What Makes a Password Strong?

Password Entropy: The Science of Strength

Password strength is measured in bits of entropy — a concept from information theory. Higher entropy means more possible values, which means more guesses an attacker needs to make to crack the password by brute force.

Entropy is calculated as: bits = log₂(character_set_size ^ password_length)

To make this concrete: a password using only 26 lowercase letters at 8 characters long has 26⁸ ≈ 208 billion possible values — about 37 bits of entropy. A modern GPU can test billions of guesses per second, so this is inadequate. The same password length using 95 printable ASCII characters (26 lower + 26 upper + 10 digits + 33 symbols) gives 95⁸ ≈ 66 quadrillion possible values — about 52 bits. Still not great for a critical account.

A 16-character random password using all 95 printable ASCII characters has 95¹⁶ ≈ 4.4 × 10³¹ possible values — about 105 bits of entropy. At a trillion guesses per second, this would take millions of years to brute force.

The Four Factors That Determine Password Strength

1. Length: The single most important factor. Each additional character multiplies the number of possible passwords by the character set size. Going from 12 to 16 characters on a full ASCII character set increases the search space by a factor of 95⁴ = about 81 million.

2. Character set: Using all four character types (lowercase, uppercase, digits, symbols) increases the character set from 26 to 95 — a 3.65× increase per character. This matters, but length matters more.

3. Randomness: A password must be truly random, not just appear random. Humans are terrible at generating randomness — we have predictable patterns (we favour certain letters, avoid hard-to-type symbols, use memorable substitutions like 3 for e). Use a Password Generator that uses a cryptographically secure random number generator.

4. Uniqueness: Even a perfect 20-character password is compromised the moment the service storing it has a data breach and sells your credential to attackers. If you reuse it, every account using that password is instantly compromised. Use a different password for every account.

How Attackers Actually Crack Passwords

Understanding attack methods helps you understand what "strong" really needs to defend against:

• Dictionary attacks: Testing a list of common words, names, phrases, and their leetspeak variants (p@ssw0rd, Tr0ub4dor&3). These lists contain billions of entries and run in seconds on modern hardware against weak hash algorithms like MD5.
• Rule-based attacks: Applying transformation rules to dictionary words — capitalising the first letter, adding a number at the end, substituting vowels with numbers. This cracks most "complex" passwords that are really just modified words.
• Brute force: Systematically testing every possible combination. Impractical for long passwords but very effective for short ones (under 10 characters).
• Credential stuffing: Using username/password combinations from previous data breaches. If you reuse passwords, an attacker who obtains your credentials from one breach can access all your accounts.
• Phishing: Tricking you into entering your password on a fake site. No password complexity helps against this — only vigilance and 2FA.

Common Password Mistakes

• Using personal information: Name, birthdate, pet's name, hometown. Attackers use social engineering and social media to build targeted wordlists from this data.
• Keyboard patterns: qwerty, 123456, asdfgh, zxcvbn. These are all in every dictionary attack list.
• Leetspeak substitutions: p@ssw0rd, 4dm1n. These tricks are fully known to attackers and are in every ruleset.
• Appending numbers: password1, password2023. Completely predictable.
• Reusing passwords: The most dangerous mistake. One breach exposes all your accounts.
• Short passwords: Anything under 12 characters is potentially crackable with sufficient computing resources, even with all character types.

How to Check Your Password Strength

Our Password Strength Checker analyses your password against real-world attack patterns and estimates its strength in bits of entropy. It checks for dictionary words, common patterns, and character set diversity — and gives you actionable feedback on how to improve it. All analysis happens in your browser — your password is never sent anywhere.

For generating a genuinely strong password, use our Password Generator. A 16-character random password using all character types is the gold standard for important accounts.

Frequently Asked Questions

Is length or complexity more important for a strong password?

Length is more important. A 20-character password using only lowercase letters has more entropy than a 10-character password using all character types. Length multiplies the search space exponentially, while adding character types adds it linearly. Aim for 16+ characters minimum.

Why are common words bad in passwords even if the password is long?

Dictionary attacks test common words, phrases, names, and their variations before brute-forcing random characters. A long phrase that reads naturally is more vulnerable than a shorter string of random characters, because natural language is predictable.

How long would it take to crack my password?

It depends on the hashing algorithm protecting it and attacker resources. A modern GPU can test billions of MD5 hashes per second. A bcrypt-hashed 16-character random password would take millions of years. The weakest link is usually the hashing algorithm, not the password length.

Should I use a passphrase instead of a random password?

A passphrase (4–5 random words like 'trumpet-ocean-forge-lamp') is easier to remember and has sufficient entropy for most uses. A truly random 16+ character password from a password generator is technically stronger. Both are excellent choices — the key is using a different one for every account.