How attackers crack passwords, what makes a password genuinely strong, why password managers are essential, and the practical steps you can take today to protect every account you own.
How Attackers Actually Crack Passwords
To understand why password advice matters, you first need to understand how attacks work. Attackers do not sit at a keyboard and manually guess your password. They run automated software that can test millions — sometimes billions — of combinations per second against a list of stolen password hashes.
Brute-Force Attacks
A brute-force attack systematically tries every possible combination of characters, starting from the shortest and working up. The speed depends on the available hardware. A modern consumer graphics card can test around 8 billion MD5 password hashes per second. That sounds alarming until you do the maths on a well-constructed password — more on that in the entropy section below.
A 6-character lowercase password has 26⁶ = approximately 309 million combinations. Fast hardware exhausts this in under a second. An 8-character lowercase password (26⁸ ≈ 209 billion) takes minutes. A 12-character password using all character types has more combinations than most hardware can check in a human lifetime.
Key takeaway: Length is the single most powerful defence against brute force. Every extra character multiplies the difficulty exponentially, not linearly.
Dictionary Attacks
Dictionary attacks are far more efficient than brute force for most real-world passwords. Instead of trying every combination, they work through curated wordlists containing millions of common passwords, names, sports teams, song lyrics, movie quotes, and known substitution patterns.
Attackers know that people often replace letters with numbers: "a" becomes "@", "e" becomes "3", "i" becomes "1". They also know people capitalise the first letter and add a number or exclamation mark at the end. All of these patterns are built into modern attack rulesets. "P@ssw0rd!" is no harder to crack than "password" for a well-configured dictionary attack — it's on the list.
Credential Stuffing
Credential stuffing is one of the most widespread attacks today, and it specifically targets password reuse. When a company suffers a data breach, the stolen username and password pairs are compiled into databases and sold on underground markets. Attackers then automatically try those exact credentials across hundreds of other websites.
If you used the same password on a gaming forum that got breached three years ago as you do on your email account today, that email account is at risk — right now. Credential stuffing attacks are fully automated, cheap to run, and devastatingly effective against reused passwords.
Phishing
Phishing bypasses all of this entirely by tricking you into handing over your password voluntarily. A convincing fake login page — identical to your bank, email provider, or workplace system — captures your credentials the moment you type them. No amount of password strength helps against phishing, which is why two-factor authentication (covered below) is the essential companion to a strong password.
What Makes a Password Strong?
A strong password has three qualities: it is long, it uses a diverse character set, and it is unpredictable. These three properties work together.
Length
Length is the dominant factor in password strength. Each additional character multiplies the number of possible combinations by the size of the character set. Going from 8 characters to 16 doesn't double the difficulty — using a 95-character set (all printable ASCII), it raises the combinations from 95⁸ (about 6.6 quadrillion) to 95¹⁶ (about 44 quintillion quadrillion). That is an increase of roughly 6.6 billion times harder.
For most accounts, 12 characters is the minimum worth targeting. For sensitive accounts — email, banking, cloud storage — use 16 or more.
Character Diversity
The "search space" for a brute-force attack is determined by how many possible characters could appear at each position. A password using only lowercase letters gives an attacker a pool of 26 characters per position. Adding uppercase doubles it to 52. Adding digits pushes it to 62. Adding common symbols takes it to around 95 — nearly four times larger than lowercase alone. A larger pool means exponentially more combinations for every additional character of length.
Unpredictability
A password can be long and use multiple character types and still be weak if it follows a predictable pattern. "Hello World!" is 12 characters with mixed types, but it's a known phrase. "Tr0ub4dor&3" follows substitution rules that attackers model explicitly. True unpredictability means no relationship to words, phrases, keyboard patterns, or personal information. This is what a generator produces — and what human intuition consistently fails to achieve.
Understanding Entropy
Security researchers measure password strength using entropy, expressed in bits. Each bit of entropy doubles the number of guesses an attacker must make. A password with 40 bits of entropy requires 2⁴⁰ guesses (about 1 trillion) to guarantee finding it, and half that on average.
Entropy is calculated from the password length and the size of the character pool:
Entropy (bits) = Length × log₂(Pool Size)
Here's what that looks like in practice:
Password type
Length
Pool
Entropy
Crack time*
Lowercase only
8
26
38 bits
Minutes
Mixed case + digits
10
62
60 bits
Days
All character types
12
95
79 bits
Years
All character types
16
95
105 bits
Centuries
All character types
20
95
131 bits
Uncrackable
*Approximate, assuming 10 billion guesses per second (high-end GPU cracking). Online attacks are far slower due to rate limiting.
Try it: Use the PassGens Strength Checker to see the entropy score and estimated crack time for any password you're considering.
How to Create Strong Passwords
Use a Generator
The most reliable way to create a strong password is to not create it yourself. Human beings are bad at randomness — we unconsciously apply patterns, avoid certain character combinations, and gravitate toward familiar structures. A password generator uses cryptographically secure randomness to produce passwords with no patterns whatsoever.
The PassGens generator uses the Web Cryptography API (crypto.getRandomValues), the same entropy source used by operating systems and security software. One click produces a password that is mathematically indistinguishable from pure noise — which is exactly what you want.
Settings to Use
Set length to at least 16 characters for any account that matters
Enable all character types: lowercase, uppercase, digits, symbols
Use "Exclude Similar" only if you need to type the password manually (TV remotes, game consoles)
Use "Exclude Ambiguous" if the site rejects certain symbols
Never reduce length below 12 characters, even for low-stakes accounts
What Not to Do
Don't modify a generated password to make it "easier to remember" — this reintroduces patterns
Don't use a passphrase as a shortcut if it's built from predictable words
Don't use the same password on multiple sites, even if it's a strong one
Don't store passwords in a plain text file, a note on your phone, or a sticky note
Password Managers: The Missing Piece
The single biggest obstacle to good password hygiene is memory. You cannot memorise a unique 20-character random password for 50 different accounts — nobody can. This is why most people reuse passwords. The solution is not to make passwords easier to remember; it's to stop trying to remember them.
A password manager stores all your passwords in an encrypted vault, unlocked by one single master password (or biometrics). You only need to remember one thing — every site gets its own unique, randomly generated credential. Most password managers also:
Auto-fill credentials on websites and apps
Alert you when a stored password appears in a known data breach
Generate strong passwords directly within the browser extension
Sync securely across all your devices
Store secure notes, credit card details, and identity information
Which Password Manager Should I Use?
Bitwarden is the top recommendation for most people. It's free, fully open-source (the code is publicly audited), and syncs across unlimited devices. The premium tier costs a few dollars per year and adds advanced features most people won't need.
1Password is excellent for families and teams. It has a polished interface, strong security track record, and good support. Paid only.
Apple Keychain and Google Password Manager are solid built-in options if you're deeply invested in one ecosystem. They're free, seamlessly integrated, and handle basic needs well — though they're harder to use across mixed platforms.
Dashlane and Keeper are reputable commercial options with additional security monitoring features.
Important: Your master password must be strong and memorable — it's the one you can't generate and store in the manager. Use a long passphrase of four or more random unrelated words, ideally 20+ characters. Write it down and store it somewhere physically secure when you first set up.
Two-Factor Authentication: Your Safety Net
A strong, unique password is excellent defence. A strong, unique password combined with two-factor authentication (2FA) means an attacker who somehow obtains your exact password still cannot access your account.
2FA requires you to prove your identity with something you know (your password) and something you have (typically a time-based code generated on your phone, or a physical hardware key). Because the code changes every 30 seconds and is generated locally on your device, it cannot be stolen from a database breach.
Where to Enable 2FA First
Email accounts — most critical, because email resets every other account's password
Banking and financial accounts
Work or business accounts
Any account with stored payment information
Social media accounts with significant followers or business use
App-Based vs SMS-Based 2FA
Use an authenticator app rather than SMS wherever possible. SMS-based 2FA can be intercepted through SIM-swapping attacks, where an attacker convinces your phone carrier to transfer your number to a SIM they control. App-based codes (generated by apps like Google Authenticator, Authy, or your password manager's built-in TOTP) are immune to this attack because the codes never travel over the phone network.
Hardware security keys (YubiKey, Google Titan) offer the strongest 2FA available and are phishing-resistant by design. Worth considering for your email and most sensitive accounts.
Have You Already Been Breached?
Past data breaches may have already exposed your credentials without your knowledge. Breaches often aren't discovered — or disclosed — for months or years after they occur. By the time you hear about a breach in the news, your data may have been circulating on underground markets for a long time.
Have I Been Pwned (haveibeenpwned.com), run by respected security researcher Troy Hunt, aggregates public breach data and lets you check whether your email address appears in any known breach. It is free, widely trusted, and takes seconds to check.
If your email appears in a breach:
Change the password for that specific site immediately
Change the same password on any other site where you reused it
Check whether the breach included other sensitive data (payment cards, addresses)
Enable 2FA on the affected account if not already active
If you find yourself updating passwords across many sites after a single check, that is a strong signal it's time to move to a password manager and unique passwords everywhere. Doing it once properly eliminates the cascading risk permanently.
Passwords by Account Type
Not all accounts carry the same risk. A data breach of your streaming service subscription is inconvenient. A breach of your primary email is catastrophic — it resets every other password you own. Allocate your security effort accordingly.
Critical Accounts (highest priority)
Email, banking, investment accounts, cloud storage (iCloud, Google Drive, Dropbox), password manager master password, work systems, domain registrar. Use 20+ character randomly generated passwords, unique per account, with 2FA enabled using an authenticator app or hardware key.
Important Accounts
Social media, shopping accounts with saved payment methods, health accounts, government services. Use 16+ character generated passwords, unique per account, with 2FA where available.
Low-Stakes Accounts
Content sites, forums, one-off signups, free trials. A unique 12-character generated password is sufficient. Still unique — credential stuffing is automated and costs attackers almost nothing, so a reused password here puts your important accounts at risk.
Never reuse your email password anywhere else. Your email account controls password resets for virtually everything. If it's compromised, every other account can be taken over in minutes regardless of how strong those passwords are.
The Future: Passkeys
Passwords have a successor. Passkeys are a new authentication standard backed by Apple, Google, Microsoft, and the FIDO Alliance that replaces passwords entirely with cryptographic key pairs. When you create an account with passkey support, your device generates a key pair: the private key stays on your device, and the public key goes to the website. Logging in proves you have the private key using biometrics (Face ID, fingerprint) or your device PIN — no password is ever created, stored, or transmitted.
Passkeys are phishing-resistant by design — there's no password to steal and no fake login page can capture the key. They're immune to database breaches because the private key never leaves your device. They're already supported by Apple ID, Google accounts, Microsoft accounts, PayPal, GitHub, 1Password, and many more services, with adoption accelerating rapidly.
Until passkeys are universal — which will take years — a password manager, randomly generated unique passwords, and 2FA remain the best available defence for most people. Think of passkeys as the destination; the practices in this guide are the bridge to get there safely.
Quick Reference
What to do
Why it matters
Use a random password generator
Eliminates human patterns attackers exploit
Minimum 16 characters for important accounts
Makes brute force practically impossible
Use all character types
Maximises the search space per character
Unique password for every account
Stops credential stuffing from spreading
Use a password manager
Makes unique passwords practical at scale
Enable 2FA everywhere, prioritise email
Protects you even if a password leaks
Use an authenticator app, not SMS
Prevents SIM-swapping attacks
Check haveibeenpwned.com periodically
Catch breaches before attackers exploit them
Watch for passkey support
The strongest available login when it's offered
Ready to Generate Stronger Passwords?
Use the PassGens generator to instantly create cryptographically secure passwords and usernames — free, private, and no signup required.