BYTETOOLS

Password Generator Tips, Settings and Mistakes

The best password settings are 16 or more characters with all four character sets enabled, a unique password per site, and storage in a password manager β€” the common mistakes are going too short, reusing passwords, and adding predictable words to a random string. Generating a password is one click; using generators well is about the settings you choose and the habits around them. Here is the expert guide.

Dial in length and character sets

Length is the single biggest lever on password strength, because entropy grows with every character you add. A practical baseline is 16 characters mixing lowercase, uppercase, digits, and symbols, which lands around 100 bits of entropy β€” effectively uncrackable by brute force today. For ordinary logins, 12-16 is fine; for master passwords, encryption keys, and anything guarding a password vault, push to 20 or more. Turning on more character sets widens the pool per character, so keep all four enabled unless a site rejects symbols.

Read the entropy meter instead of guessing

The strength meter shows entropy in bits, and each additional bit doubles the number of guesses an attacker needs. It is calculated as length times log2 of the pool size, so a 16-character password from a 94-character pool is about 105 bits. Use the meter to make trade-offs deliberately: if you exclude symbols for a site that bans them, watch the bits drop and add length to compensate. Aim comfortably above 80 bits for important accounts.

Use caseSuggested lengthCharacter sets
Everyday website login12-16All four
Work or financial account16-20All four
Master or vault password20+All four
Read aloud or typed from paper18-20All, exclude ambiguous

Common mistakes to avoid

Most password failures are behavioral, not mathematical. Watch for these:

  • Reusing passwords across sites β€” one breach then unlocks many accounts through credential stuffing. Generate a unique one every time.
  • Going too short to make typing easier β€” length matters far more than complexity tricks.
  • Adding a memorable word to a random string, which reintroduces predictability and shrinks real entropy.
  • Trusting server-side generators you cannot audit β€” prefer a tool that runs in your browser so the password is never transmitted.
  • Not storing it safely β€” a strong password you cannot recall gets reset to something weak.

Use the ambiguous-character option wisely

If a password must be read over the phone, dictated, or typed on a TV or console keyboard, enable the option to exclude ambiguous characters like 0/O and 1/l/I, which look identical in many fonts. This slightly reduces entropy, so add a character or two of length to stay in a strong range. For passwords that only ever live in a manager and get auto-filled, leave ambiguous characters in for maximum strength.

Try the Password Generator β€” free and 100% in your browser.

FAQ

How many bits of entropy is strong enough?

For everyday accounts, aim above 80 bits; for high-value accounts and master passwords, 100 or more gives a large safety margin. A 16-character password using all four character sets already reaches roughly 100 bits.

Is a long passphrase better than a random string?

A long random string from a generator maximizes entropy per character and is ideal when stored in a manager. Passphrases are easier to memorize and fine for the few passwords you must recall, provided they are long and genuinely random in word choice.

Does excluding symbols make a password weak?

It reduces the character pool and therefore entropy, but you can compensate by adding length. If a site bans symbols, increase the character count a few positions and check the strength meter stays in a strong range.

Why generate in the browser rather than on a server?

A browser generator using the Web Crypto API creates the password locally and never transmits it, so there is nothing to intercept or log. With a server-side tool you cannot verify what happens to the password after it is created.

Related free tools

Built by ByteVancer

ByteTools is a free product of ByteVancer, a software and web development studio building web apps, SaaS, and custom software with security in mind. If you need a product built to handle credentials and data responsibly, explore what ByteVancer can build with you.