Utilix knowledge base
How to Generate and Manage Secure Passwords
Published Apr 17, 2026
A weak password is the single most common entry point for account compromises. This guide explains what makes passwords strong, how secure random generation works, and how to manage many strong passwords in practice.
What Makes a Password Strong?
The strength of a password is measured by its entropy: the number of bits needed to count every string an attacker would have to try. For a password whose characters are each chosen independently and uniformly at random from a fixed set:
Entropy (bits) = log₂(character_set_size ^ length)
= length × log₂(character_set_size)
The formula only holds for generated passwords. A human-chosen 12-character password has far less entropy than the 12-character column below suggests, because people pick words, dates and keyboard patterns rather than uniform random characters.
| Character set | Size | 12-char entropy | 16-char entropy |
|---|---|---|---|
| Lowercase only | 26 | 56 bits | 75 bits |
| Lower + upper | 52 | 68 bits | 91 bits |
| Lower + upper + digits | 62 | 71 bits | 95 bits |
| All printable ASCII | 95 | 79 bits | 105 bits |
Current recommendations (NIST SP 800-63B):
- At least 8 characters required and at least 15 recommended for user-chosen passwords (this guide treats 12 as a practical floor); verifiers should accept passwords of at least 64 characters so that long passphrases are not rejected
- No composition rules (forced uppercase, digits or symbols); length contributes far more strength than mandated character classes
- Screen every new password against a blocklist of known-breached and commonly used passwords, and reject matches
- No forced periodic rotation; require a change only when there is evidence of compromise
How Password Generators Work
A secure password generator uses a cryptographically secure random number generator (CSPRNG) — not Math.random(), which is predictable. In browsers, this is crypto.getRandomValues().
The process:
- Define the character pool (for example all 95 printable ASCII characters).
- Call crypto.getRandomValues() to obtain cryptographically random bytes.
- Map each byte to a character in the pool using rejection sampling. 256 is not a multiple of 95, so a plain byte % 95 would make the first 66 characters of the pool (256 mod 95 = 66) slightly more likely than the rest; instead, discard any byte of 190 or more (190 is the largest multiple of 95 that fits in a byte) and draw again.
- Repeat until the desired length is reached.
Password Types and When to Use Them
| Type | Example | Strength | Memorability |
|---|---|---|---|
| Random ASCII | k#9Lm@qZ2eT! | Very high | Very low |
| Random alphanumeric | K9mQ2eLzTa8x | High | Low |
| Passphrase (4–6 words) | correct-horse-battery-staple | High | Much better |
| PIN | 847261 | Low | Easy |
Passphrases drawn uniformly at random from a large wordlist are both strong and memorable. With a 100,000-word list each word adds about 16.6 bits (log₂ 100,000 ≈ 16.6), so five words give roughly 83 bits. The widely used EFF long wordlist has 7,776 words (about 12.9 bits per word), where six words are needed for about 77 bits. The words must be picked by a generator, not chosen by hand, or the entropy arithmetic no longer applies.
The Biggest Mistakes
- Reusing passwords. One breach exposes every account that shares the password: leaked credential dumps are loaded into credential-stuffing tools and tried against other services within days.
- Substitutions such as p@ssw0rd. Cracking dictionaries apply these substitution rules automatically, so they add almost nothing to the strength of the underlying word.
- Personal information. Birthdates, names and pet names are among the first guesses, and they are often public on social media.
- Short passwords. An 8-character password can be brute-forced in hours on GPU hardware when the service stores it with a fast hash such as MD5, SHA-1 or NTLM, and you cannot know which hash a service uses.
- Storing passwords in a plain text file or only in the browser. A text file is not encrypted at all, and a browser's saved passwords are typically protected only by a key tied to your OS login, so any malware running under your account can read them.
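A verifier-side acceptance check that applies the NIST points from "What Makes a Password Strong?" (a length floor, no composition rules, a breach blocklist) and rejects the patterns in the list of mistakes above, as an added example that is not part of the original page. The blocklist and the substitution table are constructed samples, and the personal-information check takes whatever profile fields the caller supplies; a real deployment would screen against a full breach corpus such as a local copy of the Pwned Passwords hashes:

```javascript
// Added example (not from the Utilix page): verifier-side acceptance check in the
// spirit of NIST SP 800-63B. No composition rules are enforced; only length, a
// breach/common-password blocklist, personal information and trivial runs are checked.
const MIN_LENGTH = 12; // this guide's practical floor (NIST: 8 required, 15 recommended)

// Constructed sample; a real deployment screens against a full breach corpus.
const BREACHED_SAMPLE = new Set([
  'password', 'password1', '123456', 'qwerty', 'letmein', 'iloveyou',
  'correcthorsebatterystaple', // published example passphrases are in dictionaries too
]);

// Common "leet" substitutions, undone so that p@ssw0rd is compared as password.
const LEET = { '@': 'a', '4': 'a', '$': 's', '5': 's', '0': 'o', '1': 'i', '3': 'e', '7': 't' };

// Forms of the password that are looked up in the blocklist: as typed (lower-cased),
// with all digits and punctuation removed ("correct-horse-battery-staple"),
// with substitutions undone, and with leading/trailing digits and punctuation
// dropped before undoing substitutions ("P@ssw0rd2024!" -> "password").
function blocklistCandidates(pw) {
  const lower = pw.toLowerCase();
  const trimmed = lower.replace(/^[^a-z]+|[^a-z]+$/g, '');
  const unleet = (s) => s.replace(/[@4$50137]/g, (c) => LEET[c]).replace(/[^a-z]/g, '');
  return new Set([lower, lower.replace(/[^a-z]/g, ''), unleet(lower), unleet(trimmed)]);
}

// True for runs like "aaaaaaaa", "abcdefgh" or "87654321": every step between
// adjacent characters is the same and is 0 or ±1 in character-code terms.
function isSequential(pw) {
  if (pw.length < 4) return false;
  const step = pw.charCodeAt(1) - pw.charCodeAt(0);
  if (Math.abs(step) > 1) return false;
  for (let i = 2; i < pw.length; i++) {
    if (pw.charCodeAt(i) - pw.charCodeAt(i - 1) !== step) return false;
  }
  return true;
}

// Returns { ok, problems } where problems is a list of codes. userInfo holds
// profile fields (names, birth year, pet name) that must not appear in the password.
function checkPassword(pw, { userInfo = [], blocklist = BREACHED_SAMPLE } = {}) {
  const problems = [];
  if ([...pw].length < MIN_LENGTH) problems.push('too_short');
  for (const candidate of blocklistCandidates(pw)) {
    if (candidate && blocklist.has(candidate)) { problems.push('breached'); break; }
  }
  const lower = pw.toLowerCase();
  const leaksProfile = userInfo.some((field) => {
    const s = String(field).toLowerCase();
    return s.length >= 3 && lower.includes(s);
  });
  if (leaksProfile) problems.push('personal_info');
  if (isSequential(pw)) problems.push('sequential');
  return { ok: problems.length === 0, problems };
}

// Example usage
console.log(checkPassword('P@ssw0rd2024!'));                              // { ok: false, problems: ['breached'] }
console.log(checkPassword('Fluffy-Rex-2019!', { userInfo: ['Rex', 2019] })); // { ok: false, problems: ['personal_info'] }
console.log(checkPassword('xR7!mQ2#vLp9@Zk4'));                           // { ok: true, problems: [] }
```

Deliberately absent is any rule demanding uppercase, digits or symbols: a long random passphrase of lowercase words passes, while a 13-character "P@ssw0rd2024!" that satisfies every classic composition rule is rejected because it normalises to a breached entry.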
Using a Password Manager
A password manager generates and stores a unique strong password for every account in a vault encrypted with a key derived from your master password. You memorise one password; the manager handles the rest.
How to set one up:
- Choose a reputable manager (1Password, Bitwarden, KeePass, Dashlane).
- Create a strong master password, for example a passphrase of five or more randomly chosen words; write it on paper and keep that copy somewhere safe, because a forgotten master password usually means a lost vault.
- Import or gradually migrate your existing accounts.
- Enable 2FA on the password manager itself, preferably with a hardware security key or an authenticator app rather than SMS.
Open-source option: Bitwarden (fully audited, free tier) or KeePassXC (fully local, no cloud).
Generate a strong random password instantly with the Password Generator.