What makes a password strong
Password strength comes down to two things: length and unpredictability. Length matters because each additional character multiplies the number of possible combinations an attacker must try. An 8-character password using only lowercase letters has about 200 billion combinations. A 16-character password using letters, numbers, and symbols has more combinations than there are atoms in the observable universe.
Unpredictability means avoiding patterns. Human-chosen passwords tend to follow predictable patterns: substituting @ for a, ! for i, capitalizing the first letter. Modern password-cracking tools account for all of these patterns. A truly random password avoids them by construction.
Uniqueness across accounts matters too. Reusing passwords means that one breach exposes all your accounts. A password manager combined with a generator makes it practical to use a unique random password everywhere.
- Use at least 16 characters for general accounts
- Use 20+ characters for email, banking, and your password manager's master password
- Include uppercase, lowercase, numbers, and symbols
- Never reuse passwords across accounts
- Never use personal information (name, birthdate, pet name)
How password generators work
A password generator uses a cryptographically secure random number generator (CSPRNG) to select characters from a chosen character set. The key word is cryptographically secure — standard random functions in many programming languages are not suitable for security purposes because they're predictable if you know the seed.
In browsers, the secure random source is window.crypto.getRandomValues(). This uses the operating system's entropy source, which collects randomness from hardware events, timing jitter, and other unpredictable sources. The Irreva Password Generator uses this API, which means the passwords it produces are genuinely unpredictable.
The generator never sends your generated password anywhere. Generation happens entirely in JavaScript in your browser tab.
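As an added illustration (not the Irreva generator's own code), the sketch below shows the approach described in this section: characters are drawn from a chosen set using crypto.getRandomValues(), with rejection sampling so every character is equally likely. The names CHARSETS, randomIndex, setsFor, generatePassword and entropyBits, and the symbol set itself, are assumptions made for this example.

```javascript
// Added example; all names and the symbol set are illustrative assumptions.
const rng = globalThis.crypto || require('node:crypto').webcrypto; // browser or Node

const CHARSETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.?',
};

// Uniform integer in [0, n) via rejection sampling: a plain `value % n`
// would favour low indices whenever 2^32 is not a multiple of n.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0xffffffff) throw new RangeError('bad n');
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Resolve class names to their character strings, rejecting unknown names.
function setsFor(classes) {
  if (classes.length === 0) throw new RangeError('no character classes');
  return [...new Set(classes)].map((c) => {
    if (!Object.hasOwn(CHARSETS, c)) throw new Error(`unknown class: ${c}`);
    return CHARSETS[c];
  });
}

function generatePassword(length = 16, classes = Object.keys(CHARSETS)) {
  const sets = setsFor(classes);
  if (length < sets.length) throw new RangeError('length too short');
  const alphabet = sets.join('');
  // One character from each requested class, the rest from the full alphabet.
  const chars = sets.map((s) => s[randomIndex(s.length)]);
  while (chars.length < length) chars.push(alphabet[randomIndex(alphabet.length)]);
  // Fisher-Yates shuffle so the guaranteed characters are not in fixed positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomIndex(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Upper bound on entropy in bits: log2(alphabet size) per character.
// Forcing one character per class lowers the true figure very slightly.
function entropyBits(length, classes = Object.keys(CHARSETS)) {
  return length * Math.log2(setsFor(classes).join('').length);
}
```

entropyBits(8, ['lower']) comes to about 37.6 bits, which is the roughly 200 billion combinations mentioned earlier for an 8-character lowercase password.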
Passphrases as an alternative
A passphrase is a sequence of random words: correct-horse-battery-staple. This approach, popularized by the xkcd comic, produces passwords that are both memorable and mathematically strong. Four common random words have more entropy than a complex 8-character password.
Passphrases are particularly useful for passwords you need to type regularly — like your computer login or password manager master password — because they're easier to type than a string of random characters without being weaker.
The downside is that passphrases are longer to type and some legacy systems have short character limits that force you to use shorter passwords.
Storing and managing generated passwords
The point of a password generator is to create passwords you don't need to remember. That only works if you store them somewhere. A password manager is the right tool — it stores all your passwords encrypted and auto-fills them when you log in.
Popular options include Bitwarden (open source, free tier), 1Password, and Dashlane. Browser built-in password managers (Chrome, Firefox, Safari) also work well for most people. The important thing is to use something rather than writing passwords down or reusing them.
When setting up a new account, generate a random password directly in your password manager's generator so it's saved automatically without you ever seeing it in plaintext.
