Privacy Feb 18, 2026 5 min read

How Strong Should Your Password Actually Be?

The traditional "use uppercase, numbers, and a symbol" advice is outdated. Here's what actually determines how fast a password can be cracked — and how to build one that lasts.

Why most "strong" passwords are weak

When a site demands a password with uppercase, a number, and a symbol, most people do the minimum: Password1!. This pattern is so predictable that modern cracking tools have entire dictionaries of "complexity-compliant" passwords.

The problem is that humans are terrible at randomness. We capitalize the first letter, add a number at the end, and use ! as the special character. Attackers know this. Password cracking now starts with these patterns, not random guessing.

What actually determines password strength

Password strength comes down to one thing: entropy, the number of possible combinations an attacker must try, usually expressed in bits (each additional bit doubles the search space). Entropy is determined by two factors:

  • Character set size — using only lowercase letters gives you 26 possibilities per character. Adding uppercase doubles it to 52. Adding numbers and symbols can push it past 90.
  • Password length — this is far more impactful than character variety. Each additional character multiplies the search space by the entire character set size.

Password                        Estimated crack time
password                        Instant
P@ssword1                       Minutes
Tr0ub4dor&3                     Days
correct-horse-battery-staple    Centuries
x7#Kp!mQ2nLv@9wR                Millions of years

How passwords get cracked

Dictionary attacks

Attackers use lists of millions of known passwords, words, and common substitutions. If your password is in any data breach (or is a word in any language), it'll be cracked in seconds. Tools like hashcat can test billions of candidates per second on a consumer GPU.

Credential stuffing

After data breaches, attackers buy lists of email/password pairs and try them across every service. If you reuse passwords, one breached site compromises all of them. This is the most common account takeover method today.

Brute force

Trying every possible combination. Infeasible for long passwords, but very effective against short ones. An 8-character password using any printable character can be brute-forced in days with modern hardware.

The passphrase approach

A passphrase is a sequence of several random words: correct-horse-battery-staple. This approach, popularized by the XKCD comic and now recommended by NIST, works because:

  • Length beats complexity — 4 random words (~25 characters) are vastly stronger than P@ssw0rd!
  • Memorable — you can actually remember it without writing it down
  • Typeable — no hunting for special characters on mobile keyboards

The key word is random. "My dog's name is Buddy" is not a strong passphrase. Four words generated by a dice roll or password manager are.
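To make the entropy and crack-time reasoning from the sections above concrete, here is an added example (not code from the original post) that computes the charset-based entropy bound, the honest entropy of a random-word passphrase, and a crack-time estimate that lets dictionary hits win before any brute force. The breached-password list and the two guess rates are constructed assumptions, not measured figures; note that the charset bound for correct-horse-battery-staple is far above its real ~52 bits, which is exactly why the passphrase function counts words, not characters.

```python
import math

# Character classes as the article describes them (33 symbols = printable ASCII punctuation + space).
LOWER, UPPER, DIGITS = "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ "   # 26 + 26 + 10 + 33 = 95 printable ASCII

# Constructed stand-in for a breached-password dictionary; real lists hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "P@ssword1", "letmein"]

# Assumed guess rates (not measured): a fast unsalted hash on a GPU vs. a deliberately slow hash.
FAST_HASH, SLOW_HASH = 1e10, 1e4

def charset_size(password: str) -> int:
    """Size of the union of the character classes the password actually uses."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if any(c in cls for c in password))

def charset_entropy_bits(password: str) -> float:
    """Upper bound log2(charset ** length): what a blind brute force would face."""
    return len(password) * math.log2(charset_size(password))

def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of words drawn uniformly at random from a list (diceware lists have 7776 words)."""
    return num_words * math.log2(wordlist_size)

def expected_guesses(password: str) -> float:
    """Guesses a realistic attacker needs: dictionary hits are found before any brute force starts."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1       # position in the first pass over the list
    return 2 ** charset_entropy_bits(password) / 2        # half the keyspace on average

def crack_seconds(guesses: float, guesses_per_second: float) -> float:
    return guesses / guesses_per_second

def human_time(seconds: float) -> str:
    """Round a duration to the largest unit that fits, matching the article's table style."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return "instant" if seconds < 1 else f"{seconds:.0f} seconds"

if __name__ == "__main__":
    for pw in ["password", "P@ssword1", "Tr0ub4dor&3", "correct-horse-battery-staple", "x7#Kp!mQ2nLv@9wR"]:
        g = expected_guesses(pw)
        fast, slow = human_time(crack_seconds(g, FAST_HASH)), human_time(crack_seconds(g, SLOW_HASH))
        print(f"{pw:30} {charset_entropy_bits(pw):6.1f} bits   fast hash: {fast:>22}   slow hash: {slow:>22}")
    print(f"4 random diceware words: {passphrase_entropy_bits(4, 7776):.1f} bits")
```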

Practical recommendations (NIST 2026)

  • Minimum 15 characters for important accounts; longer is always better
  • Use a password manager (Bitwarden, 1Password, KeePass) — let it generate and store truly random passwords so you only need to remember one master password
  • Never reuse passwords — unique password per site eliminates credential stuffing risk
  • Enable 2FA — even a weak password with TOTP 2FA is far more secure than a strong password alone
  • Check for breaches — use Have I Been Pwned to see if your email appears in known data breaches

Test your password strength

Real-time entropy analysis and crack-time estimates — 100% client-side, your password never leaves your browser.
