How to create a strong password: complete guide
What makes a password strong, why Math.random() is insecure, how to store passwords, and password security best practices in 2026.
What makes a password strong?
A strong password should be:
1. Long - at least 12 characters, ideally 16+
2. Random - no words, dates of birth, names
3. Unique - different for each service
4. Complex - letters + numbers + special characters
Mathematics of security
Number of possible combinations = alphabet_size^length
| Password | Alphabet | Search time |
|---|---|---|
| `1234` | 10 | instantly |
| `password` | 26 | seconds |
| `P@ssw0rd` | 72 | hours |
| `Xk9#mQ2$nLp5` | 95 | 10,000 years |
| 32 random symbols | 95 | eternity |
Why is Math.random() unsafe?
JavaScript's Math.random() is a pseudo-random number generator that is not designed for security: its sequence is predictable.
```javascript
// ❌ Unsafe - predictable
Math.random().toString(36).slice(2);

// ✅ Safe - cryptographic randomness
const array = new Uint8Array(32);
crypto.getRandomValues(array);
```

Our password generator uses crypto.getRandomValues() - the only correct approach.
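Turning those random bytes into password characters needs one more step, shown here as an added example (not the site's generator code; the function names and the 95-character alphabet constant are assumptions made for illustration). It goes slightly beyond the snippet above by using rejection sampling, so every character of the alphabet is equally likely, and by expressing alphabet_size^length as bits of entropy.

```javascript
// Added example, not the site's generator code; all names are illustrative.
// Web Crypto: global in browsers and current Node.js, with a fallback for older Node.js.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// The 95 printable ASCII characters (space through ~), matching the table's alphabet size.
const ALPHABET = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join('');

// Return a uniformly distributed integer in [0, n) for 1 <= n <= 256.
// A plain `byte % n` favours low indices whenever 256 is not a multiple of n,
// so bytes at or above the largest multiple of n are discarded and redrawn.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('n must be an integer from 1 to 256');
  }
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Build a password by drawing each character independently from the alphabet.
function generatePassword(length = 16, alphabet = ALPHABET) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  let password = '';
  for (let i = 0; i < length; i++) {
    password += alphabet[randomIndex(alphabet.length)];
  }
  return password;
}

// alphabet_size^length combinations, expressed in bits: length * log2(alphabet_size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

console.log(generatePassword(16), entropyBits(16, ALPHABET.length).toFixed(1), 'bits');
```

Pass a narrower alphabet as the second argument when a service rejects spaces or certain symbols; the entropy figure drops accordingly.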
Where to store passwords?
- ✅ Password Manager (Bitwarden, 1Password, KeePass)
- ❌ Text file
- ❌ Notes on your phone
- ❌ Browser without master password
Two-factor authentication (2FA)
Even the most complex password can be leaked. 2FA adds a second layer of protection. Use:
- TOTP applications (Google Authenticator, Authy)
- Hardware keys (YubiKey)
Generate a strong password - cryptographic randomness, without transmitting data to the server.