Every data breach starts with a weak password. Yet most developers still use predictable patterns — company name + year, keyboard walks like qwerty123, or the same password across services.
Here is what actually makes a password strong, and how to generate ones that would take centuries to crack.
What Makes a Password Strong?
Password strength comes down to entropy, measured in bits: log2 of the number of possible combinations an attacker must try.
| Password | Entropy | Crack Time (10B guesses/sec) |
|---|---|---|
| password123 | 20 bits | Instant |
| Tr0ub4dor&3 | 28 bits | 3 seconds |
| correct horse battery staple | 44 bits | 550 years |
| kX9#mP2$vL7@nQ4& | 72 bits | 150 billion years |
The math is simple: length beats complexity. A 16-character random password is exponentially stronger than an 8-character complex one.
Rules for Developer Passwords
1. Use 16+ characters minimum
Every extra character multiplies the search space by the size of the alphabet (every extra bit of entropy doubles it). 16 random alphanumeric characters = ~10^28 combinations.
2. Use a password manager
You should only memorize ONE password — your master password. Everything else should be randomly generated and stored in a manager (Bitwarden, 1Password, KeePass).
3. Use passphrases for memorable passwords
Need to actually remember it? Use 4-6 random words:
helmet-pizza-volcano-sixteen-marble
This is ~65 bits of entropy and easy to type.
4. Never reuse passwords
Credential stuffing attacks test leaked passwords against other services. One breach exposes everything if you reuse passwords.
5. Enable 2FA everywhere
Even a perfect password can be phished. TOTP (Google Authenticator) or hardware keys (YubiKey) add a second layer.
How to Generate Strong Passwords
Command line:
```bash
# 20 random bytes, base64-encoded (28 characters)
openssl rand -base64 20
# Random passphrase (4 words joined with "-"); --random-source makes shuf draw from the kernel CSPRNG
shuf -n4 --random-source=/dev/urandom /usr/share/dict/words | paste -sd- -
```
JavaScript:
```javascript
function generatePassword(length = 16) {
  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
  // 256 is not a multiple of chars.length, so a plain `b % chars.length` is biased
  // toward the first 46 characters; reject bytes above the largest multiple instead.
  const limit = 256 - (256 % chars.length);
  let out = "";
  while (out.length < length) {
    const [b] = crypto.getRandomValues(new Uint8Array(1));
    if (b < limit) out += chars[b % chars.length];
  }
  return out;
}
```
Online tool:
I built a free password generator that creates cryptographically secure passwords using crypto.getRandomValues(). It runs 100% in your browser — nothing is sent to a server. Features include:
- Length slider (8-128 chars)
- Passphrase mode (random words)
- Strength meter with crack time estimate
- Bulk generation
Common Password Mistakes Developers Make
- Hardcoding credentials in code — use environment variables
- Storing passwords in plain text — always hash with bcrypt/argon2
- Using MD5/SHA1 for password hashing — these are fast hashes, not password hashes
- Same password for dev and prod — treat them as separate environments
- Sharing credentials in Slack/email — use a secrets manager
Quick Security Checklist
[ ] All passwords 16+ characters
[ ] Using a password manager
[ ] 2FA enabled on GitHub, AWS, Google, etc.
[ ] No hardcoded secrets in repos
[ ] Different passwords for every service
[ ] Passwords hashed with bcrypt/argon2 in your apps
What is your password strategy? Do you use a manager or still rely on memory? Let me know in the comments.