What Makes a Password Strong (Length Beats Complexity)
The old advice — one capital, one number, one symbol — produced passwords like P@ssw0rd1! that feel strong and crack in minutes. What actually resists attack is simpler: length and randomness.
How cracking actually works
Attackers don’t guess character-by-character; they run billions of attempts per second against leaked password databases, trying dictionary words, common substitutions (@ for a, 0 for o), and every previously breached password. “Clever” substitutions are in the first million guesses. Truly random characters aren’t — each added random character multiplies the search space by ~70.
The practical bar in numbers
| Random length | Mixed-set combinations | Realistic crack time* |
|---|---|---|
| 8 characters | ~6 × 10¹⁴ | Hours |
| 12 characters | ~1 × 10²² | Centuries |
| 16 characters | ~3 × 10²⁹ | Longer than the universe’s remaining stars |
| 20 characters | ~7 × 10³⁶ | Effectively unreachable |
*Order-of-magnitude estimates against offline GPU attacks on a properly hashed database; online login attempts are rate-limited and far slower.
The jump between rows is the whole argument: each character multiplies the search space by ~70. No symbol rule buys anything close to what four more characters buy. That’s why 16 is the sensible default.
The rules that still matter
Unique per site — reuse means one breach unlocks everything, which is the single most common way accounts actually fall. Stored in a password manager — the human brain is for one master passphrase, not fifty random strings. And generated with real randomness, not keyboard walks like qwerty123.
The only safe way to use an online generator
A generator that creates passwords on a server could, in principle, log every password it ever made. The safe design generates locally: the browser’s crypto.getRandomValues produces cryptographically secure randomness on your device, and the password never travels anywhere. If a generator can’t say that, don’t use it.
Questions people ask
Are passphrases like “correct horse battery staple” good?
Four+ truly random words are strong and memorable — excellent for the one master password protecting your manager. Random strings remain better for everything stored in it.
How often should I change passwords?
Only when there’s a reason — a breach or shared access ending. Forced rotation produces weaker, patterned passwords.