What Makes a Strong Password? The Complete Guide to Password Security
Your password is often the only thing between your private data and an attacker. Strong, unique passwords, a password manager, and 2FA dramatically reduce the risk of account takeover.
Table of Contents
Why Passwords Matter
Passwords remain a primary authentication method for email, banking, social media, cloud storage, developer tools, and many business systems.
A compromised password can lead to identity theft, financial loss, privacy violations, account lockout, or business data exposure.
The biggest risk is reuse. If one site is breached and you use the same password elsewhere, attackers can try those credentials across many services.
What Makes a Password Strong?
A strong password has four practical properties:
| Property | Why It Matters | Example |
|---|---|---|
| Length | More characters create exponentially more possible guesses | 16+ characters is a good target |
| Variety | Uppercase, lowercase, numbers, and symbols increase the search space | Kx9#mP2$vR7@nQ4 |
| Randomness | No dictionary words, patterns, names, or personal details | Generated is better than invented |
| Uniqueness | A different password for every account prevents cascade breaches | Never reuse passwords |
The most important rule
Never reuse passwords. Credential stuffing works because attackers take leaked email and password pairs from one breach and try them on other services.
Password Entropy
Entropy measures password unpredictability in bits. More entropy means more work for an attacker.
Entropy = L x log2(R)
Where:
L = password length
R = size of the character pool
Examples:
8 chars, lowercase only (26): 8 x log2(26) ~= 38 bits
8 chars, mixed + numbers (62): 8 x log2(62) ~= 48 bits
8 chars, all printable types (95): 8 x log2(95) ~= 53 bits
16 chars, all printable types: 16 x log2(95) ~= 105 bits
20 chars, all printable types: 20 x log2(95) ~= 131 bits| Entropy | Strength | Practical Assessment |
|---|---|---|
| < 28 bits | Very weak | Crackable quickly. Do not use. |
| 28-35 bits | Weak | May fall to common attacks. |
| 36-59 bits | Fair | Only suitable for low-value accounts. |
| 60-127 bits | Strong | Good for most accounts. |
| 128+ bits | Very strong | Not practical to brute-force with known technology. |
Length matters more than most people expect. Doubling length increases strength far more than adding one extra character type to a short password.
How Passwords Get Cracked
Attackers use several strategies, often combining them:
Brute force
Trying every possible combination. This is slow against long random passwords but effective against short ones.
Dictionary attacks
Trying common passwords, leaked passwords, words, names, and patterns from breach datasets.
Rule-based attacks
Applying common human modifications such as capitalization, numbers, years, and symbol substitutions.
Credential stuffing
Trying known leaked credentials on many other websites. This is why password reuse is so dangerous.
Phishing
Tricking users into typing passwords into fake login pages. Even a strong password can be stolen this way.
Approximate brute-force time at 10 billion guesses/second:
6 chars, lowercase: seconds
8 chars, lowercase: minutes
8 chars, mixed case + digits: hours
8 chars, all types: days to weeks
12 chars, all types: thousands of years
16 chars, all types: far beyond practical reach
These estimates assume offline attacks against fast hashes.
Slow password hashing such as bcrypt or Argon2 changes the economics.Common passwords attackers try first:
123456 password qwerty
123456789 12345678 111111
iloveyou admin welcome
monkey dragon master
letmein abc123 footballBase word: "password"
Attackers automatically try variations:
Password
PASSWORD
password1
password123
p@ssword
p@ssw0rd
Password1!
password2026
drowssapLength vs Complexity
For human-created passwords, length usually beats complexity.
A short password like P@ssw0rd! looks complex but is based on a common word and predictable substitutions.
A long random password or random passphrase has far more possible combinations and is much harder to guess.
Use generated passwords for accounts. Use a long passphrase only for passwords you must remember, such as your password manager master password.
Common Password Mistakes
These mistakes make passwords much easier to crack:
| Mistake | Example | Why It Is Weak |
|---|---|---|
| Predictable substitutions | p@$$w0rd | Cracking tools try these automatically |
| Keyboard patterns | qwerty, 1qaz2wsx | These are in attack dictionaries |
| Personal information | alice1990, pet names | Often guessable from public information |
| Appending numbers | password1, secure123 | One of the first rule-based variations |
| Year suffixes | Summer2026! | Season + year + symbol is very common |
| Password reuse | Same password everywhere | One breach can compromise many accounts |
The Passphrase Approach
A passphrase is a password made from multiple random words. It can be long, strong, and easier to remember than random symbols.
The words must be randomly selected. A meaningful sentence such as a favorite quote or personal phrase is much easier to guess than unrelated random words.
A Diceware-style method, where dice select words from a word list, is one way to create passphrases without human bias.
Random password:
Kx9#mP2$vR7@
Passphrase:
mango-telescope-river-blanket
Both can be strong, but the passphrase is easier to remember.
The words must be chosen randomly, not as a meaningful sentence.Password Managers
Most people have dozens of online accounts. Remembering a unique random password for each account is not realistic without a password manager.
A password manager generates random passwords, stores them in an encrypted vault, fills login forms, syncs across devices, and can warn you about reused or breached passwords.
You only need to remember one strong master password or passphrase. The rest can be unique and random.
Is a password manager safe?
A reputable password manager is much safer than reusing passwords or storing them in notes. Use a strong master password, enable 2FA, and keep recovery options secure.
Two-Factor Authentication
Two-factor authentication adds a second proof beyond your password. If an attacker steals your password, 2FA can still block the login.
| 2FA Method | Security Level | Notes |
|---|---|---|
| Hardware security key (FIDO2/WebAuthn) | Highest | Phishing-resistant physical key |
| Authenticator app (TOTP) | High | Time-based codes from an app |
| Push notification | High | Convenient, but watch for approval fatigue |
| SMS codes | Moderate | Better than nothing, but vulnerable to SIM swapping |
Enable 2FA on email, banking, cloud storage, social media, and any account that can reset other accounts.
How Passwords Are Stored
Responsible websites do not store your actual password. They store a one-way hash of it.
Your password:
"MySecureP@ss123"
Responsible sites store a password hash, not the password:
bcrypt hash: $2b$12$LJ3m4ks9Hyl3pGSwKhMzpeOJvOS.gRqkL8IKHhC8mRxQfOz7v8MXi
Good password hashing is:
One-way: cannot reverse the hash back to the password
Salted: identical passwords produce different hashes
Slow: each guess costs time and compute
Tunable: work factor can increase as hardware improves| Algorithm | Status | Notes |
|---|---|---|
| Argon2 | Recommended | Memory-hard and designed for password hashing |
| bcrypt | Good | Long-standing industry standard with configurable cost |
| scrypt | Good | Memory-hard and still used in some systems |
| PBKDF2 | Acceptable | Can be safe with strong parameters |
| MD5 / SHA-1 | Broken | Too fast and unsuitable for password storage |
Best Practices Checklist
- Use a password manager to generate and store unique passwords.
- Use long passwords, ideally 16+ characters for generated passwords.
- Never reuse passwords across accounts.
- Enable 2FA, preferably authenticator apps or hardware keys.
- Protect your email account, because it controls password resets.
- Avoid personal information such as names, birthdays, addresses, and pet names.
- Watch for phishing and verify URLs before entering credentials.
- Change passwords when needed, such as after a breach, not just on a calendar schedule.
- Use breach alerts from your password manager or trusted breach-checking services.
Generate Strong Passwords Instantly
Use our free Password Generator to create strong random passwords with customizable length, character types, and options right in your browser.
Try Password GeneratorReferences
- Grassi, P.A., et al. (2017). NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management. https://pages.nist.gov/800-63-3/sp800-63b.html
- Verizon. Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/reports/dbir/
- Bonneau, J., et al. (2012). The Quest to Replace Passwords. IEEE Symposium on Security and Privacy. https://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-quest_to_replace_passwords.pdf
- OWASP. Password Storage Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
- Biryukov, A., Dinu, D., & Khovratovich, D. (2016). Argon2: the memory-hard function for password hashing and other applications. https://www.password-hashing.net/argon2-specs.pdf