What Makes One Password Stronger Than Another

⏱ 5 min read · PasswordUtils

Password strength meters — those green-to-red progress bars on sign-up forms — often measure the wrong things. A meter that awards points for having a capital letter, a number, and a symbol can give high scores to passwords like "Password1!" that crack in seconds. True password strength comes from entropy — a mathematical concept that measures the actual unpredictability of a password given how it was created.

Character Space vs Entropy

Character space is how many possible characters could appear in each position. A lowercase letter has a character space of 26. Adding uppercase doubles it to 52. Adding digits makes it 62. Adding symbols expands it further to perhaps 94 common printable ASCII characters. Each additional character type increases the theoretical strength of a fully random password using those characters.

The key word is "random." Character space only translates to actual entropy when the characters are chosen randomly and independently. A password that uses a capital letter at the start, lowercase in the middle, and numbers or symbols at the end — following a predictable structure — has far lower effective entropy than a truly random character sequence of the same length.

Password strength isn't about the rules you followed — it's about how much an attacker would need to search to find it. A system that knows your rules dramatically narrows the search space. True randomness eliminates that shortcut.

The Length Factor

Length is the multiplier. Each additional truly random character multiplies the search space by the size of the character set. Going from 8 to 12 characters with a 94-character set multiplies the search space by 94^4 — approximately 78 million. This is why "use a long random string" beats "use a complex 8-character password" for resisting brute force.

What Password Generators Do Correctly

A good password generator uses a cryptographically secure random number generator (CSPRNG) — a mathematical random source that's designed specifically to be unpredictable to attackers even with knowledge of previous outputs. Browser-based generators that use the Web Crypto API's crypto.getRandomValues() satisfy this requirement.