SECURITY GUIDE

What Makes a Password Strong?

The complete guide to password entropy, length, character sets, and how to protect your accounts from modern attacks.

Password Strength by Length & Character Set

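| Length | Character Set | Possible Combos | Entropy | Strength |
|--------|---------------|-----------------|---------|----------|
| 8 | Lowercase only | 200 billion | 37 bits | Weak |
| 8 | Upper + Lower | 53 trillion | 45 bits | Weak |
| 8 | All types (94 chars) | 6.1 quadrillion | 52 bits | Medium |
| 12 | All types | 475 quintillion | 78 bits | Medium |
| 16 | All types | 36 sextillion | 105 bits | Strong |
| 20 | All types | 2.8 septillion | 131 bits | Very Strong |
| 24 | All types | 220 octillion | 157 bits | Unbreakable |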

The Four Rules of Strong Passwords

1. Length is the most important factor

Every additional character multiplies the number of possible passwords by the size of the character set. A 20-character lowercase password has 26^20 = 19.9 septillion combinations — orders of magnitude more than an 8-character complex password (94^8 = 6.1 quadrillion).

2. Mix all four character types

Using uppercase (A-Z), lowercase (a-z), numbers (0-9), and symbols (!@#$%) maximizes the character set size. The number of possible passwords = (charset size)^(length). Larger charset size = exponentially stronger passwords for the same length.

3. Never reuse passwords

The most common way accounts get compromised is credential stuffing — attackers use leaked passwords from one site to try logging in to other sites. A unique password for every account means one breach does not cascade. Use a password manager.

4. Avoid predictable patterns

Attackers use rule-based cracking: dictionary words with number suffixes (password123), keyboard walks (qwerty), common substitutions (p@ssw0rd), and popular base words. None of these patterns survive targeted attacks even at 12+ characters.
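
The check below is an added example, not part of the original guide or its generator. It computes the length × log2(charset size) figure from rules 1 and 2, then looks for the rule 4 patterns that make that figure meaningless. The base-word list, keyboard rows, leetspeak map and all function names are assumptions made for illustration, and the entropy figure counts only the character classes a password actually uses.

```python
import math
import string

# Assumptions (constructed for this example, not from the page): a tiny
# base-word list, QWERTY letter rows, and a small leetspeak map.
BASE_WORDS = {"password", "welcome", "dragon", "monkey", "letmein"}
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
LEET = str.maketrans("@4301!$57", "aaeoiisst")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)  # 26 + 26 + 10 + 32 = 94

def naive_entropy_bits(pw: str) -> float:
    """length * log2(charset size), counting only the classes pw uses."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(size) if size else 0.0

def predictable_patterns(pw: str) -> list:
    """Return the rule-4 patterns found in pw; an empty list means none."""
    found = []
    lower = pw.lower()
    # Strip a trailing run of digits/symbols such as "123" or "!".
    core = lower.rstrip(string.digits + string.punctuation)
    if core in BASE_WORDS:
        found.append("dictionary word" + (" + suffix" if core != lower else ""))
    elif core.translate(LEET) in BASE_WORDS:
        found.append("leetspeak substitution")
    # Any 4 adjacent keys on one row, typed in either direction.
    walks = [row[i:i + 4] for row in KEY_ROWS for i in range(len(row) - 3)]
    if any(w in lower or w[::-1] in lower for w in walks):
        found.append("keyboard walk")
    return found

def audit(pw: str) -> tuple:
    """(naive entropy in bits, patterns that make that figure meaningless)."""
    return round(naive_entropy_bits(pw), 1), predictable_patterns(pw)

if __name__ == "__main__":
    # First three samples are the page's own examples; the last is constructed.
    for sample in ("password123", "qwerty", "p@ssw0rd", "vT7#qLm2&Zr9xK!c"):
        bits, patterns = audit(sample)
        print(f"{sample:18} {bits:6.1f} bits  {patterns or 'no known pattern'}")
```

On the formula alone, password123 scores about 57 bits, above the 52-bit "Medium" row in the table, yet the pattern check flags it at once.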

✓ DO

  • Use 16+ characters
  • Use all character types
  • Use a unique password per site
  • Store in a password manager
  • Enable 2FA on all accounts
  • Generate randomly (not manually)

✗ DON'T

  • Use dictionary words
  • Use names, birthdays, or dates
  • Reuse passwords across sites
  • Use keyboard patterns (qwerty)
  • Use l33tspeak substitutions
  • Store in a text file or browser only

Common Questions

How long should my passwords be?

At minimum 16 characters for general accounts. For high-value accounts (email, banking, password manager master password), use 20+ characters. If a site limits password length below 16, note it as a security red flag.

Is a passphrase better than a random password?

Passphrases (4+ random dictionary words) are both strong and memorable: "correct-horse-battery-staple" has ~44 bits of entropy per word. For accounts requiring memorization, a 5+ word passphrase is excellent. For everything else, a random 20-character password stored in a password manager is stronger.

How often should I change my passwords?

Modern security guidance (NIST SP 800-63B) no longer recommends mandatory periodic password changes unless there is evidence of compromise. Changing passwords frequently encourages weak, predictable patterns. Instead: use strong unique passwords and change immediately if a breach is suspected.

Can attackers crack a 16-character password?

A 16-character random password with all character types has ~105 bits of entropy. At 100 trillion guesses per second (current GPU clusters), cracking it would take longer than the age of the universe. In practice, attackers rely on stolen hashes, phishing, or reuse — not brute force of truly random passwords.
