Password strength isn't about looking complicated — it's about being unpredictable. A password's real strength can be measured mathematically, and the results often surprise people: length matters far more than swapping letters for symbols. Here's how strength is calculated and how to make passwords that actually resist attack.
What makes a password strong
Two things: length and character variety. Length is the bigger lever, because each extra character multiplies the number of possible passwords by the size of the alphabet. Variety (mixing uppercase, lowercase, digits, and symbols) enlarges that alphabet, so each position is worth more. Both only count if the characters are chosen at random: a long password drawn from a big alphabet has an astronomical number of equally likely combinations, which is exactly what defeats a brute-force attack.
Password entropy explained
Entropy measures unpredictability in bits. For a password whose characters are chosen uniformly at random from an alphabet of charsetSize symbols, bits = log2(charsetSize ^ length), or equivalently length × log2(charsetSize). Each extra bit doubles the number of guesses an attacker needs. Lowercase letters alone give a 26-character set (about 4.7 bits per character); adding uppercase, digits, and the 32 printable ASCII symbols pushes the set to 94 characters (about 6.55 bits per character). The formula applies only to genuinely random choices: a human-chosen password that happens to use all four classes has far less entropy than the figure suggests. As rough thresholds against an offline attack, below 40 bits is weak, 60–79 bits is strong, and 80+ bits is out of reach of today's hardware.
Crack times by length
Assume an offline attack (the attacker holds the password hashes) running at 10 billion guesses per second against a fast, unsalted hash, and the full 94-character set. The table gives the time to try every combination; on average the right one turns up halfway through. A slow password hash such as bcrypt or Argon2 cuts the rate by orders of magnitude, and an online login form is rate-limited far below this, but either way longer is dramatically safer:
| Length | Entropy | Time to crack |
|---|---|---|
| 8 chars | ~52 bits | about a week |
| 12 chars | ~79 bits | over a million years |
| 16 chars | ~105 bits | longer than the universe has existed |
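The entropy formula and the table above can be reproduced with a short script. This is an added example, not code from the original article. It bakes in three assumptions: the 10 billion guesses per second rate from the table, the 94-symbol printable ASCII alphabet, and a 13.8-billion-year age of the universe for the last row. `charset_size` only gives a meaningful answer for a password that was really generated uniformly at random from the alphabet it reports; for a human-chosen password it overestimates badly.

```python
import math

GUESSES_PER_SECOND = 10_000_000_000      # assumed rate from the table: offline attack, fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9           # assumed round figure used for the last table row


def entropy_bits(pool_size: int, units: int) -> float:
    """Entropy of a secret built from `units` independent, uniformly random picks
    out of `pool_size` symbols (characters, or words for a passphrase):
    units * log2(pool_size)."""
    if pool_size < 2 or units < 1:
        raise ValueError("need a pool of at least 2 symbols and at least 1 pick")
    return units * math.log2(pool_size)


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes a password uses
    (26 lower, 26 upper, 10 digits, 32 printable ASCII symbols). Only valid for
    a password that was drawn uniformly at random from that alphabet; for a
    human-chosen one like P@ssw0rd the true entropy is far lower."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() and not c.isspace() for c in password):
        size += 32
    return size


def exhaustive_search_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second. The expected time
    to hit the right one is half this; an online attack is throttled far below `rate`."""
    return 2.0 ** bits / rate


def describe_time(seconds: float) -> str:
    """Human-readable duration, in the spirit of the table's third column."""
    years = seconds / SECONDS_PER_YEAR
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    if years < AGE_OF_UNIVERSE_YEARS:
        return f"{years:,.0f} years"
    return f"{years / AGE_OF_UNIVERSE_YEARS:,.0f} x the age of the universe"


def crack_table(pool_size: int, lengths, rate: float = GUESSES_PER_SECOND):
    """Rows of (length, entropy bits, worst-case crack time) for one alphabet size."""
    rows = []
    for n in lengths:
        bits = entropy_bits(pool_size, n)
        rows.append((n, round(bits, 1), describe_time(exhaustive_search_seconds(bits, rate))))
    return rows


if __name__ == "__main__":
    for n, bits, when in crack_table(94, [8, 12, 16]):
        print(f"{n:2d} chars  {bits:6.1f} bits  {when}")
    # Same formula with words as the unit: four words from a 7,776-word Diceware list.
    print(f"4 Diceware words: {entropy_bits(7776, 4):.1f} bits")
```

Running it shows why the 12-character row reads "over a million years": 94^12 candidates at 10^10 per second is roughly 1.5 million years of exhaustive search, and 16 characters is thousands of times the age of the universe.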
Why "P@ssw0rd" is weak
It looks clever, but it's a dictionary word with predictable substitutions (a→@, o→0, s→$). Attackers run dictionaries with exactly these swaps built in, so "P@ssw0rd" falls almost as fast as "password". Complexity that follows a common pattern adds little real entropy. A longer, genuinely random string — or a string of random words — beats a short "complex" one every time.
What modern guidance actually says
NIST's current guidance (SP 800-63B, 2024 revision) favors length over forced complexity: allow long passwords and passphrases (spaces and all printable characters included), drop composition rules that demand particular character classes, screen candidates against lists of known-breached passwords, and stop forcing periodic resets. Change a password when there is evidence of compromise, not on a fixed schedule, which only nudges people toward predictable variations like Password1, Password2.
- Use at least 16 characters, or a passphrase of 4–5 random words.
- Make every account's password unique so one breach can't unlock others.
- Don't rely on predictable substitutions or keyboard patterns.
- Enable two-factor authentication wherever it's offered.
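A validator that follows these rules, including the k-anonymity breach lookup that services such as Have I Been Pwned's Pwned Passwords expose, as an added example that is not the article's code. The "server" side here is a constructed stand-in (`range_response`) answering from a tiny in-memory list of breached passwords; in production `fetch_range` would GET `https://api.pwnedpasswords.com/range/<prefix>` and pass the response body through unchanged. The 16-character floor follows this article's advice (NIST's own minimum in SP 800-63B is 8), and the 64-character ceiling exists only to bound hashing cost.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus of hundreds of millions of passwords.
BREACHED_SAMPLE = {"password", "P@ssw0rd", "Password1", "123456", "qwerty", "letmein"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789") + KEYBOARD_ROWS


def sha1_hex(password: str) -> str:
    """Pwned-Passwords style lookup key: uppercase hex SHA-1 of the UTF-8 password.
    SHA-1 is acceptable here because it is an index into a public list, not the
    hash a site stores for verification."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str, corpus=BREACHED_SAMPLE) -> str:
    """Server side of a k-anonymity range lookup (constructed, offline): every corpus
    hash that starts with the 5-hex-char prefix, one 'SUFFIX:COUNT' line each."""
    lines = [f"{sha1_hex(pw)[5:]}:1" for pw in sorted(corpus) if sha1_hex(pw).startswith(prefix)]
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=range_response) -> int:
    """Client side: send only the first 5 hex characters of the hash, then match the
    remaining 35 locally, so neither the password nor its full hash leaves the host."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count or 0)
    return 0


def check_password(password: str, *, context_words=(), min_length=16, max_length=64,
                   fetch_range=range_response) -> list:
    """SP 800-63B style policy: a length floor and a generous ceiling, every printable
    character (spaces included) allowed, no composition rules, and a blocklist of
    breached, repetitive/sequential and context-specific values.
    Returns the list of problems; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    lowered = password.lower()
    if re.fullmatch(r"(.)\1*", password):
        problems.append("a single repeated character")
    if len(lowered) >= 4 and any(lowered in seq for seq in SEQUENCES):
        problems.append("a sequential run (alphabet, digits or keyboard row)")
    for word in context_words:          # username, service name, company name, ...
        if word and word.lower() in lowered:
            problems.append(f"contains the context-specific word {word!r}")
    hits = breach_count(password, fetch_range)
    if hits:
        problems.append(f"found in breach corpus ({hits} occurrence(s))")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "qwertyuiop", "correct horse battery staple", "AcmeCorp-2024-rules!"):
        print(f"{pw!r}: {check_password(pw, context_words=('acme',)) or 'OK'}")
```

Note what is deliberately absent: there is no "must contain an uppercase letter and a symbol" branch. A 28-character all-lowercase passphrase passes, and an 8-character "P@ssw0rd" fails twice, once on length and once on the breach list.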
How to create and remember strong passwords
You don't have to remember them. Generate a long random password for each account and store them in a reputable password manager — you then only memorize one strong master password. For the rare password you must type often, a passphrase of unrelated words (like a four-word combination) is both strong and memorable.
How attackers actually guess passwords
Crack-time estimates assume brute force — trying every combination — but that's the attacker's last resort. In practice they start with far faster methods, which is why "complex-looking" passwords still fall:
- Dictionary attacks: run through word lists, common passwords, and predictable substitutions (a→@, o→0) first. "P@ssw0rd" is in every one.
- Credential stuffing: reuse passwords leaked from other breaches. If you reused a password, attackers don't need to guess it at all.
- Targeted guessing: names, birthdays, pets, and sports teams pulled from your social media.
- Brute force: only after the cheap methods fail — and only feasible against short or low-entropy passwords.
Length and genuine randomness defeat all four: a long random string isn't in any dictionary, and uniqueness means a leak elsewhere can't unlock this account.
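Here is what "attackers run dictionaries with these swaps built in" looks like in code, for the P@ssw0rd section above and the dictionary-attack bullet. This is an added example, not from the article: an eight-word constructed wordlist, three case rules, five leet substitutions and a handful of suffixes, in the style of a hashcat or John the Ripper rule engine, run against an unsalted SHA-256 of the target. A real attack uses lists of millions of words and thousands of rules; a real site should store bcrypt, scrypt or Argon2 hashes, which slow every guess down but cannot rescue a password that falls within a few hundred of them.

```python
import hashlib
import itertools

# Constructed mini wordlist; real ones (rockyou.txt, breach corpora) run to millions of entries.
WORDLIST = ["password", "welcome", "letmein", "dragon", "monkey", "football", "sunshine", "princess"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}   # the "predictable substitutions"
SUFFIXES = ["", "1", "!", "123", "2024", "!1"]               # appended by typical rules


def sha256_hex(password: str) -> str:
    """Stand-in for the stored hash. Fast unsalted hashes are where the 1e10 guesses/s
    figures come from; a slow salted hash (Argon2, bcrypt) lowers the rate, not the
    number of guesses a weak password needs."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def capitalisations(word: str):
    """Case rule: as-is, first letter upper, all upper."""
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word: str):
    """Every combination of applying or not applying LEET at each eligible position,
    so P@ssw0rd (a and o swapped, s left alone) is reached as well as P@$$w0rd."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i].lower()]
        yield "".join(chars)


def candidates(wordlist=WORDLIST):
    """Rule pipeline: word -> case rule -> leet rule -> suffix rule."""
    for word in wordlist:
        for cased in capitalisations(word):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield mangled + suffix


def guess(target_hash: str, wordlist=WORDLIST):
    """Try candidates in order until one hashes to target_hash.
    Returns (guesses_made, password), or (guesses_made, None) if the rules never
    produced it, which is the outcome for anything not derived from the wordlist."""
    tried = set()
    for cand in candidates(wordlist):
        if cand in tried:            # different rules often collide; count each string once
            continue
        tried.add(cand)
        if sha256_hex(cand) == target_hash:
            return len(tried), cand
    return len(tried), None


if __name__ == "__main__":
    n, found = guess(sha256_hex("P@ssw0rd"))
    print(f"{found} recovered after {n} guesses (nominal entropy ~52 bits, real ~8)")
    n, found = guess(sha256_hex("correct horse battery staple"))
    print(f"passphrase: {found} after exhausting {n} candidates")
```

"P@ssw0rd" falls in the low hundreds of guesses, a fraction of a microsecond at the rates the crack-time table assumes, while the four-word passphrase is never produced at all because it is not a mangled dictionary word.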
Passphrases: strong and memorable
If you must memorize a password, a passphrase of several random words beats a short complex string. With words drawn at random from a 7,776-word Diceware list, each word adds about 12.9 bits: four words give about 52 bits and five about 65, while staying easy to recall. The well-known "correct horse battery staple" example makes the point: it is longer, stronger, and more memorable than something like "Tr0ub4dor&3". The catch is that the words must be genuinely random (dice or a generator, not a favorite quote); a memorable phrase you would think of yourself is also one an attacker's tools will try.
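The generator that the password-manager section and the passphrase section describe (a random string for the manager, a random-word passphrase for the one you type), as an added example that is not from the article. It assumes the 94 printable ASCII characters as the default alphabet and uses a constructed 32-word list in place of a real Diceware list (the EFF long list has 7,776 words, which is where the 52 bits for four words comes from). The one non-negotiable detail is `secrets`, not `random`.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed stand-in for a Diceware list; use the EFF long list (7,776 words) for real use.
SAMPLE_WORDS = [
    "acorn", "badge", "cabin", "dance", "eagle", "fable", "gavel", "habit",
    "igloo", "jelly", "kayak", "lemon", "mango", "noble", "oasis", "panda",
    "quilt", "raven", "salsa", "tulip", "umbra", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "delta", "ember", "frost",
]


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniform random string over `alphabet`. secrets.choice draws from the OS
    CSPRNG; random.choice (Mersenne Twister) can be reconstructed from 624
    consecutive outputs and must never be used for secrets."""
    alphabet = "".join(sorted(set(alphabet)))       # duplicate symbols would bias the draw
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick, so the
    entropy is words * log2(distinct words) no matter how long the words are."""
    unique = sorted(set(w.strip().lower() for w in wordlist if w.strip()))
    if words < 1 or len(unique) < 2:
        raise ValueError("need words >= 1 and at least two distinct words")
    return sep.join(secrets.choice(unique) for _ in range(words))


def entropy_bits(picks: int, pool_size: int) -> float:
    """Entropy of `picks` independent uniform draws from `pool_size` alternatives."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    pw = random_password(16)
    print(pw, f"{entropy_bits(16, len(PRINTABLE)):.1f} bits")
    phrase = random_passphrase(5)
    print(phrase, f"{entropy_bits(5, len(SAMPLE_WORDS)):.1f} bits with this 32-word list; "
                  f"{entropy_bits(5, 7776):.1f} bits with a 7,776-word list")
```

The dedup step matters more than it looks: a wordlist with repeated entries, or an alphabet string with a doubled character, silently makes some outputs likelier than others, and the entropy figure you compute from the raw length then overstates what you actually have.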
Add two-factor authentication
Even a perfect password can be phished or leaked, so add a second factor wherever it's offered. An authenticator app or hardware key means a stolen password alone isn't enough to get in. Two-factor authentication is the single highest-impact upgrade to your account security after using unique passwords — turn it on for email and financial accounts first, since those are the keys to everything else.
What to do after a breach
If a service you use is breached, change that password immediately — and change it anywhere you reused it (a good reason never to reuse). Use a breach-notification service to learn which of your accounts have appeared in known leaks, prioritize email and banking, and enable two-factor while you're at it. This is exactly the scenario modern guidance means by "change when compromised": react to real events, not the calendar.