Why Password Security Matters More Than Ever
In 2023 alone, over 8 billion credentials were exposed in data breaches. Attackers can now rent cloud-based GPU clusters capable of testing billions of passwords per second against stolen hash databases. An 8-character password that would have taken years to crack in 2010 can now be broken in hours. The security landscape has changed dramatically, and most people's password habits have not kept up.
The Two Factors That Determine Password Strength
Password strength is measured in bits of entropy — the base-2 logarithm of the number of possible passwords for a given length and character pool, assuming each character is chosen uniformly at random (a human-chosen password with patterns has far less entropy than the formula suggests). The formula is:
Entropy (bits) = length × log₂(pool size)
Two factors control this:
1. Length (the bigger factor)
Each character you add multiplies the number of possible passwords by the pool size. Going from 10 to 11 characters with a 94-character pool multiplies the count by 94. Going from 10 to 12 multiplies it by 94² (8,836). Length compounds exponentially.
2. Character variety (the smaller factor)
Using all four character types (uppercase, lowercase, digits, symbols) expands the pool from 26 (lowercase only) to 94 characters. That is significant — but not as significant as adding length. A 20-character lowercase password (26²⁰ combinations) is far stronger than a 10-character all-types password (94¹⁰ combinations).
Password Strength by the Numbers
| Length | Lowercase only (26-char pool): rating | All chars (94-char pool): entropy | Time to crack (all chars, modern GPU) |
|---|---|---|---|
| 8 | Trivial | 52 bits | Hours to days |
| 10 | Trivial | 65 bits | Weeks |
| 12 | Weak | 78 bits | Centuries (good) |
| 16 | Moderate | 104 bits | Billions of years |
| 20 | Strong | 131 bits | Effectively uncrackable |
The practical threshold for "secure against current and near-future hardware" is 80+ bits of entropy. A 16-character password with all character types provides 104 bits — well above this threshold.
Common Password Mistakes (and Why They Fail)
- "Password1!" — meets complexity requirements but contains a dictionary word followed by a digit and symbol, which is one of the first patterns crackers try.
- Keyboard patterns (qwerty, 123456) — these are in every cracking dictionary and will be found in seconds.
- Personal information (birthdays, names, pet names) — attackers perform targeted attacks using publicly available personal data from social media. Never use information about yourself in a password.
- Reusing passwords across sites — when one site is breached, attackers immediately try the same credentials on hundreds of other services ("credential stuffing"). Even a strong password becomes worthless if reused.
- Predictable substitutions (@ for a, 3 for e, 0 for o) — cracking dictionaries include all common substitutions. "p@ssw0rd" is no more secure than "password" against modern attacks.
Passphrases: A Strong Alternative
A passphrase is a sequence of random words: "correct-horse-battery-staple" (from the famous XKCD comic). A 4-word passphrase from a 7,776-word Diceware list has 7,776⁴ ≈ 3.6 × 10¹⁵ combinations — about 51 bits of entropy. A 6-word passphrase reaches 77 bits. They are strong, memorable, and relatively easy to type.
Passphrases work best for things you must memorise (like your password manager master password). For everything else, a random generated password is more secure and eliminates the memorisation problem entirely.
The Non-Negotiables of Password Security in 2025
- Use a password manager. Bitwarden (free, open-source), 1Password, or your browser's built-in manager. Store a unique random password for every site. This eliminates credential stuffing risk entirely.
- Use 16+ characters. For any account that matters (email, banking, social media), use at least 16 characters with all character types. Your password manager stores it, so you only need to type it once.
- Enable two-factor authentication (2FA) everywhere. Even if your password is leaked, 2FA prevents login without physical access to your phone or authentication app. An authenticator app (Authy, Google Authenticator) is stronger than SMS 2FA.
- Never reuse passwords. One unique password per site, full stop.
- Check if you have been breached. haveibeenpwned.com lets you check your email address against 12 billion+ known breached records.
Generate Strong Passwords Instantly
Our free Password Generator uses the Web Crypto API to generate cryptographically strong random passwords. Choose your length (up to 128 characters), select which character types to include, and generate a secure password in one click. No signup, no data collection, no server transmission — all generation happens in your browser.