The conventional wisdom about passwords uppercase, lowercase, numbers, symbols, change it every 90 days has been largely abandoned by security researchers. NIST's updated guidelines (SP 800-63B) take a very different approach. Generate a cryptographically secure password with the Password Generator built on the Web Crypto API.
Why Length Matters More Than Complexity
Password strength is fundamentally about entropy: the number of possible combinations an attacker must try. A 12-character password using all character classes has roughly 7212 combinations. A 20-character lowercase-only passphrase has 2620 combinations approximately 18 orders of magnitude more. Length wins.
A GPU cracking rig can test billions of 8-character passwords per second. Against a well-implemented password hash (bcrypt, Argon2, scrypt), speed is limited by the hash function but a 16+ character password is still far more resistant to offline cracking than a short complex one.
NIST Password Guidelines (SP 800-63B)
The NIST SP 800-63B guidelines recommend:
- Minimum 8 characters for user-selected passwords (15+ recommended)
- Maximum length of at least 64 characters
- Do not mandate complexity rules they produce predictable patterns (Password1!, Welcome123#)
- Do not require periodic changes only if compromise is suspected
- Do check against breached password lists reject passwords found in Have I Been Pwned
What Makes the Generated Password Cryptographically Secure?
The Password Generator uses window.crypto.getRandomValues() the browser's cryptographically secure pseudo-random number generator (CSPRNG). Unlike Math.random(), which is predictable, CSPRNG output is computationally indistinguishable from true randomness for any practical purpose. Use the generated hash output with the Hash Generator to create deterministic derivations if needed.
Password Manager or Passphrase?
The only sustainable approach to password security: use a password manager (Bitwarden, 1Password, KeePass) to generate and store a unique high-entropy password for every account. The master password should be a long passphrase four to six random common words: memorable for humans, effectively uncrackable for machines.
Frequently Asked Questions
How long should a password be?
For accounts protected by online login (rate-limited): 12 characters minimum. For offline-crackable contexts (encrypted files, private keys): 16+ characters. For administrative accounts and high-value services: 20+ characters. The marginal cost of 8 extra characters is one second of thought; the security improvement is billions of times greater resistance to brute force.
Is it safe to use an online password generator?
Yes, if it uses the browser's CSPRNG and does not send passwords to a server. The Password Generator runs entirely in your browser nothing is transmitted. You can verify this by using it offline.
What is a good password for a developer API key?
For machine-to-machine credentials: generate a 32+ character random string with full character classes, or use a 256-bit random hex string (64 hex characters). These are effectively unguessable and hash identically to any other random string.