Skip to content

What makes a strong password

By the Password Rangers teamUpdated 7 min read

A strong password is one an attacker can't guess faster than brute force, and brute force takes too long to matter. That comes down to entropy: the number of equally likely possibilities someone has to try. Entropy grows with length and with the size of the character pool, and it collapses the moment any part of the password becomes predictable.

That one sentence explains almost everything about password strength. The rest of this guide is the math behind it, why the familiar "one uppercase, one number, one symbol" rules measure the wrong thing, and what to actually do about it.

Entropy, explained with coin flips

Entropy measures unpredictability, in bits. One bit equals one fair coin flip: two equally likely outcomes. Every additional bit doubles the number of possibilities an attacker must work through. So 20 bits is about a million guesses, 40 bits is about a trillion, and 60 bits is a million trillion. Small increases in bits mean enormous increases in work.

For a truly random password, the entropy is easy to compute: each character drawn from a pool of 86 (letters, digits, and symbols) adds about 6.4 bits. A 12-character random password from that pool has 77 bits. Nobody guesses that by trying birthdays.

To turn bits into time, you need an attack model. Across this site we assume a serious offline attacker who has stolen a database of password hashes and can test 10 billion guesses per second on GPU hardware, finding the password after searching half the keyspace on average. That's a deliberately pessimistic model. Here's what it does to random passwords built from the full 86-character pool:

LengthEntropyAverage time to crack
8 characters51 bitsAbout 2 days
10 characters64 bitsAbout 35 years
12 characters77 bitsAbout 259,000 years
14 characters90 bitsAbout 2 billion years
16 characters103 bitsAbout 14 trillion years
20 characters129 bitsLonger than the universe has existed

Notice the jumps. Going from 8 to 12 characters takes you from days to hundreds of thousands of years. Each character multiplies the work by 86. That's the whole trick.

Why complexity rules mislead

Composition rules (at least one uppercase, one digit, one symbol) don't make passwords strong. They make people predictable in a new way. P@ssw0rd1! satisfies every checkbox on every signup form and falls to a wordlist attack in seconds, because cracking tools apply the exact same substitutions humans do.

When a form demands a capital letter, most people capitalize the first character. When it demands a digit or symbol, most people append one at the end, usually 1 or !. Swapping @ for a and 0 for o feels clever, but those l33t substitutions have been standard entries in cracking rule sets for two decades. An attacker doesn't brute-force P@ssw0rd1! character by character. They take "password" from a wordlist, run it through a few thousand mangling rules, and hit it almost instantly. Its checkbox score is perfect. Its effective entropy is close to zero.

The standards bodies caught up to this. NIST SP 800-63B, the US government's guideline for digital identity, now tells verifiers not to impose composition rules at all. It also drops scheduled password rotation unless there's evidence of compromise. Length and randomness do the work; forced complexity mostly forces bad habits.

What each character class actually buys

The value of a character depends on the pool it's drawn from. Lowercase only gives 26 options per character, about 4.7 bits. Adding uppercase doubles the pool to 52, about 5.7 bits per character. Digits bring it to 62, and common symbols to roughly 86, about 6.4 bits per character. Each addition helps, but less than people assume.

Character poolPool sizeBits per character12 random characters
Lowercase only264.756 bits
Upper and lowercase525.768 bits
Letters and digits626.071 bits
Letters, digits, symbols866.477 bits

Look at the last column. Adding symbols to a 12-character letters-and-digits password buys 6 bits. Adding two more characters instead buys 12. Length pays roughly double what widening the pool pays, and it never fights with a site's input restrictions. A 16-character letters-and-digits password has 95 bits, about 76 billion years in our attack model. So if a site blocks symbols, don't fight it. Use the alphanumeric password generator and add a couple of characters. Our guide on how long a password should be works through the length question in more detail.

Predictability is the real killer

All of the math above assumes every character is genuinely random. The moment part of a password is predictable, its effective entropy drops to whatever the attacker actually has to guess, not the theoretical maximum. A 20-character password built from your dog's name and a birth year looks strong on paper and can fall in minutes.

Cracking tools don't start with brute force. They start with what people actually pick: dictionary words in dozens of languages, first names, sports teams, dates from 1940 to the present, keyboard walks like qwerty and 1qaz2wsx, and every password from every known breach. Tools such as Hashcat ship rule engines distilled from billions of leaked passwords, so capitalizing, appending 123, or tacking on the current year is already priced in. Human "randomness" is a well-mapped territory.

Asking a chatbot for a password has the same flaw. A model that predicts plausible text gravitates toward the same memorable-looking strings for every user, and cracked-password research from 2026 bears that out. Our guide on using AI to generate passwords covers this in detail. Short version: don't.

Reuse is the cheapest attack of all. If your email password also protects your bank, a breach at any random forum hands attackers a key they'll try everywhere, a technique called credential stuffing. No cracking required. A reused strong password is a weak password.

What this means in practice

Use 16 random characters for anything a password manager fills for you, or 5 to 6 random words for anything you must type or remember. Generate them with a real random source, never your imagination, and give every account its own. That covers essentially every practical threat.

The numbers back this up. NIST recommends at least 15 characters for accounts protected by a password alone, and CISA suggests 16 or more, or a memorable passphrase of 4 to 7 unrelated words. Our free strong password generator builds passwords in your browser with the Web Crypto API. Nothing leaves your device, which you can verify in the network tab of your browser's developer tools.

For passwords you'll type by hand, the passphrase generator picks random words from the EFF wordlist. Five words gets you 52 bits, six words 62 bits, roughly 8 years even against our offline attacker, and far longer against a rate-limited login screen. Then store everything in a password manager and turn on two-factor authentication where it's offered.

Curious where your current passwords stand? Run one through the free password strength checker. It estimates entropy and crack time using the same math as this article, entirely in your browser.