Short answer

A security guide to password length, randomness, uniqueness, offline attacks, and multi-factor authentication.

01

Entropy is a model, not a guarantee

A random password of length L drawn from N symbols has roughly L × log2(N) bits of theoretical entropy. The estimate only applies when selection is genuinely random. Human patterns, dictionary words, keyboard walks, and appended years shrink the real search space.

A strength meter is therefore a comparison signal. A transformed word such as 'P@ssword2026!' can be predictable, while a longer value generated by a password manager is usually stronger.

02

Crack time depends on assumptions

Online guessing is constrained by rate limits, lockouts, and MFA. Offline guessing after a database leak depends on the password hash, cost setting, and attacker hardware. Attempt rates can differ by millions of times, so no single crack-time number is universal.

Read estimates as scenarios. Services should use a password-specific function such as Argon2id, scrypt, or appropriately configured bcrypt with unique salts.

03

Choose long, random, and unique

Uniqueness across accounts can matter more than a small increase in complexity. Reusing one strong password lets a breach spread. A manager makes 16–24 random characters practical.

For a master password, a long passphrase built from independently selected random words can work well. A meaningful sentence chosen by a person is less random, so evaluate the generation method too.

  • Use a unique value per account.
  • Generate with a password manager where possible.
  • Prefer phishing-resistant MFA over SMS.
  • Change credentials after a relevant breach.
04

Local testing still needs secret hygiene

ByteQuant evaluates input in the browser and does not send it to an application server. A real password can still be exposed on shared screens, recordings, clipboard history, or devices with untrusted extensions. Test a structurally similar sample and let a password manager generate the real secret.

Plain SHA-256 is fast and unsuitable for password storage by itself. Password storage must deliberately slow guesses with an adjustable password-hashing function.

RELATED TOOLS

Put this guide into practice

29Password Strength TesterAssess a password using length, variety, estimated entropy, and crack time.16Strong Password GeneratorGenerate a random 12–128 character password with Web Crypto.18SHA-256 Digest GeneratorCalculate a SHA-256 integrity digest with Web Crypto.
Editorial note

Visual suggestion: A balance diagram connecting length, character space, attack speed, and uniqueness. This article is general information, not legal or security advice.

Turn guidance into action

Start working on-device with 29 tools

Explore tools