/11 min read

What Makes a Strong Password? The Complete Guide to Password Security

Your password is often the only thing between your private data and an attacker. Strong, unique passwords, a password manager, and 2FA dramatically reduce the risk of account takeover.

Why Passwords Matter

Passwords remain a primary authentication method for email, banking, social media, cloud storage, developer tools, and many business systems.

A compromised password can lead to identity theft, financial loss, privacy violations, account lockout, or business data exposure.

The biggest risk is reuse. If one site is breached and you use the same password elsewhere, attackers can try those credentials across many services.

What Makes a Password Strong?

A strong password has four practical properties:

PropertyWhy It MattersExample
LengthMore characters create exponentially more possible guesses16+ characters is a good target
VarietyUppercase, lowercase, numbers, and symbols increase the search spaceKx9#mP2$vR7@nQ4
RandomnessNo dictionary words, patterns, names, or personal detailsGenerated is better than invented
UniquenessA different password for every account prevents cascade breachesNever reuse passwords

The most important rule

Never reuse passwords. Credential stuffing works because attackers take leaked email and password pairs from one breach and try them on other services.

Password Entropy

Entropy measures password unpredictability in bits. More entropy means more work for an attacker.

Entropy = L x log2(R)

Where:
  L = password length
  R = size of the character pool

Examples:
  8 chars, lowercase only (26):      8 x log2(26)  ~= 38 bits
  8 chars, mixed + numbers (62):     8 x log2(62)  ~= 48 bits
  8 chars, all printable types (95): 8 x log2(95)  ~= 53 bits
  16 chars, all printable types:    16 x log2(95)  ~= 105 bits
  20 chars, all printable types:    20 x log2(95)  ~= 131 bits
EntropyStrengthPractical Assessment
< 28 bitsVery weakCrackable quickly. Do not use.
28-35 bitsWeakMay fall to common attacks.
36-59 bitsFairOnly suitable for low-value accounts.
60-127 bitsStrongGood for most accounts.
128+ bitsVery strongNot practical to brute-force with known technology.

Length matters more than most people expect. Doubling length increases strength far more than adding one extra character type to a short password.

How Passwords Get Cracked

Attackers use several strategies, often combining them:

Brute force

Trying every possible combination. This is slow against long random passwords but effective against short ones.

Dictionary attacks

Trying common passwords, leaked passwords, words, names, and patterns from breach datasets.

Rule-based attacks

Applying common human modifications such as capitalization, numbers, years, and symbol substitutions.

Credential stuffing

Trying known leaked credentials on many other websites. This is why password reuse is so dangerous.

Phishing

Tricking users into typing passwords into fake login pages. Even a strong password can be stolen this way.

Approximate brute-force time at 10 billion guesses/second:

  6 chars, lowercase:           seconds
  8 chars, lowercase:           minutes
  8 chars, mixed case + digits: hours
  8 chars, all types:           days to weeks
  12 chars, all types:          thousands of years
  16 chars, all types:          far beyond practical reach

These estimates assume offline attacks against fast hashes.
Slow password hashing such as bcrypt or Argon2 changes the economics.
Common passwords attackers try first:

  123456        password       qwerty
  123456789     12345678       111111
  iloveyou      admin          welcome
  monkey        dragon         master
  letmein       abc123         football
Base word: "password"

Attackers automatically try variations:
  Password
  PASSWORD
  password1
  password123
  p@ssword
  p@ssw0rd
  Password1!
  password2026
  drowssap

Length vs Complexity

For human-created passwords, length usually beats complexity.

A short password like P@ssw0rd! looks complex but is based on a common word and predictable substitutions.

A long random password or random passphrase has far more possible combinations and is much harder to guess.

Use generated passwords for accounts. Use a long passphrase only for passwords you must remember, such as your password manager master password.

Common Password Mistakes

These mistakes make passwords much easier to crack:

MistakeExampleWhy It Is Weak
Predictable substitutionsp@$$w0rdCracking tools try these automatically
Keyboard patternsqwerty, 1qaz2wsxThese are in attack dictionaries
Personal informationalice1990, pet namesOften guessable from public information
Appending numberspassword1, secure123One of the first rule-based variations
Year suffixesSummer2026!Season + year + symbol is very common
Password reuseSame password everywhereOne breach can compromise many accounts

The Passphrase Approach

A passphrase is a password made from multiple random words. It can be long, strong, and easier to remember than random symbols.

The words must be randomly selected. A meaningful sentence such as a favorite quote or personal phrase is much easier to guess than unrelated random words.

A Diceware-style method, where dice select words from a word list, is one way to create passphrases without human bias.

Random password:
  Kx9#mP2$vR7@

Passphrase:
  mango-telescope-river-blanket

Both can be strong, but the passphrase is easier to remember.
The words must be chosen randomly, not as a meaningful sentence.

Password Managers

Most people have dozens of online accounts. Remembering a unique random password for each account is not realistic without a password manager.

A password manager generates random passwords, stores them in an encrypted vault, fills login forms, syncs across devices, and can warn you about reused or breached passwords.

You only need to remember one strong master password or passphrase. The rest can be unique and random.

Is a password manager safe?

A reputable password manager is much safer than reusing passwords or storing them in notes. Use a strong master password, enable 2FA, and keep recovery options secure.

Two-Factor Authentication

Two-factor authentication adds a second proof beyond your password. If an attacker steals your password, 2FA can still block the login.

2FA MethodSecurity LevelNotes
Hardware security key (FIDO2/WebAuthn)HighestPhishing-resistant physical key
Authenticator app (TOTP)HighTime-based codes from an app
Push notificationHighConvenient, but watch for approval fatigue
SMS codesModerateBetter than nothing, but vulnerable to SIM swapping

Enable 2FA on email, banking, cloud storage, social media, and any account that can reset other accounts.

How Passwords Are Stored

Responsible websites do not store your actual password. They store a one-way hash of it.

Your password:
  "MySecureP@ss123"

Responsible sites store a password hash, not the password:
  bcrypt hash: $2b$12$LJ3m4ks9Hyl3pGSwKhMzpeOJvOS.gRqkL8IKHhC8mRxQfOz7v8MXi

Good password hashing is:
  One-way: cannot reverse the hash back to the password
  Salted: identical passwords produce different hashes
  Slow: each guess costs time and compute
  Tunable: work factor can increase as hardware improves
AlgorithmStatusNotes
Argon2RecommendedMemory-hard and designed for password hashing
bcryptGoodLong-standing industry standard with configurable cost
scryptGoodMemory-hard and still used in some systems
PBKDF2AcceptableCan be safe with strong parameters
MD5 / SHA-1BrokenToo fast and unsuitable for password storage

Best Practices Checklist

  • Use a password manager to generate and store unique passwords.
  • Use long passwords, ideally 16+ characters for generated passwords.
  • Never reuse passwords across accounts.
  • Enable 2FA, preferably authenticator apps or hardware keys.
  • Protect your email account, because it controls password resets.
  • Avoid personal information such as names, birthdays, addresses, and pet names.
  • Watch for phishing and verify URLs before entering credentials.
  • Change passwords when needed, such as after a breach, not just on a calendar schedule.
  • Use breach alerts from your password manager or trusted breach-checking services.

Generate Strong Passwords Instantly

Use our free Password Generator to create strong random passwords with customizable length, character types, and options right in your browser.

Try Password Generator

References

  1. Grassi, P.A., et al. (2017). NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management. https://pages.nist.gov/800-63-3/sp800-63b.html
  2. Verizon. Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/reports/dbir/
  3. Bonneau, J., et al. (2012). The Quest to Replace Passwords. IEEE Symposium on Security and Privacy. https://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-quest_to_replace_passwords.pdf
  4. OWASP. Password Storage Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
  5. Biryukov, A., Dinu, D., & Khovratovich, D. (2016). Argon2: the memory-hard function for password hashing and other applications. https://www.password-hashing.net/argon2-specs.pdf
USTHJP