password 2025-03-18

Password Security: How to Generate and Manage Strong Passwords

Learn about password entropy, generation techniques, and best practices for securing user credentials.

Password security remains one of the most critical aspects of application security. Understanding how to generate, store, and manage passwords is essential for every developer.

Password Entropy

Entropy measures the randomness of a password in bits. Higher entropy means a harder-to-crack password.

Formula: Entropy = log2(C^L) = L × log2(C), where C = character set size and L = password length. The formula assumes each character is chosen independently and uniformly at random, as a generator does; a password a person chooses has far fewer bits than the table suggests.

| Password Type   | Characters | Length | Entropy    |
|-----------------|------------|--------|------------|
| Numbers only    | 10         | 8      | 26.6 bits  |
| Lowercase       | 26         | 8      | 37.6 bits  |
| Mixed case      | 52         | 8      | 45.6 bits  |
| Mixed + numbers | 62         | 8      | 47.6 bits  |
| All printable   | 95         | 12     | 78.8 bits  |
| All printable   | 95         | 16     | 105.1 bits |

Recommendations:

  • Minimum 80 bits of entropy for important accounts
  • 128+ bits for high-security applications

Password Generation Techniques

Cryptographically Secure Random Generation

```javascript
// Build a password from the enabled character classes using the Web Crypto API
// (globalThis.crypto in browsers and in Node.js 19+).
function generatePassword(length, options) {
  const chars = {
    uppercase: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
    lowercase: 'abcdefghijklmnopqrstuvwxyz',
    numbers: '0123456789',
    symbols: '!@#$%^&*()_+-=[]{}|;:,.<>?'
  };

  let charset = '';
  if (options.uppercase) charset += chars.uppercase;
  if (options.lowercase) charset += chars.lowercase;
  if (options.numbers) charset += chars.numbers;
  if (options.symbols) charset += chars.symbols;
  if (charset.length === 0) throw new Error('enable at least one character class');

  // A bare `x % charset.length` on a 32-bit value slightly favours the first
  // characters of the charset. Rejecting values at or above the largest multiple
  // of charset.length that fits in 32 bits keeps every character equally likely.
  const limit = 2 ** 32 - (2 ** 32 % charset.length);
  const buf = new Uint32Array(1);
  let result = '';
  while (result.length < length) {
    crypto.getRandomValues(buf);
    if (buf[0] < limit) result += charset[buf[0] % charset.length];
  }
  return result;
}
```

Passphrase Generation

Passphrases use random words instead of random characters:

correct-horse-battery-staple

  • Easier to remember
  • Can have higher entropy than short complex passwords
  • Use a word list of 7,776+ words (Diceware)

Password Storage Best Practices

For Developers

1. Never store plaintext passwords

2. Use bcrypt, Argon2, or scrypt for hashing

3. Always use a unique salt per password

4. Set appropriate work factors:

- bcrypt: cost factor 12+

- Argon2: memory 64MB+, iterations 3+

```javascript
// Using bcrypt (Node.js); `await` must run inside an async function
const bcrypt = require('bcrypt');

async function hashAndVerify(password) {
  const hash = await bcrypt.hash(password, 12);       // cost factor 12; bcrypt generates and embeds a unique salt
  const match = await bcrypt.compare(password, hash); // reads the salt back from the stored hash
  return match;
}
```

For Users

1. Use a password manager

2. Enable two-factor authentication (2FA)

3. Never reuse passwords across sites

4. Use at least 12 characters

5. Avoid personal information in passwords

Common Password Attacks

| Attack              | Description                   | Defense                        |
|---------------------|-------------------------------|--------------------------------|
| Brute force         | Try all combinations          | Long passwords, rate limiting  |
| Dictionary          | Try common words              | Avoid dictionary words         |
| Rainbow table       | Pre-computed hashes           | Salt your hashes               |
| Credential stuffing | Reused passwords              | Unique passwords per site      |
| Phishing            | Trick user into revealing     | 2FA, security training         |

Generate strong passwords instantly with our Password Generator tool.