How to Generate a Strong Password (And Why It Actually Matters)

Why "Password123!" Is Catastrophically Weak

It has uppercase, lowercase, digits, and a symbol. By naive "complexity" rules, it should score well. In practice, it's in every dictionary attack wordlist. Password strength isn't about ticking character type boxes — it's about the mathematical entropy: how many random choices were made to produce it.

A predictable pattern like capitalise-first, replace letters with symbols, append number has near-zero entropy because attackers model human behaviour. They'll crack it before they try genuinely random passwords.

The Math Behind Entropy

Password entropy is calculated as:

Pool size = the number of unique characters available. With all four character types enabled (uppercase + lowercase + digits + symbols = ~92 chars):

ToollyX's Password Generator calculates and displays entropy in real-time with the strength labels: Very Weak (<28 bits), Weak (28–39), Fair (40–55), Strong (56–71), Very Strong (72–95), Maximum (96+).

Why crypto.getRandomValues() Matters

JavaScript's Math.random() is a pseudorandom number generator — fast but predictable. Given the seed, an attacker can reproduce every "random" number it ever generated. ToollyX uses crypto.getRandomValues(), which pulls from the operating system's cryptographically secure entropy pool (hardware events, interrupt timing, etc.). This is the same source used by password managers.

Additionally, the generator uses rejection sampling to eliminate modulo bias: it keeps drawing random values until it gets one in a range that divides evenly by the pool size, so every character has an exactly equal probability.

Every Option in the Password Generator, Explained

Length Slider (1–128)

Default is 20. For most accounts, 20 characters is overkill in the best way — no brute-force attack at realistic speeds will ever reach it. For master passwords in a password manager, use 24–32.

Character Sets

• Uppercase (A–Z): 26 characters. Always enable.
• Lowercase (a–z): 26 characters. Always enable.
• Digits (0–9): 10 characters. Enable unless a site explicitly blocks numbers.
• Symbols (!@#$%^&*…): 28 characters. Enable where allowed. Some banking sites ban symbols — disable here for those.

Exclude Ambiguous Characters

Removes O, 0, I, l, 1, S, 5 — characters that look similar depending on the font. Useful when you ever need to type the password manually. The slight entropy reduction is negligible at 16+ character lengths.

Single vs Batch Mode

Single mode generates one password with a copy button. Batch mode generates up to 50 passwords at once — useful when setting up multiple accounts or provisioning temporary credentials for a team.

URL-Safe Mode

Replaces characters that break URLs (+, /, =) with their URL-safe equivalents. Use this when the password will appear in a query string or be Base64-encoded for an API token.

After You Generate: Storing the Password Safely

A strong random password is useless if it's stored insecurely. Some options:

• Password manager (Bitwarden, 1Password, KeePass) — the right answer for most people. One master password unlocks everything.
• Encrypted notes — Use ToollyX AES Encrypt to encrypt a text file containing passwords before storing it anywhere.
• Check hash integrity — If you're validating a stored password hash, our Hash Generator produces MD5, SHA-1, SHA-256, and SHA-512.

Check an Existing Password's Strength

Not sure if your current password is strong enough? The Password Strength Checker analyses entropy, detects common patterns, and tells you exactly how much time a modern GPU-based attack would need to crack it.