~/lokafile / guides / strong-password-guide

What Makes a Password Strong (Length Beats Complexity)

Updated July 2026 · 2 min read · 295 words
8 · hours12 · centuries16 · foreverlengthbeats symbols

The old advice — one capital, one number, one symbol — produced passwords like P@ssw0rd1! that feel strong and crack in minutes. What actually resists attack is simpler: length and randomness.

How cracking actually works

Attackers don’t guess character-by-character; they run billions of attempts per second against leaked password databases, trying dictionary words, common substitutions (@ for a, 0 for o), and every previously breached password. “Clever” substitutions are in the first million guesses. Truly random characters aren’t — each added random character multiplies the search space by ~70.

The practical bar in numbers

Random lengthMixed-set combinationsRealistic crack time*
8 characters~6 × 10¹⁴Hours
12 characters~1 × 10²²Centuries
16 characters~3 × 10²⁹Longer than the universe’s remaining stars
20 characters~7 × 10³⁶Effectively unreachable

*Order-of-magnitude estimates against offline GPU attacks on a properly hashed database; online login attempts are rate-limited and far slower.

The jump between rows is the whole argument: each character multiplies the search space by ~70. No symbol rule buys anything close to what four more characters buy. That’s why 16 is the sensible default.

The rules that still matter

Unique per site — reuse means one breach unlocks everything, which is the single most common way accounts actually fall. Stored in a password manager — the human brain is for one master passphrase, not fifty random strings. And generated with real randomness, not keyboard walks like qwerty123.

The only safe way to use an online generator

A generator that creates passwords on a server could, in principle, log every password it ever made. The safe design generates locally: the browser’s crypto.getRandomValues produces cryptographically secure randomness on your device, and the password never travels anywhere. If a generator can’t say that, don’t use it.

Questions people ask

Are passphrases like “correct horse battery staple” good?

Four+ truly random words are strong and memorable — excellent for the one master password protecting your manager. Random strings remain better for everything stored in it.

How often should I change passwords?

Only when there’s a reason — a breach or shared access ending. Forced rotation produces weaker, patterned passwords.

More guides