GoWin Tools

How to Create a Strong Password — What Actually Makes One Secure

Strong passwords need length, randomness, and unpredictability. Learn what entropy means, why complexity rules fail, and how to create passwords that hold up to real attacks.

Why Most Password Advice Is Wrong

For decades, the standard password advice was: use a capital letter, a number, and a special character. Change your password every 90 days. Never write it down. This advice, codified by NIST in 2003, turned out to be counterproductive. Users responded by making predictable substitutions — P@ssw0rd, S3cur1ty! — that are trivially easy for automated crackers but genuinely hard to remember.

In 2017, NIST reversed much of that guidance. The new recommendation: focus on length, avoid known compromised passwords, and stop forcing arbitrary complexity rules. The science had finally caught up with the reality of how attackers actually crack passwords.

What Makes a Password Strong: Entropy

The security of a password is best described by its entropy, a measure of unpredictability expressed in bits. A password with n bits of entropy would require up to 2^n guesses to crack by brute force.

Entropy comes from two sources: the size of the character set you draw from, and the length of the password. A password drawn from 94 printable ASCII characters has about 6.5 bits of entropy per character. A 12-character password drawn from that set has roughly 78 bits of entropy — assuming the characters are truly random. A 20-character password from the same set reaches about 130 bits.

The catch is the phrase "truly random." A human-chosen password that meets complexity rules but follows a predictable pattern — a word, a name, a date, followed by ! — may have far less effective entropy than its length suggests. Attackers know this, and their tools exploit it.

How Attackers Actually Crack Passwords

Dictionary attacks

The first pass in any password cracking operation is a dictionary attack: try every word in a known wordlist, then every word with common substitutions and suffixes. These wordlists are built from billions of real passwords exposed in data breaches. If your password appears in any major breach, it is in the dictionary. Troy Hunt's Have I Been Pwned database contains over 600 million compromised passwords.

Brute force

When dictionary attacks fail, tools try every possible combination of characters. Modern hardware is frighteningly fast. A single consumer GPU running Hashcat can test around 10 billion MD5 password hashes per second. Against a fast hash, an 8-character password can be cracked in minutes. Against a properly slow hash like bcrypt, the same hardware manages only about 10,000 guesses per second — which is why the hashing algorithm matters as much as the password itself.

Rainbow table attacks

Before cracking tools became GPU-accelerated, attackers precomputed huge tables of hash values for common passwords — called rainbow tables. A properly implemented password storage system uses a salt (a random value added to each password before hashing) to make rainbow tables useless. If a site stores unsalted MD5 hashes, rainbow tables can crack most user passwords in seconds.
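To make the salting point concrete, here is an added example (not code from the original article or from GoWin Tools). It builds a constructed, four-entry "precomputed table" of unsalted MD5 digests, shows that a bare MD5 record is recovered with one dictionary lookup, and contrasts that with salted storage using PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, where two users with the same password get different records. The 600,000 iteration count is OWASP's current PBKDF2-SHA256 recommendation; all passwords in the table are constructed sample values.

```python
import hashlib
import hmac
import os

# OWASP's current recommendation for PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000


def unsalted_md5(password):
    """What a naive site stores: one deterministic digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed toy "rainbow table": precomputed unsalted digests of a few common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED_MD5 = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(md5_hex):
    """Unsalted storage: recovering the password is a single table lookup."""
    return PRECOMPUTED_MD5.get(md5_hex)


def store_password(password, salt=None):
    """Salted, slow hash. Record format: <salt hex>$<digest hex>.
    A fresh 16-byte salt per user means identical passwords yield different records,
    so one precomputed table cannot serve every account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("unsalted md5('password') found:", lookup_unsalted(unsalted_md5("password")))
    a, b = store_password("password"), store_password("password")
    print("same password, two salted records differ:", a != b)
    print("verify correct / wrong:", verify_password("password", a), verify_password("Password", a))
```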

Keyboard walks and patterns

Passwords like qwerty, 123456, asdfghjkl, and zxcvbnm are the first things tested. So are diagonal patterns, number sequences, and dates. If you can describe the pattern you used to create your password in one sentence, an attacker has likely already thought of it.

What "128 Bits of Entropy" Means in Practice

Security professionals often use 128 bits of entropy as a target for long-term secrets because it is computationally infeasible to brute-force even with future hardware improvements. To reach 128 bits using random characters from a 94-character set, you need a password of about 20 characters.

Using a password generator set to 20 characters with uppercase, lowercase, numbers, and symbols produces a password that no current or foreseeable technology can crack by brute force. The risk shifts from cracking to other attack vectors: phishing, credential stuffing, or keyloggers.
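The entropy arithmetic above, the GPU guess rates from the cracking section, and the 128-bit target can all be checked with the following added example (not code from the original article or from the GoWin Tools generator). It computes bits of entropy for the 94-character set, the length needed to reach a target, the expected brute-force time at the article's MD5 and bcrypt rates, the much lower effective entropy of a recipe-built password such as a dictionary word plus a year plus a symbol (a constructed recipe, with assumed slot sizes), and generates a 20-character password with the `secrets` CSPRNG.

```python
import math
import secrets
import string

# The 94-character printable ASCII set the article uses: letters, digits, punctuation.
PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation

# Guesses per second for one consumer GPU, as quoted in the article.
GUESS_RATES = {"md5": 10_000_000_000, "bcrypt": 10_000}


def entropy_bits(length, charset_size=len(PRINTABLE_94)):
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)


def length_for_bits(target_bits, charset_size=len(PRINTABLE_94)):
    """Smallest length whose entropy reaches target_bits (e.g. 128)."""
    return math.ceil(target_bits / math.log2(charset_size))


def pattern_entropy_bits(slot_sizes):
    """Effective entropy once the attacker knows the recipe: one log2 term per slot.
    [10_000, 100, 10] = a word from a 10k list, a two-digit year, one of ten symbols."""
    return sum(math.log2(n) for n in slot_sizes)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: on average half the keyspace, 2^(bits-1) guesses."""
    return 2 ** (bits - 1) / guesses_per_second


def describe(seconds):
    """Human-readable duration for crack-time figures."""
    year = 365.25 * 86400
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def generate_password(length=20, alphabet=PRINTABLE_94):
    """CSPRNG-backed generator: secrets.choice, never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for n in (8, 12, 20):  # uniformly random passwords; human-chosen ones fall far faster
        bits = entropy_bits(n)
        md5_t = describe(expected_crack_seconds(bits, GUESS_RATES["md5"]))
        bcrypt_t = describe(expected_crack_seconds(bits, GUESS_RATES["bcrypt"]))
        print(f"{n} chars: {bits:.1f} bits, MD5 {md5_t}, bcrypt {bcrypt_t}")
    print("Chars needed for 128 bits:", length_for_bits(128))
    print(f"Word+year+symbol recipe: {pattern_entropy_bits([10_000, 100, 10]):.1f} bits effective")
    print("Generated:", generate_password())
```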

Common Mistakes That Undermine Password Strength

  • Predictable substitutions: a→@, e→3, o→0. Cracking tools test these automatically.
  • Appending numbers or symbols: password1, password! are in every dictionary.
  • Using personal information: Names, birth dates, pet names, and phone numbers are tried early in targeted attacks.
  • Reusing passwords: When one site is breached, credential stuffing tools try that password against thousands of other sites automatically.
  • Short passwords: Even random 8-character passwords can be cracked quickly against a fast hash.

The Role of Password Managers

The only realistic way to use strong, unique passwords on every site is to use a password manager. A password manager generates and stores cryptographically random passwords of any length, so you never have to remember them. You only need one strong master password — ideally a long passphrase — to unlock the vault.

NIST's 2017 guidelines explicitly encourage password manager use because the alternative — memorable passwords — is inherently weaker. The advice "make it something you'll remember" is in direct tension with "make it unpredictable."

A 20-character random password stored in a password manager is orders of magnitude more secure than a clever 10-character pattern you can remember. The math is unambiguous.

References

  1. NIST Special Publication 800-63B. (2017). Digital Identity Guidelines: Authentication and Lifecycle Management. National Institute of Standards and Technology.
  2. Hunt, T. (2023). Have I Been Pwned — password research and breach corpus analysis. haveibeenpwned.com.
  3. Ur, B., Bauer, L., Christin, N., et al. (2012). How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. Proceedings of the 21st USENIX Security Symposium.
  4. OWASP. (2024). Authentication Cheat Sheet. Open Web Application Security Project.