Security · April 1, 2026 · 8 min read

Password Security in 2026: Generation, Strength Testing, and Secure Storage

Weak passwords remain the leading cause of account compromise. Learn how modern password generators work, what makes a password truly strong, and why your storage method matters more than your password complexity.

Despite decades of security awareness campaigns, weak and reused passwords remain the number-one vector for account compromise. Verizon's annual Data Breach Investigations Report consistently finds that over 80% of hacking-related breaches involve stolen or weak credentials. The problem is not that users do not care about security — it is that human brains are fundamentally bad at generating and remembering random strings. Understanding how password security actually works, from generation through storage, is essential for developers building authentication systems and individuals protecting their own accounts.

What Makes a Password Strong?

Password strength is a function of two factors: the size of the character set and the length of the password. Together, these determine the total number of possible combinations an attacker must try in a brute-force attack. A password using only lowercase letters (26 characters) has 26^n possible combinations for length n. Adding uppercase letters doubles the set to 52. Adding digits brings it to 62. Adding symbols (roughly 32 printable ASCII symbols) brings it to 94.

The impact of length far exceeds the impact of character set diversity. A 12-character lowercase-only password (26^12 = 9.5 x 10^16 combinations) is stronger than an 8-character password using all character types (94^8 = 6.1 x 10^15 combinations). This is why modern security guidance from NIST (SP 800-63B) emphasizes length over complexity — a 16-character passphrase of random words is both stronger and more memorable than an 8-character string of random symbols.

How Password Generators Work

A proper password generator uses a cryptographically secure pseudo-random number generator (CSPRNG) to select characters. In browsers, this is the Web Cryptography API (window.crypto.getRandomValues), which draws entropy from the operating system's random number pool — a source seeded by hardware events like mouse movements, disk timings, and thermal noise.

The critical distinction is between Math.random() — which uses a deterministic algorithm that can be predicted if the seed is known — and crypto.getRandomValues(), which is cryptographically unpredictable. A password generator that uses Math.random() produces passwords that look random but are technically predictable by a sophisticated attacker who can determine the PRNG state. Always verify that a password generator uses the Web Crypto API or an equivalent system CSPRNG.

```javascript
// Cryptographically secure password generation
// `crypto` is the Web Crypto global (browsers, Node 19+); getRandomValues
// fills the buffer from the operating system CSPRNG.
function generatePassword(length, charset) {
  // Rejection sampling: 2^32 is not a multiple of charset.length, so a plain
  // `n % charset.length` would slightly favour the first characters of the
  // set. Values at or above `limit` are discarded to keep every character
  // equally likely.
  const limit = Math.floor(0x100000000 / charset.length) * charset.length;
  const out = [];
  const buf = new Uint32Array(length);
  while (out.length < length) {
    crypto.getRandomValues(buf); // CSPRNG
    for (const n of buf) {
      if (n < limit && out.length < length) out.push(charset[n % charset.length]);
    }
  }
  return out.join('');
}

// Usage
const charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';
const password = generatePassword(20, charset);

// INSECURE — do not use Math.random() for passwords
// Math.random() is deterministic and predictable
```

The Passphrase Alternative

Random passphrases — sequences of 4-6 randomly selected dictionary words — offer a compelling alternative to traditional character-soup passwords. A 5-word passphrase drawn from a 7,776-word list (the EFF wordlist) has 7776^5 = 2.8 x 10^19 possible combinations, equivalent to a 13-character random password using all character types. But 'correct horse battery staple' is dramatically easier to type and remember than 'j7$Kp!2xQm@n'.

The critical requirement is that the words must be selected randomly — not chosen by a human. Humans are terrible at being random: they gravitate toward common words, related concepts, and predictable patterns. A passphrase generator that uses a CSPRNG to index into a wordlist produces genuinely unpredictable passphrases that resist dictionary attacks.

How Attackers Crack Passwords

Understanding attack methods explains why certain passwords fail despite appearing complex:

  • Brute force: Trying every possible combination sequentially. Modern GPUs can compute 10+ billion hashes per second for fast algorithms like MD5 or SHA-256. This is why length matters — each additional character multiplies the search space.
  • Dictionary attacks: Trying words from dictionaries, common passwords, and leaked password databases. 'P@ssw0rd!' looks complex but is trivially cracked because the substitution patterns (a→@, o→0, add !) are well-known.
  • Credential stuffing: Using username/password pairs leaked from breached sites to log into other services. This is why password reuse is dangerous — a breach at one site compromises every account sharing that password.
  • Rainbow tables: Precomputed tables mapping hashes back to plaintexts. Defeated by salting (prepending a random value to each password before hashing), which is why all modern password hashing algorithms include salts.
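As an added example (not from the original article), here is a defender-side registration check that mirrors the dictionary-attack reasoning above: a candidate is case-folded, the well-known substitutions (a→@, o→0, trailing "!") are undone, and the result is compared against a blocklist. The blocklist is a small constructed stand-in for a real leaked-password set, and the function names are this example's own.

```javascript
// Constructed stand-in for a breached/common-password list.
const COMMON_PASSWORDS = new Set(['password', 'letmein', 'qwerty', 'welcome', 'monkey']);

// Substitutions that cracking rule sets apply automatically; undoing them
// reveals the dictionary word underneath "complex-looking" passwords.
const LEET_MAP = {
  '@': 'a', '4': 'a', '0': 'o', '1': 'i', '!': 'i',
  '3': 'e', '$': 's', '5': 's', '7': 't',
};

// Reduce a candidate to the base word an attacker's rules would try.
function normalise(candidate) {
  let s = candidate.toLowerCase();
  // Strip a short trailing run of digits/symbols such as "!", "123" or "2026".
  s = s.replace(/[^a-z]{1,4}$/, '');
  return s.split('').map((ch) => LEET_MAP[ch] ?? ch).join('');
}

// Returns a rejection reason, or null when the candidate passes this check.
// The blocklist runs first so "P@ssw0rd!" is rejected for the right reason.
function weakPasswordReason(candidate) {
  const base = normalise(candidate);
  if (COMMON_PASSWORDS.has(base)) {
    return `matches common password "${base}" after normalisation`;
  }
  if (candidate.length < 12) return 'too short';
  return null;
}
```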

Password Storage for Developers

If you build applications with user authentication, how you store passwords is a critical security decision. The golden rule: never store passwords in plaintext, and never hash them with a general-purpose hash function like SHA-256 or MD5. General-purpose hashes are designed to be fast — which is exactly what you do not want for passwords, because speed helps attackers.

Purpose-built password hashing algorithms are deliberately slow, with a tunable work factor that increases computation time as hardware gets faster:

  • bcrypt (1999): The industry standard. Uses a cost factor (10-12 typical) where each increment doubles the computation time. A cost factor of 12 takes approximately 250ms per hash — fast enough for login, but crippling for brute-force attacks.
  • Argon2 (2015): Winner of the Password Hashing Competition. Configurable for both time and memory usage, making it resistant to GPU and ASIC acceleration. Argon2id is the recommended variant for password hashing.
  • scrypt (2009): Memory-hard algorithm designed to require significant RAM, making parallel GPU attacks expensive. Used by many cryptocurrency wallets.
  • PBKDF2: NIST-approved, required by some compliance frameworks (FIPS 140-2). Uses iterated HMAC-SHA256 with configurable iteration count. The weakest of the four options but still far superior to raw SHA-256.

Always salt passwords with a unique, random value per user before hashing. The salt prevents identical passwords from producing identical hashes, defeating rainbow table attacks. All modern password hashing libraries (bcrypt, Argon2) handle salting automatically.

Password Managers: The Only Viable Solution

The average person has 80-100 online accounts. Using a unique, strong, random password for each is humanly impossible without a password manager. Password managers generate, store, and auto-fill unique credentials for every site, protected by a single master password (which should be a strong passphrase).

The security model is sound: your password vault is encrypted locally with your master password using AES-256 before being synced to the cloud. The provider never sees your plaintext passwords. Even if the provider is breached (as happened to LastPass in 2022), the attacker gets only encrypted vaults that require the master password to decrypt — which is why the master password must be genuinely strong.

Key Takeaways

  • Length beats complexity — a 16-character passphrase is stronger than an 8-character symbol soup
  • Use a CSPRNG-based password generator, never human-chosen passwords for important accounts
  • Never reuse passwords across sites — credential stuffing attacks exploit this immediately
  • Use a password manager to handle the impossible task of remembering 100+ unique passwords
  • Developers: hash passwords with bcrypt or Argon2, never with SHA-256 or MD5
  • Enable two-factor authentication (TOTP or hardware keys) wherever available — it provides a second layer even if your password is compromised
