How to Create a Strong Password: Complete Security Guide

Why Passwords Get Cracked

Every year, billions of passwords are exposed in data breaches. The reason most of them get cracked is not because attackers are geniuses — it is because users choose predictable, short passwords. According to breach analysis reports, the most common password is still 123456, followed closely by password and qwerty.

Attackers use several techniques to crack passwords, and understanding them is the first step to defending against them:

• 1. Brute force — Trying every possible combination. An 8-character password using lowercase letters (26 options per character) has 208 billion combinations. That sounds like a lot, but a modern GPU can test billions of hashes per second. An 8-character lowercase password falls in under a minute. Add uppercase, digits, and symbols (95 characters per position) and an 8-character password still cracks in a few hours.
• 2. Dictionary attacks — Testing common words, names, dates, and known passwords from previous breaches. If your password is a real word or a common phrase, it will be tried early.
• 3. Credential stuffing — Using email/password pairs leaked from one breach to try logging into other services. This works because people reuse passwords across sites.
• 4. Rainbow tables — Precomputed lookup tables that map hashes back to their plaintext passwords. This is why services must salt their hashes.

The math is stark: increase your password from 8 characters to 16 characters and the brute-force time goes from hours to centuries. Length is the single biggest factor in password security.

What Makes a Password Strong

A strong password has three properties: it is long, it is unpredictable, and it is unique to each account. Let us break these down:

• Length (most important) — Every character you add multiplies the number of possible combinations. A 12-character password is not 50% better than an 8-character password — it is millions of times better. Aim for at least 16 characters for critical accounts.
• Unpredictability — The password should not contain dictionary words, names, dates, keyboard patterns (qwerty, 123456), or personal information. True randomness — generated by a cryptographic password generator — is ideal.
• Uniqueness — Never reuse passwords across accounts. If one service gets breached, attackers will try that password on every other service you use. A password manager makes unique passwords practical.
• Character diversity — Using uppercase, lowercase, digits, and symbols increases the character pool. With 95 printable ASCII characters, each position has 95 possibilities instead of 26. But this matters far less than length — a 20-character lowercase password is stronger than an 8-character password with every character type.

Password Length vs Complexity

The strength of a password is measured by its entropy — the number of bits of randomness it contains. The formula is:

// Password entropy calculation
// bits = log2(pool_size ^ length)
// Simplified: bits = length * log2(pool_size)

function calculateEntropy(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Examples:
// 8 chars, lowercase only (26): 8 * 4.7 = 37.6 bits
calculateEntropy(8, 26);   // 37.60 bits — cracked in seconds

// 8 chars, all ASCII (95):     8 * 6.57 = 52.6 bits
calculateEntropy(8, 95);   // 52.56 bits — cracked in hours

// 16 chars, lowercase (26):   16 * 4.7 = 75.2 bits
calculateEntropy(16, 26);  // 75.20 bits — takes centuries

// 16 chars, all ASCII (95):   16 * 6.57 = 105.1 bits
calculateEntropy(16, 95);  // 105.11 bits — effectively uncrackable

// 20 chars, all ASCII (95):   20 * 6.57 = 131.4 bits
calculateEntropy(20, 95);  // 131.39 bits — overkill (but why not)

Notice the pattern: doubling the length has a far greater impact than expanding the character pool. An 8-character password with all 95 ASCII characters (52.6 bits) is weaker than a 16-character lowercase-only password (75.2 bits). This is why modern security guidance prioritizes length over complexity rules.

Here is a practical breakdown of how long brute-force attacks take at 10 billion guesses per second (a realistic rate for offline hash cracking with modern GPUs):

The takeaway: use at least 16 characters. If you use a password generator, set it to 16-20 characters with mixed types and you are effectively protected against brute-force attacks forever.

NIST Password Guidelines (2026)

The National Institute of Standards and Technology (NIST) publishes SP 800-63B, the most influential password guideline in the world. Their latest recommendations have overturned decades of conventional wisdom. Here is what NIST recommends:

• Minimum 8 characters, recommend 15+ — NIST requires a minimum of 8 characters and recommends that systems support passwords up to at least 64 characters. Longer is always better.
• No complexity rules — NIST explicitly advises against requiring uppercase, lowercase, digits, and symbols. These rules lead to predictable patterns like P@ssw0rd! that are easy for computers to guess but hard for humans to remember.
• No forced rotation — Mandatory password changes (every 30, 60, or 90 days) are now discouraged. Research shows forced rotation makes passwords weaker because users pick predictable sequences. Only change passwords when there is evidence of compromise.
• Screen against breached passwords — Systems should check new passwords against lists of known compromised passwords (from databases like Have I Been Pwned) and reject matches. This blocks the most common attack vector.
• No password hints or knowledge-based questions — Security questions like "mother's maiden name" are easily guessable or findable on social media. NIST recommends eliminating them entirely.
• Allow paste in password fields — Blocking paste discourages the use of password managers, which is the opposite of what you want. Systems should always allow pasting passwords.

The shift in thinking is clear: length and uniqueness matter far more than arbitrary complexity rules. A 20-character passphrase with no special characters is vastly more secure than P@$$w0rd1!.

Passphrases vs Random Passwords

There are two main approaches to creating strong passwords, each with distinct trade-offs:

Random Passwords

A random password like x7#Qm9$kL2!bN4@p is generated by selecting characters randomly from the full ASCII set. A 16-character random password provides about 105 bits of entropy — extremely strong. The downside is that it is impossible to memorize, so you need a password manager.

Use our Password Generator to create cryptographically random passwords. The tool uses crypto.getRandomValues(), the same randomness source used by security libraries.

Passphrases (Diceware Method)

A passphrase is a sequence of randomly chosen words, like correct-horse-battery-staple (made famous by XKCD). The Diceware method uses a list of 7,776 words (corresponding to five dice rolls). Each word adds about 12.9 bits of entropy:

• 4 words = ~51 bits (acceptable for low-value accounts)
• 5 words = ~64 bits (good for most accounts)
• 6 words = ~77 bits (strong — comparable to a 12-char random password)
• 7 words = ~90 bits (very strong — exceeds most random passwords)

The advantage of passphrases is memorability. You can actually remember timber-oxygen-glacier-quantum-violet without writing it down. The critical rule: the words must be chosen randomly, not by you. Humans are terrible at being random — phrases like "i love my dog" have almost zero entropy because they are predictable.

Which Should You Use?

For most people, the answer is random passwords stored in a password manager. You only need to memorize one master password (use a 5-6 word passphrase for that). For the few passwords you must type manually — like your computer login or password manager master password — use a passphrase. For everything else, let the manager generate and store 20-character random passwords. You can verify the strength of any password by checking its hash output or generating a unique identifier for each account.

Password Managers and MFA

A strong password alone is not enough. Modern security requires two additional layers: a password manager and multi-factor authentication (MFA).

Why You Need a Password Manager

The average person has over 100 online accounts. Without a password manager, you are either reusing passwords (dangerous) or using weak, memorable passwords (also dangerous). A password manager solves this by:

• - Generating unique, random passwords for every account
• - Storing them in an encrypted vault protected by one master password
• - Auto-filling credentials so you never need to type them
• - Alerting you when a saved password appears in a breach
• - Protecting against phishing — a manager will not auto-fill credentials on a fake domain

Popular, well-audited password managers include 1Password, Bitwarden, and KeePass. Choose one that has been independently security-audited and supports your devices.

Multi-Factor Authentication (MFA)

MFA adds a second factor beyond your password — something you have (a phone, a hardware key) in addition to something you know (your password). Even if an attacker gets your password, they cannot log in without the second factor.

• Hardware security keys (best) — YubiKey, Google Titan. Phishing-proof because they verify the domain.
• Authenticator apps (good) — Google Authenticator, Authy, Microsoft Authenticator. Time-based one-time passwords (TOTP).
• SMS codes (acceptable) — Better than nothing but vulnerable to SIM swapping attacks. Use only if other options are not available.

Enable MFA on every account that supports it, starting with your email (the keys to your kingdom), financial accounts, and your password manager itself. The combination of a strong unique password + MFA makes account compromise extremely unlikely.

Frequently Asked Questions

Related Tools