What actually makes a password strong

Complexity rules are security theater, and everyone in the field knows it. The capital letter, the number, the one mandatory symbol: those rules stuck around because they fit neatly in a sign-up form, not because they stop anyone.

Passwords are about the least human thing ever asked of a human. Nobody thinks in random characters. Yet we get handed a wall of rules and told to memorize the result, then scolded when we reuse one. Passkeys are slowly fixing this, and password managers like 1Password already make a good password effortless for anything you let them store. We are not all the way there. Until we are, it helps to know what the rules are actually for, and which ones are just for show.

What actually makes a password strong?

A strong password is one nobody can guess in a reasonable amount of time. That is the whole thing. Symbols, mixed case, the "must contain a number" box: those are just one route to that goal, and often a poor one.

Guessing is hard when there are too many possibilities to get through. If your password could only have been one of a million things, a computer runs out of options fast. If it could have been one of a billion billion billion things, that same computer is still grinding away long after you have stopped caring. So the question that matters is not whether your password looks complicated. It is how many passwords it could have been.

And the rules get this backwards. They push you toward clever symbols when the biggest lever on that number, by a mile, is plain length.

Why length beats complexity

Picture each character as a dial. A lowercase dial has 26 positions. Add capitals and it has 52. Throw in digits and symbols and you might reach 95. More character types make each dial busier. But you still have the same count of dials.

Length gives you another dial. Since every dial multiplies against all the others, bolting on a fresh one does far more work than crowding an old one. Run the numbers and a 16-character password of nothing but lowercase letters beats a 10-character password that uses every symbol you can type. It is not close, and most password rules push you toward the weaker of the two.

The math behind it

The size of the search space is the character-set size raised to the length. Strength gets reported as entropy in bits, the base-2 log of that count:

bits = length × log₂(charset size)

Ten characters drawn from the 95 printable ASCII symbols:

10 × log₂(95) ≈ 65.7 bits

Sixteen characters drawn from 26 lowercase letters:

16 × log₂(26) ≈ 75.2 bits

The longer, plainer password wins, roughly 75 bits to 66. Length sits inside the multiplication; character variety only changes the base of the log. Every extra character buys a fresh log₂(charset) bits, and every extra bit doubles the work for whoever is trying to crack it.

What is password entropy?

Entropy turns up in every password argument and sounds scarier than it is. It is one number for how unpredictable a password is, counted in bits. The handy part is the rule that goes with it: each extra bit doubles the time to crack the thing.

So 60 bits is not a hair stronger than 59. It is twice as strong. Seventy bits is more than a thousand times tougher than 60. This is why people who work on this stuff reach for entropy instead of arguing about symbols. One number, and it actually means something.

Why we assume the attacker knows your method

Entropy math assumes the attacker knows precisely how the password was built: the alphabet, the length, the generator, everything except the random draws themselves. That is Kerckhoffs's principle, and it is the only assumption worth trusting. Security that leans on the method staying secret collapses the moment the method leaks, and methods always leak.

One sharp consequence falls out of this. Any predictable step contributes zero bits. Capitalizing the first letter of every word adds nothing once an attacker knows that is your habit. A trailing "1" adds nothing. Honest entropy counts the genuinely random choices and ignores the decoration.

How long would my password take to crack?

Everyone wants this number, and the honest version has a catch: it depends entirely on who is coming after it. The same password can be "centuries" against one attacker and "before lunch" against another. What changes is how many guesses per second they can run.

Attacker               Guesses per sec   The situation
Online, throttled      ~100              Hammering a live login that locks them out after a few tries
Offline, fast GPU      ~10 billion       They grabbed a leaked database and crack the hashes on their own rig
Offline, big cluster   ~1 trillion       A well-funded operation spending real money on the problem

A good password tool shows the crack time and lets you choose which attacker to picture. The password guarding a junk forum account can be weak with no harm done. The master password sitting on top of everything else cannot.

The crack-time formula

On average an attacker hits the right answer halfway through the space, so:

average time = 2^(bits − 1) / guesses per second

Eighty bits against the 10-billion-per-second GPU:

2^79 / 10¹⁰ ≈ 6.0 × 10¹³ s ≈ 1.9 million years

The same 80 bits against the trillion-per-second cluster comes down to about 19,000 years. Still safe, and you can watch the attacker's budget swing the answer by orders of magnitude. Drop to 50 bits and that cluster is done in under a minute.

Passphrases or random passwords?

Two good ways to reach high entropy. The right one depends on whether a person has to remember it.

A random string like k7$Wm2pQ!vX9 crams the most entropy into the fewest characters. Perfect for anything a password manager holds, since you never type it yourself. The downside writes itself: nobody is memorizing that.

A passphrase like correct-horse-battery-staple-anchor-velvet goes the other way. Several random words instead of random characters. Longer, but a person can actually keep it in their head and type it without crying, and it reaches just as much entropy as the cryptic string. This is what you want for the few passwords that live in your memory rather than your vault, like your device login or the master password on the manager itself.

The math of word-based passwords (diceware)

The common method uses the EFF large wordlist, 7,776 hand-picked words. A word drawn at random from it carries log₂(7,776) ≈ 12.9 bits per word. So six words give you 6 × 12.9 ≈ 77.5 bits. That clears most random passwords people pick for themselves, and you can say it out loud. Each extra word adds another 12.9 bits, so seven words pushes past 90.

The math only holds if the words come from a real random source, dice or a cryptographic generator. A human picking words "at random" leans on familiar ones and quietly wrecks the entropy. The randomness is the part that matters.
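The entropy, crack-time and diceware arithmetic from the three sections above, worked through as an added Python example (not code from the original article). The attacker rates are the ones in the table above; the word list is a constructed eight-word stand-in for the EFF list, while the entropy math assumes the real list's 7,776 entries.

```python
import math
import secrets

# Guesses per second for the three attacker profiles in the table above.
ATTACKERS = {
    "online, throttled": 1e2,
    "offline, fast GPU": 1e10,
    "offline, big cluster": 1e12,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, charset_size: int) -> float:
    """bits = length x log2(charset size); valid only for a uniformly random password."""
    return length * math.log2(charset_size)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the right guess lands halfway through the space: 2^(bits-1) guesses."""
    return 2 ** (bits - 1) / guesses_per_second


def crack_years(bits: float, guesses_per_second: float) -> float:
    return average_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def diceware_bits(words: int, wordlist_size: int = 7776) -> float:
    """Each word drawn uniformly from the 7,776-word list adds log2(7776), about 12.9 bits."""
    return words * math.log2(wordlist_size)


def diceware_passphrase(wordlist: list, words: int = 6, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets); a human 'picking at random' is not uniform."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


# Constructed 8-word stand-in for the EFF large list. With a list this small a
# passphrase is worth only log2(8) = 3 bits per word; the real list gives 12.9.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "velvet", "marble", "quartz"]

if __name__ == "__main__":
    for label, length, size in [("10 chars, 95-char set", 10, 95), ("16 chars, lowercase", 16, 26)]:
        print(f"{label}: {entropy_bits(length, size):.1f} bits")
    print(f"6 diceware words: {diceware_bits(6):.1f} bits, 7 words: {diceware_bits(7):.1f} bits")
    for name, rate in ATTACKERS.items():
        print(f"80 bits vs {name}: {crack_years(80, rate):.3g} years on average")
    print("sample passphrase (toy list):", diceware_passphrase(SAMPLE_WORDLIST))
```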

When the rules make your password worse

Here is the uncomfortable part. The rules a site forces on you, the "8 to 16 characters, one capital, one number, one symbol" routine, were supposed to produce strong passwords. They mostly produce Password1! and Summer2024!. Predictable patterns that tick every box and fall in seconds.

A maximum length is worse than useless. A site that refuses anything past 16 characters has put a hard ceiling on how strong your password can be, and that ceiling belongs to the site, not to you.

Then there is the truly maddening tier. Sites that allow some symbols but not others. Sites that forbid a character repeating. Military DS Logon is a repeat offender here. A password manager like 1Password will happily generate a strong password and let you toggle whole categories on or off, but it will not let you exclude one specific symbol that some site has decided to ban. So you end up generating, getting rejected, editing by hand, and watching your nice random password turn into something you tinkered with. A generator that lets you state the exact rules a site imposes, down to the banned characters, and then hands you the strongest password that fits inside them, fixes a genuinely annoying corner of daily life. An honest one also tells you when those rules dragged your strength down, instead of pretending the cramped result is great.
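A generator of the kind the paragraph above asks for, as an added Python example (not 1Password's code or any real tool's). The site policy it is fed (a length cap, a handful of banned characters, required classes) is a constructed assumption; the point is that the result reports how many bits those rules cost instead of pretending the cramped password is fine.

```python
import math
import secrets
import string

# The 95 printable ASCII characters: letters, digits, punctuation, space.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)


def generate_within_rules(wanted_length: int, max_length: int = 0,
                          banned: str = "", require: tuple = ()) -> dict:
    """Uniform random password inside a site's rules, plus the entropy it cost.

    "Must contain" rules are met by rejection sampling, not by patching the
    password afterwards: a fix-up step ("append a digit") is a predictable
    pattern an attacker can model, while rejection keeps every surviving
    candidate equally likely. max_length of 0 means the site has no cap.
    """
    length = min(wanted_length, max_length) if max_length else wanted_length
    alphabet = "".join(c for c in FULL_ALPHABET if c not in banned)
    for cls in require:
        if not CLASSES[cls] & set(alphabet):
            raise ValueError(f"site requires a {cls} character but bans all of them")
    for _ in range(1000):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(CLASSES[cls] & set(candidate) for cls in require):
            break
    else:
        raise RuntimeError("rules too restrictive to satisfy by random draw")
    # length x log2(alphabet) slightly overstates entropy once "must contain"
    # rules exclude some strings; at these lengths the gap is negligible.
    achieved = bits(length, len(alphabet))
    unconstrained = bits(wanted_length, len(FULL_ALPHABET))
    return {"password": candidate, "bits": round(achieved, 1),
            "bits_lost": round(unconstrained - achieved, 1)}


if __name__ == "__main__":
    # Constructed site policy: 16-char cap, six banned characters, three required classes.
    report = generate_within_rules(20, max_length=16, banned=" <>\"'&",
                                   require=("upper", "digit", "symbol"))
    print(report)
```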

Why the naive formula lies about human-chosen passwords

The length × log₂(charset) formula treats every character as an independent random pick. True for a generated password. Fiction for one a person chose, and the fiction runs in the dangerous direction, making weak passwords look strong. Summer2025! scores about 72 bits on the naive formula. Its real strength is a sliver of that, because an attacker does not guess blindly. They guess in order: dictionary words first, then the obvious swaps (a to @, o to 0), then years and seasons, then keyboard runs like qwerty. Tools such as zxcvbn estimate that pattern-aware difficulty rather than the fantasy number, which is why a serious strength checker runs one instead of trusting the raw formula.
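The Summer2025! comparison above, as an added Python example (not zxcvbn and not the article's own code): the naive formula beside a deliberately simplified pattern-aware scorer that counts guesses the way an ordered search would. The season list, symbol list and year span are constructed stand-ins for the real dictionaries such a checker holds; only their sizes matter for the arithmetic.

```python
import math
import re

# Constructed stand-ins for the lists a pattern-aware checker (or an ordered
# guessing attack) holds. A word drawn from a list costs log2(list size) bits,
# not log2(95) per letter, which is the whole gap between the two numbers.
SEASON_WORDS = ["spring", "summer", "autumn", "fall", "winter"]
COMMON_SYMBOLS = "!@#$%^&*"
YEAR_SPAN = 200          # four-digit years 1900 to 2099
CASE_VARIANTS = 3        # all lower, First capital, ALL CAPS


def naive_bits(password: str) -> float:
    """length x log2(charset), charset inferred from the classes present.
    Treats every character as an independent random pick, the assumption
    that holds for a generator and fails for a person."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33   # symbols and space
    return len(password) * math.log2(size)


def pattern_bits(password: str):
    """Toy pattern-aware estimate: explain the password as word [+ year] [+ symbol]
    and count the guesses an attacker working through those lists in order needs.
    Returns None when the password does not fit the one template this toy knows
    (zxcvbn knows many more: leetspeak swaps, keyboard runs, dates, repeats)."""
    m = re.fullmatch(r"([A-Za-z]+)((?:19|20)\d\d)?([^A-Za-z0-9])?", password)
    if not m or m.group(1).lower() not in SEASON_WORDS:
        return None
    word, year, symbol = m.groups()
    guesses = len(SEASON_WORDS) * CASE_VARIANTS
    if year:
        guesses *= YEAR_SPAN
    if symbol:
        guesses *= len(COMMON_SYMBOLS) if symbol in COMMON_SYMBOLS else 33
    return math.log2(guesses)


if __name__ == "__main__":
    for pw in ["Summer2025!", "k7$Wm2pQ!vX9"]:
        est = pattern_bits(pw)
        shown = "no pattern found" if est is None else f"{est:.1f} bits"
        print(f"{pw}: naive {naive_bits(pw):.1f} bits, pattern-aware {shown}")
```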

Has my password already leaked?

A strong password is still burned if it is already sitting in a breach somewhere. Billions of real passwords have spilled over the years, and attackers try those first, before they bother guessing anything. You can check whether a given password shows up in known breaches, and you can do it without sending the password anywhere, using a trick called k-anonymity.

It is worth knowing how that works, since the difference between a breach check that protects you and one that quietly leaks your password is exactly that trick. Here is how it actually works.
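The k-anonymity check in code, as an added Python example (not the article's own): hash the password locally with SHA-1, send only the first five hex characters, and match the remaining 35 against the returned suffixes on your own machine. The range response below is constructed with made-up counts so the example runs offline; fetch_range_hibp assumes the Have I Been Pwned range endpoint and is not called by the offline demo.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # assumed HIBP Pwned Passwords endpoint


def split_hash(password: str) -> tuple:
    """SHA-1 the password locally. Only the 5-char prefix is ever sent; the
    35-char suffix stays here. A 5-char prefix covers roughly one in a million
    of all SHA-1 values, so the server learns a bucket, not your password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(range_response: str, suffix: str) -> int:
    """Scan 'SUFFIX:COUNT' lines for our suffix; 0 means not in the breach set."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def fetch_range_hibp(prefix: str) -> str:
    """Real network lookup of one prefix bucket (assumed endpoint)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_hibp) -> int:
    prefix, suffix = split_hash(password)          # the only thing sent is prefix
    return match_suffix(fetch_range(prefix), suffix)


# Constructed bucket for prefix 5BAA6 (the prefix of SHA-1("password")).
# Counts are made up; only the local suffix matching is being demonstrated.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "0" * 34 + "1:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "F" * 35 + ":7",
    ]),
}


def fake_fetch(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct-horse-battery-staple-anchor-velvet"]:
        print(f"{pw!r}: seen {breach_count(pw, fake_fetch)} times (constructed data)")
```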


Common questions

What makes a password strong?

How hard it is to guess, which comes down to how many things it could have been. Length grows that count faster than any symbol does, so a long random password or a multi-word passphrase beats a short complicated one.

Is a longer password better than a more complex one?

Usually by a lot. Each character you add multiplies the total possibilities, while one extra symbol only dresses up a single position. A 16-character lowercase password is stronger than a 10-character one that uses every symbol type.

What entropy should I aim for?

Seventy to 80 bits covers important accounts comfortably. Under 50 is crackable by anyone serious. Past 100 is out of reach for the foreseeable future.

Passphrase or random password?

Random string from a generator for everything your password manager stores. Multi-word passphrase for the few you actually memorize and type, like a master password or device login.

Why do some sites make my password weaker?

Length caps and symbol bans limit how much entropy you can pack in. When a site blocks long passwords or certain characters, it is capping your security, and the weakness is theirs.