Updated: 2026-07-11
中文 EN

How to Safely Generate Strong Passwords: Cryptography Principles and Practice

📅 July 4, 2025 ⏱️ 8 min read 🏷️ Security Guide

Passwords are the first line of defense in the digital world. Statistics show that over 80% of data breaches involve weak or reused passwords. But the advice "use a strong password" is too vague—what exactly makes a password strong, and why? This article starts from the cryptographic concept of entropy, dissects common attack methods, and teaches you how to generate truly secure passwords using scientific methods.

The Mathematical Foundation of Password Strength: Entropy

In cryptography, password strength is measured by information entropy (Shannon Entropy), in bits. The higher the entropy, the harder the password is to guess or crack. The formula is:

H = L × log₂(N)

Where:

For example, an 8-character password using only lowercase letters (N=26):

H = 8 × log₂(26) ≈ 8 × 4.7 = 37.6 bits

And a 16-character password using uppercase, lowercase, digits, and symbols (N≈94):

H = 16 × log₂(94) ≈ 16 × 6.55 = 104.8 bits

Each additional bit doubles the cracking difficulty. From 37.6 to 104.8 bits, the difficulty increases by about 2^67—a truly astronomical number.

Password Entropy Rating Scale

NIST's latest guidelines recommend: minimum 8 characters, ideally 15 or more. OWASP explicitly recommends at least 12 characters.

Common Password Attack Methods

Understanding how attacks work is the first step to defending against them:

1. Brute Force Attack

The attacker tries every possible character combination. Efficiency depends on password entropy and attacker computing power. A single NVIDIA RTX 4090 can attempt billions of SHA-256 hashes per second. An 8-character all-digits password is cracked within seconds.

2. Dictionary Attack

Instead of trying all combinations, the attacker uses a precompiled "password dictionary" containing common passwords, words, phrases, and variants (e.g., Password1, P@ssw0rd). Statistics show the top 1,000 common passwords cover about 90% of user accounts.

3. Credential Stuffing

Username-password pairs leaked from Site A are bulk-tested against Sites B, C, and D. If you reuse passwords across platforms, a breach on one platform compromises all others. According to Verizon, nearly 50% of data breaches involve credential theft.

4. Rainbow Table Attack

Targets unsalted password hashes. Attackers precompute hashes of common passwords and build a "hash → plaintext" mapping table. Systems using MD5/SHA1 without salting are especially vulnerable.

5. Social Engineering

The most efficient attack often requires no technical skill. Phishing emails, fake customer support, and social manipulation can extract passwords directly. No password is strong enough against deliberate disclosure.

How to Use a Password Generator Correctly

The password generator is the best tool for creating high-entropy passwords, but it must be used correctly to be effective.

Principle 1: Use a Cryptographically Secure Random Source

Standard Math.random() is a pseudo-random number based on a seed value and is predictable. A proper password generator should use crypto.getRandomValues(), which sources randomness from OS-level entropy (hardware noise, interrupt timing, etc.):

// ❌ Insecure pseudo-random
function weakRandom(length) {
  const chars = 'abcdefghijklmnopqrstuvwxyz';
  let result = '';
  for (let i = 0; i < length; i++) {
    result += chars.charAt(Math.floor(Math.random() * chars.length));
  }
  return result;
}

// ✅ Cryptographically secure random
function secureRandom(length) {
  const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';
  const array = new Uint32Array(length);
  crypto.getRandomValues(array);
  return Array.from(array, x => chars[x % chars.length]).join('');
}

Principle 2: Prioritize Length Over Complexity

A 20-character all-lowercase password (entropy ≈ 94 bits) is more secure than a 10-character mixed password (entropy ≈ 65 bits). Length is the most effective way to increase entropy.

Recommended settings:

Principle 3: Exclude Ambiguous Characters

If you need to type the password manually (WiFi passwords, hardware tokens), exclude ambiguous characters: 0 vs O, l vs 1 vs I. Good generators provide a one-click exclusion option.

Principle 4: Unique Password per Account

This is the only defense against credential stuffing. The human brain cannot remember dozens of complex passwords, so a password manager (Bitwarden, 1Password, KeePass, etc.) is essential.

Secure Password Storage Practices (Developer Perspective)

If you are a developer handling user passwords, follow these principles:

  1. Never store plaintext passwords. Always store hashes
  2. Use dedicated password hashing algorithms: bcrypt, scrypt, or Argon2—not MD5/SHA-256
  3. Add a random salt. Each user gets a unique random salt to defeat rainbow tables
  4. Set an appropriate work factor. bcrypt cost factor of at least 10–12, making hashing take >100ms
  5. Implement login rate limiting. Prevent online brute-force attacks
// Node.js bcrypt example
const bcrypt = require('bcrypt');
const saltRounds = 12;

// Hash at registration
const hash = await bcrypt.hash(plaintextPassword, saltRounds);

// Verify at login
const match = await bcrypt.compare(inputPassword, storedHash);

Two-Factor Authentication: The Ultimate Password Booster

Even with a strong password, enabling 2FA/MFA is critical. Recommended priority:

  1. Hardware security keys: YubiKey, Titan Security Key (strongest phishing resistance)
  2. TOTP apps: Google Authenticator, Aegis, Microsoft Authenticator
  3. SMS verification: Last resort—vulnerable to SIM swapping

Conclusion

Password security is not mysticism—it is quantifiable science. Through entropy formulas we can precisely calculate password strength; by understanding attack methods we can target our defenses. The password generator, combined with a password manager and two-factor authentication, forms a three-layer protection system for modern digital identity. Remember: security is a habit, not a one-time task.

🛠️ Related Tools

Password Generator Hash Generator UUID Generator Base64 Encoder Random Number Generator