
Password Generator FAQ — Strong Passwords, Security & Best Practices

Answers about password security: how long should a password be, what makes a strong password, password managers, and two-factor authentication.

Q1 How long should a password be?

NIST SP 800-63B sets a floor of 8 characters for user-chosen passwords, and its 2024 draft revision recommends at least 15; for a randomly generated password, 12-16+ characters is a good target. Each additional character multiplies the search space by the size of the alphabet (95x for printable ASCII), so the space grows exponentially with length. Generate strong passwords with the Password Generator.

Q2 What makes a strong password?

A strong password is: (1) long — at least 12 characters; (2) random — not based on words, names, or patterns; (3) unique — different for every account; (4) mixed — uses uppercase, lowercase, numbers, and symbols.

Q3 Are password generators safe?

Yes, provided they draw from a cryptographically secure random number generator (CSPRNG); a generator built on Math.random() or on numbers fetched from a server is not safe. The Password Generator runs entirely in your browser using crypto.getRandomValues(). No passwords are sent to any server, which you can confirm in the browser's network inspector while generating.

Q4 Should I use a password manager?

Yes. Password managers (1Password, Bitwarden, KeePass) solve the core problem: you need a unique, strong password for every account but cannot remember hundreds. You only need one master password. Since it guards everything else, make it a long passphrase and protect the vault with 2FA.

Q5 What is a passphrase?

A passphrase is a sequence of randomly chosen words, such as "correct horse battery staple". It is easier to type and remember than a random character string and just as strong per bit of entropy; the strength comes from the words being picked by dice or a CSPRNG from a large list, not by you. A 5-word Diceware passphrase (7776-word list, about 12.9 bits per word, roughly 65 bits in total) is strong for most uses.

Q6 How often should I change my password?

NIST SP 800-63B has advised against mandatory periodic changes since 2017, and its 2024 draft revision prohibits them outright: forced rotation leads people to choose weaker passwords and predictable variants of the old one. Change a password only when: (1) you suspect compromise; (2) a service reports a breach; (3) you shared it temporarily.

Q7 What is two-factor authentication (2FA)?

2FA adds a second, independent factor to the password (something you know): something you have (phone, hardware key) or something you are (fingerprint). Common methods: TOTP apps (a good default, though a six-digit code can still be phished by a fake site that relays it in real time), SMS codes (weakest; vulnerable to SIM swapping), hardware keys and passkeys (strongest; phishing-resistant because the response is bound to the site's origin).

Q8 What is entropy in passwords?

Entropy measures the unpredictability of a password in bits: log2 of the number of equally likely possibilities. A 12-character password drawn uniformly from the 95 printable ASCII characters has 12 x log2(95), about 79 bits. The figure only applies to randomly generated passwords; a human-chosen 12-character password has far fewer bits because it is built from words and patterns. Higher entropy = harder to crack. Rough scale: 40 bits = weak, 60 = moderate, 80+ = strong, 128+ = beyond any brute-force search.

Q9 How do hackers crack passwords?

Methods: (1) brute force: try every combination; (2) dictionary attacks: try common words, names and predictable variants; (3) credential stuffing: replay username/password pairs leaked from other sites; (4) rainbow tables: precomputed hash lookups, which only work against unsalted hashes; (5) phishing. Strong, unique passwords defend against all but phishing, which is what phishing-resistant 2FA (a hardware key or passkey) is for.

Q10 What passwords are most commonly used?

The most common passwords: 123456, password, 123456789, qwerty, 12345678. These are cracked instantly. Never use any dictionary word, name, date, or keyboard pattern. Use a random generator instead.

Q11 Is it safe to write passwords down?

Physical notes are safer than reusing passwords, but worse than a password manager. If you must write them down: store in a locked drawer, never label them as passwords, and destroy when no longer needed.

Q12 What is a credential leak?

A credential leak occurs when a service is breached and its user database is exposed. Check if your email is in known breaches at haveibeenpwned.com. Defense: use unique passwords per account and enable 2FA.

Q13 What is the difference between hashing and encrypting passwords?

Passwords should be hashed, not encrypted. Hashing is one-way: even the service cannot recover your password, it can only check a login attempt by recomputing the hash. Encryption is two-way: if the key is stolen, every password is exposed at once. The hash must be slow and salted (Argon2id, scrypt, bcrypt); a fast hash such as MD5 or SHA-256 can be guessed at billions per second and, without a salt, looked up in a precomputed table.
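Q9's rainbow tables and the hashing point above, as an added Python example (not the page's own code): a lookup table over the Q10 list shows why an unsalted fast hash is a reversible directory of common passwords, and a per-password random salt plus scrypt (the standard library's memory-hard KDF; Argon2id needs a third-party package) makes such a table useless. The scrypt work factor and the record format are assumptions chosen for this demonstration.

```python
import base64
import hashlib
import hmac
import secrets

# --- what NOT to do: an unsalted fast hash -------------------------------------
# The five most common passwords from Q10. A real attacker precomputes millions.
COMMON_PASSWORDS = ["123456", "password", "123456789", "qwerty", "12345678"]


def unsalted_sha256(password: str) -> str:
    """How a naive service might store a password: one fixed hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Map sha256(password) -> password: a miniature rainbow/lookup table."""
    return {unsalted_sha256(p): p for p in candidates}


def recover_unsalted(sha256_hex: str, table: dict):
    """Any unsalted digest present in the table is 'cracked' by one dict lookup."""
    return table.get(sha256_hex)


# --- what to do: per-password random salt + slow, memory-hard KDF ---------------
# Assumed work factor: n=2**14 with r=8 costs about 16 MiB per hash. Raise as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hash_password(password: str) -> str:
    """Return a self-describing record scrypt$N$r$p$salt$digest.

    Storing the parameters lets you raise the work factor later and re-hash
    users transparently at their next login.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False          # malformed record: fail closed, never raise on the login path
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = unsalted_sha256("qwerty")          # what a breached unsalted DB contains
    print("unsalted sha256 recovered:", recover_unsalted(leaked, table))
    rec1, rec2 = hash_password("qwerty"), hash_password("qwerty")
    print("same password, different records:", rec1 != rec2)
    print("verify right/wrong:", verify_password("qwerty", rec1), verify_password("Qwerty", rec1))
```

Note that salting does not rescue "qwerty" itself: a weak password is still guessed quickly by a dictionary attack on the salted hash. The salt removes the precomputation shortcut, the slow KDF raises the cost per guess, and a strong password is what makes the remaining search infeasible.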

Q14 Should passwords include special characters?

Special characters help, but length matters more. For randomly generated passwords, a 16-character lowercase-only password (26^16, about 75 bits) is stronger than an 8-character one drawn from all 95 printable characters (95^8, about 53 bits). Use both length and the full character set for maximum security.

Q15 How do I generate a random password in Python?

Use the secrets module (cryptographically secure): import secrets, string; alphabet = string.ascii_letters + string.digits + string.punctuation; password = ''.join(secrets.choice(alphabet) for _ in range(16)). Never use the random module for passwords: it is a general-purpose PRNG (Mersenne Twister) whose future output can be reconstructed from a few hundred observed values.

Q16 What is a brute-force attack?

A brute-force attack tries every possible password. At 10 billion guesses per second (a GPU rig against a fast, unsalted hash such as NTLM or MD5): the 26^6 space of a 6-character lowercase password is exhausted in about 0.03 seconds; the 95^8 space of an 8-character printable-ASCII password in about 8 days; the 95^12 space of a 12-character one in about 1.7 million years. Against a slow, salted hash (bcrypt, scrypt, Argon2) the guess rate drops by several orders of magnitude. Length is your best defense.

Q17 Are biometric passwords secure?

Biometrics are convenient but have limitations: a fingerprint or face cannot be changed if a copy leaks, sensors can be fooled by replicas, and in some jurisdictions a court can compel you to unlock a device biometrically where it could not compel a password. Use biometrics as a second factor alongside a strong password, not as a replacement for one.

Q18 What is a hardware security key?

A hardware security key (YubiKey, Google Titan) is a physical USB/NFC device that answers authentication challenges with a private key that never leaves the device. It is the strongest form of 2FA: resistant to phishing because the signed response is bound to the site's origin, so a look-alike site gets nothing usable; no batteries; works offline. Register a second key as a backup so a lost key does not lock you out.

Q19 How do I create a memorable but strong password?

Use a passphrase: combine 4-6 words chosen at random from a Diceware list, by dice or a generator rather than by hand: "maple-rocket-seven-cloud-piano". Or use the Password Generator and save the result in a password manager.
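A generator for Q15's character passwords and the passphrases of Q5 and Q19, as an added Python example that extends the one-liner in Q15 (not the page's generator code): both functions draw from the secrets module; the character version keeps sampling until every class is present, and the passphrase version samples words from a list. The word list is a constructed 32-word sample so the block runs offline; a real Diceware list has 7776 words, which is where Q5's 12.9 bits per word come from.

```python
import secrets
import string

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)
ALPHABET = "".join(CHARACTER_CLASSES)   # 94 printable ASCII characters (space excluded)


def has_all_classes(password: str) -> bool:
    """True if at least one character from every class is present."""
    return all(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)


def generate_password(length: int = 16) -> str:
    """Uniformly random password guaranteed to contain every character class.

    Rejection sampling (draw, check, retry) keeps the result uniform over all
    qualifying passwords. The tempting alternative, "one from each class, then
    shuffle", skews the distribution and slightly lowers the entropy.
    """
    if length < len(CHARACTER_CLASSES):
        raise ValueError(f"length must be at least {len(CHARACTER_CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


# Constructed sample word list (an assumption for this demo, 32 words = 5 bits each).
# A real Diceware list has 7776 words, about 12.9 bits each.
SAMPLE_WORDS = ("maple rocket seven cloud piano river anchor basil candle dragon "
                "ember falcon garlic harbor island jacket kettle lantern marble nickel "
                "orchid pepper quartz rabbit saddle timber umbrella velvet walnut yellow "
                "zipper copper").split()


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDS, separator: str = "-") -> str:
    """Each word is chosen independently and uniformly by the CSPRNG, never by a human.

    Entropy is words * log2(len(wordlist)); repeats are allowed and are part of it.
    """
    if words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_passphrase(5))
```

The character set here is 94 symbols rather than the 95 quoted in Q8 because string.punctuation omits the space; include it only if every site you use accepts spaces in passwords.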

Q20 What is passwordless authentication?

Passwordless auth eliminates passwords entirely, using: magic links, passkeys (WebAuthn/FIDO2), biometrics, or hardware keys. Passkeys are the leading standard — supported by Apple, Google, and Microsoft.
