k anonymity model where only the first five characters of the password hash are sent, and the service returns all matching hash suffixes for you to compare locally. If a password you use appears in the breach database, replace it immediately regardless of how strong its entropy looks, because exposure in a breach is independent of strength.
Treat visual strength meter scores with scepticism
Most password strength meters embedded in sign up forms measure only the most superficial properties such as length, character type variety, and the presence of obvious dictionary words. They do not detect subtle patterns like season plus year plus symbol or name plus birth year constructions that are weak in practice but score high on these meters. A green strength bar does not guarantee genuine strength, and only true randomness combined with adequate length actually delivers the security the meter implies.
Design password policies around entropy, not complexity rules
If you have responsibility for setting password requirements in an application or organisation, base your policy on minimum entropy targets such as sixty or eighty bits combined with a breach list check, rather than arbitrary rules like must contain at least one symbol. NIST SP 800-63B explicitly recommends against complexity rules and in favour of length minimums combined with breach checks. Complexity rules frustrate users into predictable workarounds without meaningfully improving security in any measurable way.
Length is the most important factor
Each additional character of length increases the number of possible passwords exponentially. A 20-character lowercase-only password is vastly stronger than an 8-character password with every symbol type.
Avoid substitutions and patterns
"P@ssw0rd" is not strong. Attackers know about substitution patterns (@ for a, 0 for o, 3 for e) and they are included in all modern password dictionaries. These modifications provide almost no additional security.
Complexity alone is not enough without length
An 8-character password that uses all character types can be cracked in hours with modern hardware. The same password extended to 16 characters would take decades. Always prioritise length first, then complexity.
More use-case guides for the same tool:
Other tools you might find useful:
Open the full Password Generator — free, no account needed, works on any device.
Open Password Generator →Free · No account needed · Works on any device