Strong Passwords: What Actually Works in 2026

March 4, 2026 · 8 min read · security, passwords, cybersecurity, privacy

"Password123" still ranks in the top 20 most common passwords every year. So does "qwerty", "admin", and — remarkably — the word "password" itself. These aren't outliers from a handful of careless users. NordPass's annual analysis of leaked credential databases consistently finds that hundreds of millions of accounts use passwords that can be cracked in under one second. The bar for password security is low. The good news is that clearing it doesn't require memorizing 32-character random strings.

How Attackers Actually Crack Passwords

Understanding what makes a password strong requires understanding how they're broken. Attackers don't sit at a keyboard typing guesses. They use automated tools running specific strategies.

Brute Force Attacks

The simplest approach: try every possible combination. A 4-character password using only lowercase letters has 26^4 = 456,976 possibilities, which a modern GPU exhausts in milliseconds. Each character you add multiplies the search space by the size of the alphabet (26 for lowercase, 95 for the full printable ASCII set), so the count grows exponentially with length:

| Password length | Lowercase only (26) | + Uppercase (52) | + Numbers (62) | + Symbols (95) |
|---|---|---|---|---|
| 6 characters | 309 million | 20 billion | 57 billion | 735 billion |
| 8 characters | 209 billion | 53 trillion | 218 trillion | 6.6 quadrillion |
| 10 characters | 141 trillion | 145 quadrillion | 839 quadrillion | 60 quintillion |
| 12 characters | 95 quadrillion | 390 quintillion | 3.2 sextillion | 540 sextillion |

At 10 billion guesses per second (a realistic figure for a GPU rig attacking a fast hash such as MD5 or NTLM), an 8-character lowercase password falls in about 21 seconds. Add uppercase, numbers, and symbols, and exhausting the 8-character space takes about 7.7 days. Jump to 12 characters from the full set and you're looking at roughly 1.7 million years. Two caveats a practitioner would add: these are offline figures for an attacker who already holds a copy of the hashed password (an online login form is rate-limited to a few guesses per second), and they assume a fast hash; a deliberately slow function such as bcrypt, scrypt or Argon2 cuts the guess rate by several orders of magnitude. On average the attacker finds the password after searching half the space, so expected times are half of these.

Length beats complexity. Twelve lowercase characters (95 quadrillion) already outweigh eight characters from the full set (6.6 quadrillion): each added character multiplies the space by the whole alphabet, while adding a character class multiplies each position by only two to four times.

Dictionary Attacks

Rather than trying every combination, dictionary attacks use lists of known passwords, common words, and predictable patterns. These lists include:

  • Leaked passwords from previous data breaches (billions of entries)
  • English dictionary words and common names
  • Keyboard patterns (qwerty, zxcvbn, 1qaz2wsx)
  • Common substitutions (p@ssw0rd, h3llo, s3cur1ty)

That last point is critical. Replacing "a" with "@" or "o" with "0" feels clever, but attackers have been accounting for leetspeak substitutions for decades. "P@$$w0rd" is barely harder to crack than "Password" — the dictionary attack checks both.
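To make that concrete, here is an added example (it is not from the original article or from any cracking tool's source) of the kind of rule-based expansion a cracker applies to a wordlist before hashing the candidates. The substitution table, case rules and suffix list are an assumed, deliberately small subset of what real rule sets contain:

```python
import itertools
from typing import Iterable

# Assumed leetspeak table: a small subset of what real cracking rule sets cover.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Assumed suffix list; real rule sets append years, digits and symbols far more widely.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2024", "2025", "2026"]


def leet_variants(word: str) -> set[str]:
    """Every way of swapping zero or more letters of `word` for their leet forms."""
    choices = []
    for ch in word:
        alternatives = [ch] + list(LEET.get(ch.lower(), ""))
        choices.append(alternatives)
    return {"".join(combo) for combo in itertools.product(*choices)}


def case_variants(word: str) -> set[str]:
    """The three case shapes people actually use."""
    return {word.lower(), word.upper(), word.capitalize()}


def expand(words: Iterable[str]) -> set[str]:
    """Apply case, leet and suffix rules to each base word, like a cracker's rule engine."""
    candidates: set[str] = set()
    for word in words:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                candidates.update(leeted + suffix for suffix in SUFFIXES)
    return candidates


def guesses_to_cover(word: str) -> int:
    """How many guesses it costs an attacker to try every decoration of one word."""
    return len(expand([word]))


if __name__ == "__main__":
    wordlist = ["password", "dragon", "welcome"]
    candidates = expand(wordlist)
    for decorated in ["P@$$w0rd", "Passw0rd1!", "DRAGON2026", "W3lc0me!", "k7$Qm9!xR2@p"]:
        status = "cracked" if decorated in candidates else "not in rule set"
        print(f"{decorated:14} {status}")
    print(f"{guesses_to_cover('password')} guesses cover every decoration of 'password'")
```

A single base word expands to 1,458 candidates here, which at 10 billion guesses per second is well under a microsecond of work. The rule files that ship with hashcat (best64, dive) are far larger than this toy, so any password built by decorating a word should be treated as already cracked.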

Credential Stuffing

This isn't cracking at all — it's reuse. Attackers take email/password pairs from one breach and try them on every other service. If you used the same password for LinkedIn and your bank, a LinkedIn breach compromises your bank account.

This is why password reuse is the single most dangerous habit in digital security. A strong password used everywhere is weaker than a mediocre password used once.
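Credential stuffing also leaves a signature on the defender's side. The following is an added example, not part of the original article, of detection logic run over a handful of constructed login log lines: one source IP trying many different usernames and mostly failing is stuffing, while one IP hammering a single username is ordinary brute force and needs a different rule. The log format, the IP addresses (taken from the RFC 5737 documentation ranges) and the thresholds are all assumptions made for the illustration:

```python
import re
from collections import defaultdict

# Assumed log format; real systems log authentication events in their own shapes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample, not real traffic. Three sources:
#   198.51.100.4  a user who mistypes once, then logs in      (normal)
#   203.0.113.7   eight different accounts, one of them works  (stuffing)
#   192.0.2.9     one account, six failures                   (brute force, not stuffing)
SAMPLE_LOG = """\
2026-03-04T10:00:01Z ip=198.51.100.4 user=alice result=FAIL
2026-03-04T10:00:09Z ip=198.51.100.4 user=alice result=OK
2026-03-04T10:00:10Z ip=203.0.113.7 user=alice result=FAIL
2026-03-04T10:00:10Z ip=203.0.113.7 user=bob result=FAIL
2026-03-04T10:00:11Z ip=203.0.113.7 user=carol result=FAIL
2026-03-04T10:00:11Z ip=203.0.113.7 user=dave result=OK
2026-03-04T10:00:12Z ip=203.0.113.7 user=erin result=FAIL
2026-03-04T10:00:12Z ip=203.0.113.7 user=frank result=FAIL
2026-03-04T10:00:13Z ip=203.0.113.7 user=grace result=FAIL
2026-03-04T10:00:13Z ip=203.0.113.7 user=heidi result=FAIL
2026-03-04T10:01:00Z ip=192.0.2.9 user=bob result=FAIL
2026-03-04T10:01:01Z ip=192.0.2.9 user=bob result=FAIL
2026-03-04T10:01:02Z ip=192.0.2.9 user=bob result=FAIL
2026-03-04T10:01:03Z ip=192.0.2.9 user=bob result=FAIL
2026-03-04T10:01:04Z ip=192.0.2.9 user=bob result=FAIL
2026-03-04T10:01:05Z ip=192.0.2.9 user=bob result=FAIL
"""


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts and mostly fail.

    Stuffing uses leaked email/password pairs, so the hit rate is low but each
    hit is a real account takeover: the successful usernames are reported so the
    defender can reset those accounts, not just block the IP.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["hits"].append(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "hits": s["hits"],
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {stats}")
```

The brute-force source is deliberately not flagged: it fails every time but against a single account, which calls for per-account lockout or a slow hash, not the per-IP rule above. A production rule would also bound the counts to a time window and look at distinct IPs per username, since stuffing tools spread attempts across proxies.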

What Makes a Password Strong

Based on how attacks work, a strong password has three properties:

  1. Long — 12 characters minimum, 16+ preferred. Length is the most important factor.
  2. Unpredictable — Not a dictionary word, name, date, or common pattern. The randomness makes brute force the only viable attack, and length makes brute force infeasible.
  3. Unique — Used on exactly one account. This eliminates credential stuffing entirely.

The Passphrase Approach

Random character strings like k7$Qm9!xR2@p are strong but nearly impossible to memorize. Passphrases offer a middle ground: string together 4-6 random words to create something long, unpredictable, and memorable.

Examples:

  • correct-horse-battery-staple (28 characters; it is famous from the xkcd comic and therefore sits in every cracking wordlist, so don't use it literally)
  • umbrella-canyon-telescope-marble (32 characters)
  • frozen-laptop-bicycle-penguin-seven (35 characters)

The key word is random. "I-love-my-dog" is a passphrase, but it's predictable. Use a random word generator or pick words by opening a dictionary to random pages.

A 4-word passphrase from a 10,000-word list has 10,000^4 = 10 quadrillion possibilities, about 53 bits of entropy. That is roughly the same as an 8-character password drawn from the full 95-character set (6.6 quadrillion) and far beyond a 10-character lowercase one (141 trillion), and you can actually remember it. Each extra word multiplies the space by another 10,000. The strength comes from the random choice, not from the attacker not knowing your method: assume the word list is public.
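The arithmetic behind the brute-force table above and the passphrase comparison, as an added example that is not from the original article. The 10 billion guesses per second figure is the article's; the slow-hash and online-form rates are assumed round numbers included only to show how much the password hash and rate limiting change the picture, not benchmarks:

```python
import math
import string

# The four character classes behind the table: 26 + 26 + 10 + 33 symbols = 95 printable ASCII.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

# Guesses per second. The first is the article's figure; the others are assumed
# round numbers to show the effect of a slow password hash and of an online form.
RATES = {
    "fast hash (MD5/NTLM), GPU rig": 10**10,
    "slow hash (bcrypt/Argon2), same rig (assumed)": 10**5,
    "online login form, rate limited (assumed)": 10,
}


def alphabet_size(password: str) -> int:
    """Alphabet a brute-forcer must assume, given which classes the password uses."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def charset_keyspace(length: int, alphabet: int) -> int:
    """Number of strings of `length` characters over an alphabet of `alphabet` symbols."""
    return alphabet ** length


def passphrase_keyspace(words: int, list_size: int) -> int:
    """Number of passphrases of `words` words drawn at random from a public list."""
    return list_size ** words


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst case: the attacker tries everything. Expected time is half of this."""
    return keyspace / rate


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def compare(random_password: str, words: int, list_size: int) -> dict:
    """Entropy and exhaustive-search times for a random character password vs a random passphrase."""
    pw_space = charset_keyspace(len(random_password), alphabet_size(random_password))
    pp_space = passphrase_keyspace(words, list_size)
    return {
        "password_bits": round(entropy_bits(pw_space), 1),
        "passphrase_bits": round(entropy_bits(pp_space), 1),
        "password_times": {name: human(seconds_to_exhaust(pw_space, r)) for name, r in RATES.items()},
        "passphrase_times": {name: human(seconds_to_exhaust(pp_space, r)) for name, r in RATES.items()},
    }


if __name__ == "__main__":
    # Regenerate the table's rows, then compare an 8-character random password with 4 random words.
    for length in (6, 8, 10, 12):
        print(length, [charset_keyspace(length, a) for a in (26, 52, 62, 95)])
    for key, value in compare("k7$Qm9!x", words=4, list_size=10_000).items():
        print(key, value)
```

Note that `alphabet_size` measures the classes a password actually contains, which is what an attacker who has seen your habits would assume; it is only a fair estimate when the characters (or words) were chosen at random. A human-chosen phrase of common words has far fewer effective possibilities than `passphrase_keyspace` reports, which is why the word "random" matters above.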

What a Strong Password Looks Like

Use a Password Generator to create truly random passwords for accounts you don't need to memorize (which is most of them, if you use a password manager). For the few passwords you do memorize — your password manager's master password, your laptop login — use a long passphrase.

Check any existing password against a Password Strength Checker to see its estimated crack time and identify weaknesses. A checker should do its work entirely in your browser; never submit a password you actually use to a service you don't trust.

Password Managers: The Practical Solution

Here's the uncomfortable truth: you cannot maintain unique, strong passwords for 100+ accounts using only your brain. The average person has 70-100 online accounts. Even if you could memorize 100 passphrases, you'd mix them up constantly.

Password managers solve this completely:

  • Generate a unique random password for every account
  • Store them in an encrypted vault
  • Auto-fill credentials when you log in
  • Sync across devices
  • Alert you to breached or reused passwords

You memorize one master password (make it a strong passphrase). The manager handles everything else.

| Feature | 1Password | Bitwarden | Apple Keychain | KeePass |
|---|---|---|---|---|
| Price | $3/month | Free (basic) | Free (Apple only) | Free |
| Cross-platform | Yes | Yes | Apple ecosystem | Yes (manual sync) |
| Cloud sync | Yes | Yes | iCloud | No (local file) |
| Open source | No | Yes | No | Yes |
| Family sharing | Yes ($5/mo) | Yes ($3.33/mo) | Yes (via Family) | Manual |
| Breach monitoring | Yes | Yes (premium) | Yes | No |

Any of these is far better than reusing passwords or storing them in a text file. Pick one and migrate your accounts over the next few weeks; you don't have to do them all at once.

Two-Factor Authentication: Your Safety Net

Even a perfect password can be compromised if the service itself gets breached and stores passwords improperly (in plaintext, or with a fast unsalted hash), or if you are tricked into typing it into a convincing fake login page. Two-factor authentication (2FA) adds a second layer: something you know (password) plus something you have (phone, security key).

2FA methods, ranked by security:

  1. Hardware security keys (YubiKey, Google Titan) used with FIDO2/WebAuthn: phishing-resistant, because the key signs a challenge bound to the real site's origin, so a look-alike domain gets a signature it can't use. The gold standard.
  2. Authenticator apps (Google Authenticator, Authy): time-based one-time codes (TOTP) generated on your device from a shared secret. Strong against password leaks and SIM swaps, but not phishing-proof: a fake login page that relays your code to the real site within its short validity window still gets in.
  3. SMS codes: better than nothing, but vulnerable to SIM swapping and to the same relay phishing. Use this only if no better option exists.
  4. Email codes: weakest 2FA. If your email is compromised, so is everything using it for 2FA.

Enable 2FA on every account that offers it, starting with email, banking, and social media. An authenticator app takes 30 seconds to set up per account and adds meaningful protection against the most common attacks.

Common Password Myths

"Special characters make passwords strong." Not on their own. H3llo! is six characters with four character types: a dictionary-plus-rules attack finds it instantly, and even pure brute force over the full 95-character set (735 billion possibilities) takes about a minute at 10 billion guesses per second. hellomynameisjohn is 17 lowercase characters: brute force would take millions of years, though because it is five common words glued together, a combinator attack that joins wordlist entries would find it far sooner. Length does more than character variety, provided the characters or words are actually random.

"Changing passwords frequently improves security." NIST (the National Institute of Standards and Technology) reversed this recommendation in 2017 in SP 800-63B. Frequent forced changes lead to weaker passwords because people default to predictable patterns (Password1, Password2, Password3). Change passwords only when you have reason to believe they've been compromised.

"Password hints help you remember." Password hints are a security hole. If the hint is useful enough to remind you of the password, it's useful enough to help an attacker guess it. Treat hints the way you treat passwords — don't make them obvious.

"My accounts aren't worth hacking." Every account has value. Your email can be used for password resets on other services. Your social media can be used for social engineering. Your old accounts may contain credit card information. Attackers aren't targeting you specifically — they're running automated tools against billions of credentials.

A Five-Step Password Upgrade Plan

You don't need to overhaul everything today. Here's a prioritized plan:

Week 1: Install a password manager. Set a strong master passphrase (4+ random words, 20+ characters).

Week 2: Change passwords on your top 5 critical accounts — primary email, banking, primary social media. Generate random passwords via the manager or a Password Generator.

Week 3: Enable 2FA on those same 5 accounts. Use an authenticator app, not SMS.

Week 4 and beyond: Every time you log into a site, update its password through your manager. Within a few months, all your frequently used accounts will have unique, strong passwords.

The goal isn't perfection on day one. It's building a system that makes strong, unique passwords the default.

Frequently Asked Questions

How long should a password be?

At minimum 12 characters, but 16+ is better. Length is the single most important factor in password strength. A random 16-character password with only lowercase letters (26^16, about 44 sextillion possibilities) is far stronger than a random 8-character password with uppercase, numbers, and symbols (95^8, about 6.6 quadrillion). Every additional character multiplies the search space by the size of the alphabet, so brute-force time grows exponentially with length.

Are passphrases better than random passwords?

For passwords you need to memorize (like a master password), yes. A 4-word random passphrase is both strong and memorable. For everything else, let a password manager generate and store fully random passwords — you'll never need to type or remember them.

How often should I change my passwords?

Only when there's a specific reason: a service announces a breach, your password manager flags a compromised credential, or you suspect unauthorized access. NIST's 2017 guidelines (SP 800-63B) recommend against routine forced password changes because they lead to weaker password choices.

Is it safe to store passwords in a browser?

Browser password storage (Chrome, Firefox, Safari) is convenient and far better than reuse, but a dedicated password manager is the stronger choice. A browser vault is unlocked whenever you are logged in to your computer, so anyone at your unlocked session, and any malware running as you, can usually read it unless you set a separate primary password; it also ties you to one browser and typically lacks secure sharing. A dedicated manager provides an independently locked, encrypted vault, cross-platform access, and stronger security controls.

What's the most important thing I can do for password security?

Stop reusing passwords. A unique password per account, even if the passwords aren't perfect, protects you from the most common attack vector: credential stuffing from data breaches. A password manager makes this practical.