April 10, 2026 · 12 min read

Password Strength Explained: Build Passwords Hackers Cannot Crack

Why most password advice is 20 years out of date. Entropy, length, passphrases, and the practical recipe that actually stops real-world attacks.

Most password advice is wrong. You have been told to use "at least 8 characters with upper, lower, numbers, and symbols", and every site enforces it. That rule traces back to a 2003 NIST document whose author has publicly said he regrets it, and NIST itself dropped composition rules from its guidance in 2017 (SP 800-63B) and now tells verifiers not to impose them at all. The rule also gets people to pick Password1! and call it safe.

Password strength is not about character classes. It is about entropy — how many possible passwords an attacker would have to try to guess yours. Once you understand what entropy is and how to maximize it, the whole topic gets simpler: length is dominant, randomness is critical, and humans are terrible at both.

This guide walks through the real math, the passphrase approach, what MFA actually buys you, and the practical recipe for 2026 — 16+ char random strings for normal sites, 6+ word passphrases for the ones you need to memorize, always unique, always in a manager.

What actually makes a password strong

A password is strong when the set of possible passwords an attacker must search through is large enough that the search is not worth running. That set is called the "keyspace"; its size, expressed as a power of two, is the password's *entropy*, measured in bits. A keyspace of 2^52 passwords is 52 bits.

Entropy is calculated from two things: the **length** of the password and the **alphabet** it was drawn from. A fully random password of length L from an alphabet of size N has log2(N^L) bits of entropy, which simplifies to L × log2(N).

  • Lowercase-only alphabet (26 chars): log2(26) ≈ 4.7 bits per character.
  • Lowercase + digits (36): log2(36) ≈ 5.2 bits per character.
  • Upper + lower + digits (62): log2(62) ≈ 5.95 bits per character.
  • All printable ASCII (95): log2(95) ≈ 6.57 bits per character.

An 8-character all-printable-ASCII password has 8 × 6.57 ≈ 52 bits of entropy. That sounds fine. It is not. A 20-character all-lowercase password has 20 × 4.7 = 94 bits. It is vastly stronger despite being "simpler" by the old rule.

How fast can a password actually be cracked?

Assume an attacker has your password hash (common after a breach) and can test 1 billion guesses per second. That rate is deliberately round: a single modern GPU exceeds it by a factor of a hundred or more against an unsalted fast hash such as MD5 or NTLM, while a properly tuned bcrypt or Argon2 brings the same GPU down to tens of thousands of guesses per second or fewer. Scale the times below accordingly; the ordering of the rows does not change. Here is how long each password type holds up:

Password                       Bits   Time to crack @ 1B guesses/sec
------------------------------ ------ ------------------------------
"Password1!"                   ~28    < 1 sec (dictionary attack)
8 chars, all ASCII random      ~52    ~50 days
12 chars, all ASCII random     ~79    ~19 million years
16 chars, all ASCII random     ~105   ~1.3 quadrillion years
20 chars, lowercase only       ~94    ~630 billion years
4 random common words          ~52    ~50 days
6 random common words          ~78    ~10 million years

Two observations. First, 12 random characters is already beyond any offline attack, even at rates a hundred times the one assumed here. Second, a 6-word passphrase and a 12-char random string are in the same league, and the passphrase is dramatically easier to memorize.


Length beats complexity

Compare two passwords:

  • Tr0ub4dor&3 — 11 characters, upper, lower, digits, symbols. About 28 bits by xkcd's count: one dictionary word, a capital in the obvious place, leet substitutions and a symbol-digit tail, every one of which is a standard cracker mangling rule. Falls to a single GPU in seconds to minutes.
  • correcthorsebatterystaple — 25 characters, all lowercase, but the entropy is that of four random words, not 25 random letters: about 44 bits by xkcd's count, ~52 bits if the words came from a 7,776-word Diceware list. Roughly 2^16 (65,000) times more work than the first, and each extra word adds another 13 bits.

Both are memorable. One is vastly stronger. xkcd 936 made this famous and the math has not changed. Widening the alphabet from 26 lowercase letters to all 95 printable characters adds log2(95/26) ≈ 1.9 bits per character, and that is everything the character-class rules can buy. Each additional character adds a full log2(N): 4.7 bits even for lowercase. On an 8-character password, switching from lowercase to every class adds about 15 bits in total; appending three more lowercase letters adds 14, and it keeps adding 4.7 per letter for as long as you care to type.

The "you need a symbol and a digit" rule survives because it stops users who would otherwise type password from doing exactly that. It is not an entropy floor: Password1! satisfies it. For anyone who has read this far, the rule is a distraction. Pick length. Every time.

Passphrases: the xkcd 936 and Diceware approach

A passphrase is a password built from random common words. The original technique is Diceware: you roll five physical dice, look up the 5-digit result (11111 to 66666) in a 7,776-word list, and take that word. Each word is worth log2(7776) ≈ 12.9 bits, so six words give 6 × 12.9 ≈ 77.5 bits, more than 12 random alphanumerics (~71 bits) and close to 12 characters from the full printable set (~79 bits).

The advantages:

  • Easier to memorize than random strings — you can say them aloud, you can picture them.
  • Easier to type on phones where symbols need a shift layer.
  • Any language works. The list itself is public and you should assume the attacker has it; the entropy comes from the dice, not from the choice of words or language.

The catch is the "random" part. If you pick four words that you think are random, they are not — you will gravitate toward words that start with common letters, words that rhyme, words you already use. Use an actual Diceware list, or a cryptographic RNG, not your own selection.

Why 4 words is the floor, not the target
The famous "correct horse battery staple" example is 4 words ≈ 52 bits — strong against today's online attacks, marginal against offline cracking of a leaked hash. For anything important (email, password manager, bank), aim for 6+ words. That is the 2026 number.

Master passwords for your password manager

The password manager holds the keys to everything. Its master password has to be simultaneously memorable (you cannot store it in the manager) and strong enough that an offline attack on a stolen vault cannot crack it. This is the one password where a passphrase wins over a random string. You have to type it every day, possibly on a phone, possibly under stress. A 6–7 word Diceware passphrase nails both constraints — 77+ bits of entropy, and you can actually remember it. A good master password looks like stage-puzzle-cactus-velvet-thunder-pencil. Six common words, separated by hyphens for typability. Never reuse it anywhere. Never write it down somewhere a stranger could find it — but a sealed copy in a locked drawer is reasonable for emergency recovery.

Why humans should never generate their own passwords

Left to yourself, you will pick a password that looks random but is not. The biases are consistent across studies:

  • Names of spouses, kids, pets, sports teams.
  • Dates of birth, anniversary years, current year.
  • Keyboard patterns (qwerty, asdf, 1qaz2wsx).
  • Leet-speak substitutions (p@ssw0rd, h3ll0) — cracker rule sets generate these automatically from the plain word.
  • Common structures like Word + Year + ! that match every site's minimum rule.

Modern password-cracking software uses dictionaries of the top few billion real passwords (harvested from breaches) plus mangling rules that cover all of the above. A human-chosen password that is not one of those billion verbatim is probably one of the trivial mangling patterns.

The fix is to let a cryptographic RNG generate it for you. A password generator running in your browser draws from Web Crypto's getRandomValues, which yields unpredictable, uniformly distributed bytes. One implementation detail matters: mapping those bytes onto an alphabet with a plain modulo (byte % 95) skews the result toward the low end of the alphabet, so a correct generator rejects and redraws out-of-range values. With that done there is no human preference and no pattern. Copy what it gives you and do not try to "improve" it.

Password reuse and MFA — the layers passwords cannot replace

This is the single most important section in the guide. Offline brute force is rarely what breaks you. What breaks you is this:

  1. You sign up to a small forum in 2019 with email you@gmail.com and password BlueSky42!.
  2. The forum gets breached in 2022. The breach file leaks online.
  3. An attacker loads the leak into a credential-stuffing tool that tries you@gmail.com + BlueSky42! against Gmail, iCloud, Amazon, your bank, your employer's portal.
  4. Every site where you used the same password is now compromised. Your "strong" password did nothing.

Password length and complexity do not save you from this. Uniqueness does. Every site needs its own password, and since no human can remember 300 unique passwords, you need a password manager.

There is a second quiet habit worth breaking. Reusing the same username or handle across every site links those accounts together even when passwords differ. For throwaway forums and low-value accounts, a username generator gives you pronounceable, non-identifying handles like silverFalcon42 that decouple your identity from any single account.

The single worst habit
Reusing the same password across "low-value" sites (forums, newsletters, small vendors). Those are also the ones most likely to be breached with weak hashing. One leak turns that reused password into an attacker's master key to everything else you have registered with the same email.

MFA as a second layer

Even with a 20-character random unique password, your account can still be compromised through phishing, device compromise, or session cookie theft. Multi-factor authentication catches these. Methods ranked by strength:

  • **Hardware security keys (YubiKey, Titan)** — strongest. WebAuthn binds each signature to the site's origin, so a phishing page on a lookalike domain gets nothing it can replay, and the private key never leaves the device.
  • **Passkeys** — the same WebAuthn key pair per site, stored on your phone or laptop and often synced through a platform account. Phishing-resistant for the same origin-binding reason; the trade-off is that a synced passkey is only as safe as the account that syncs it. Increasingly the default.
  • **Authenticator apps (TOTP codes)** — strong, the 6-digit code rotates every 30 seconds. Phishable if the user types it into a fake page, but still a big step up.
  • **Push notifications** — decent, vulnerable to MFA fatigue attacks if you blindly tap approve.
  • **SMS codes** — weakest of the "real" options, vulnerable to SIM swapping, but still better than nothing.
  • **Security questions** — not MFA, just a worse password.

For anything important — primary email, bank, password manager, work SSO — use a hardware key or passkey. The 30 seconds of setup is worth years of defense.

Manager plus master passphrase
The practical 2026 stack: a password manager (1Password, Bitwarden, KeePassXC — pick one), a 6+ word Diceware master passphrase, hardware-key MFA on the manager, and unique 16+ char random strings for every other account — generated by the password generator.

API tokens and other machine-generated secrets

Passwords are not the only thing you need random for. API keys, session tokens, CSRF tokens, invitation codes — anything a server issues that a user presents back — needs the same randomness properties. These are not memorable, so the passphrase argument does not apply; length and alphabet size do.

For API tokens, 24–32 characters from a 62-char alphabet (alphanumeric) gives 143–190 bits. That is comfortably beyond any brute-force attack and plays well with URLs. Use a random string generator with length 32 and the alphanumeric pool for most cases. For tokens that need to be URL-safe without URL-encoding, add -_ to the pool (base64url). For machine-generated identifiers where you want an industry-standard format, a UUID generator is often cleaner than a custom token, with one caveat: only a version 4 UUID from a CSPRNG carries 122 random bits; a version 1 UUID encodes a timestamp and a node address and is an identifier, not a secret.

If you need to verify tokens without storing them in plaintext, store SHA-256(token) and compare it against the hash of whatever the client presents, using a constant-time comparison. A plain fast hash is enough here, with no salt and no bcrypt-style stretching, because the token already carries well over 128 bits of entropy, so a leaked hash table cannot be brute-forced back to usable tokens. That shortcut is only safe for random tokens; human-chosen passwords still need a slow, salted hash.

The 2026 recipe

  1. Install a password manager. Bitwarden if you want free, 1Password if you want polish, KeePassXC if you want offline.
  2. Generate a 6+ word Diceware passphrase as your master password. Memorize it. Keep one written copy sealed somewhere only you (or the person you would want to recover your accounts) can reach it.
  3. Enable hardware-key or passkey MFA on the manager itself.
  4. For every site, generate a 16+ char random password using the password generator. Let the manager store it.
  5. Never reuse a password. Never.
  6. Enable MFA on every account that supports it — hardware keys for high-value, TOTP for the rest.
  7. For API tokens and machine credentials, use the random string generator at length 32+.
  8. Check haveibeenpwned.com for your email addresses, and subscribe to its breach notifications rather than relying on an annual check. If any account shows up in a breach, rotate that password immediately, along with any other place you used it.

The whole system takes an hour to set up and disappears into your workflow after that. You gain uniqueness across hundreds of sites, offline-attack resistance in the master vault, and MFA on everything high-value. That is 99% of the realistic threat model handled in a weekend afternoon.

Frequently Asked Questions

How long should my password be in 2026?

For random passwords, 16+ characters from a large alphabet (mixed letters, digits, symbols) gives ~105 bits of entropy and is uncrackable by any known hardware. For passphrases (memorable sequences of random words), aim for 6+ words using a Diceware-style list — that hits ~77 bits, which is the 2026 floor for anything you actually care about.

Is "mix of upper/lower/digits/symbols" still the right rule?

No. That rule dates from 2003 NIST guidance that its author has since publicly disowned, and NIST's current guidance tells sites not to impose it. A wider alphabet adds under 2 bits per character; each extra character adds 4.7 bits or more. A 20-character all-lowercase password (~94 bits) is stronger than a 10-character password with every class (~66 bits). Pick length first, let the generator handle the rest.

What is password entropy and why does it matter?

Entropy is the log base 2 of the number of possible passwords an attacker would have to try — essentially "how many bits of randomness" your password has. A password with 80 bits of entropy takes on the order of 2^80 guesses to crack, which is infeasible at any realistic attack rate. It is the single number that actually measures strength; character class rules are a proxy for it and a bad one.

Are passphrases like "correct horse battery staple" really secure?

Yes, when they are generated randomly and long enough. Four random common words give ~52 bits of entropy — strong against online attacks, marginal against offline cracking of a leaked hash. Six random words give ~78 bits — strong against any realistic attack. The catch is "random": you have to use a word list and dice or a cryptographic RNG, not your own mental "random" selection.

Do I really need a password manager?

Yes, because the biggest real-world risk is not brute force — it is password reuse. Every site you sign up to is a potential breach, and if the password leaks anywhere you reused it, every site is now compromised. A manager lets you store a unique password per site with zero memorization cost, and that is the only realistic way to maintain uniqueness at scale.

What should my password manager master password look like?

A 6+ word Diceware passphrase is the right call. Random strings are hard to type on mobile under stress; a passphrase of common words separated by hyphens (e.g. `stage-puzzle-cactus-velvet-thunder-pencil`) is memorable, typable, and has ~78 bits of entropy. Never reuse it anywhere, and pair it with a hardware-key or passkey MFA on the manager itself.

What is the difference between passwords and API tokens?

Passwords are human-chosen or human-used (entered on a login form), so ergonomics matter. API tokens are machine-generated and machine-used, so you do not care about memorability and can push length to 32+ characters. Use a random string generator with a 62+ char alphabet and length 32, which gives ~190 bits of entropy — comfortably beyond any brute-force attack.
