What Makes a Password Strong? The Complete Guide

Introduction

We create passwords for everything: email accounts, banking apps, social media, work systems, streaming services. Yet most people still rely on passwords like Password123\! or their pet's name followed by a birth year — passwords that modern cracking tools can break in seconds. Understanding what actually makes a password strong is the first step toward genuine security.

This guide explains the science behind password strength, why certain strategies work and others fail, and how to protect your accounts in an era where data breaches expose hundreds of millions of credentials every year.

The Four Pillars of a Strong Password

1. Length

Length is the single most important factor in password strength. Every additional character multiplies the number of possible combinations an attacker must try. A 12-character password drawn from a 94-character set (uppercase, lowercase, digits, symbols) has more than 47 septillion possible values. A 16-character password from the same set has over 30 septillion times more combinations than that.

For practical guidance: use at least 12 characters for standard accounts and 16 or more for anything sensitive — banking, email, or systems containing personal data.

2. Entropy

Entropy is the mathematical measure of unpredictability in a password. It is calculated as:

Entropy (bits) = log2(charset_size ^ password_length)
               = password_length × log2(charset_size)

A higher entropy means more guesses are required to crack the password through brute force. Security researchers generally consider 60 bits of entropy sufficient for most accounts, and 80+ bits for high-value targets. Here is what that looks like in practice:

3. Character Variety

Using a wider character set forces attackers to test more combinations per position. Mixing uppercase letters, lowercase letters, digits, and symbols expands the charset from 26 to 94 characters — giving each character position roughly 1.86 more bits of entropy. This is valuable, but it is secondary to length. A 20-character lowercase password has more entropy than an 8-character mixed-charset password.

4. Randomness

A password that looks complex is not the same as one that is truly random. P@ssw0rd\! contains uppercase, lowercase, digits, and a symbol — yet it appears on every major cracking wordlist because humans choose predictable substitutions. True randomness means no part of the password can be predicted from the rest, from a dictionary, or from knowledge about you. This is why computer-generated passwords are vastly more secure than human-created ones.

Common Weak Password Patterns to Avoid

Modern password cracking tools do not simply try every combination from scratch. They use layered strategies that exploit predictable human behavior:

• Dictionary words: Any word found in a dictionary, in any language, is trivially crackable. sunshine, dragon, and letmein are cracked in milliseconds.
• Leet-speak substitutions: Replacing letters with numbers (p@ssw0rd, h3llo) is among the first transformations cracking tools apply to dictionary words.
• Predictable suffixes: Adding 123, \!, or the current year to a word doesn't help. These patterns are baked into every serious wordlist.
• Personal information: Names, birthdays, pet names, and favorite sports teams are trivially guessable by anyone who knows you — and easily found in social media profiles.
• Keyboard patterns: qwerty, 123456, zxcvbn, and related patterns are the first things tested in any attack.
• Reused passwords: Even a strong password becomes a weak one if it appears in a breach database. Attackers use credential stuffing — taking leaked username/password pairs and trying them across hundreds of sites automatically.

How Modern Password Cracking Works

Understanding your adversary helps you appreciate why strong passwords matter. Modern cracking tools like Hashcat can test billions of password guesses per second on commodity hardware when given a leaked password hash.

The attack approaches, roughly in order of speed:

1. Credential database lookup: If your password was in a previous breach and the hash is already known, this takes milliseconds regardless of the password's complexity.
2. Dictionary attacks: Testing every word and phrase in massive wordlists, including RockYou (14 million passwords), Have I Been Pwned (10 billion+ records), and others.
3. Rule-based attacks: Applying systematic transformations to wordlists — capitalizing first letters, appending numbers, substituting characters.
4. Mask attacks: Brute-forcing within known patterns, such as "8 characters, uppercase first, 2 digits at the end."
5. Full brute force: Trying every possible combination. This is slow but exhaustive — and the reason entropy matters so much.

A well-chosen random 16-character password with a full charset would take longer than the age of the universe to crack via brute force, even on the fastest hardware available today.

Recommendations by Account Type

Not every account carries the same risk. Here is a practical tiered approach:

Regardless of tier, every account should have a unique password. Reuse is what turns a single breach into a cascade of compromised accounts.

The Passphrase Alternative

A passphrase — a sequence of four or more random words — can achieve high entropy while being easier to remember. correct-horse-battery-staple (from XKCD's famous comic) has roughly 44 bits of entropy from a list of 2,048 words. Add two more words and you exceed 66 bits. The key word here is random: the words must be chosen by a random process, not constructed from a favorite quote or song lyric, which would be dictionary-attackable.

For accounts where you need to type the password manually (like a device login), passphrases are an excellent choice. For everything else, a randomly generated password stored in a password manager is simpler and at least as secure.

Related Articles

• How Password Generators Work: Randomness, Entropy & Security
• Password Security Best Practices for 2025