What makes a password actually strong?
Forget the old advice about substituting a with @ or sticking a number on the end of your dog's name. Modern password strength comes from two things and two things only: length and randomness.
Length beats complexity
A random 16-character password is more secure than an 8-character password with every symbol type. Each extra character multiplies the search space exponentially — the math overwhelmingly favors longer over fancier.
Time to crack — by length
| 8 chars | 12 chars | ★ Recommended16 chars | 20+ chars | |
|---|---|---|---|---|
| Estimated crack time | Minutes to hours | Centuries | Effectively never | Cosmic timescales |
| Strength rating | Weak | Good | Strong | Very strong |
| Use for | Don't | Low-stakes accounts | Everything | High-security (banking, email) |
Estimates based on a modern GPU array attempting offline brute force. Online attacks are far slower thanks to rate limits.
The 3 password rules that actually matter
- 16+ characters minimum. 20+ for email and banking. The 8-character era is over.
- Unique per site. If one site gets breached, attackers try the same password everywhere else. Reuse turns one breach into ten.
- Use a password manager. Bitwarden (free, open source), 1Password (paid, very polished), or your browser's built-in one. Stop trying to memorize.
The only password you should memorize
Your password manager's master password. Make it a long passphrase — four random words, ~25 characters. Easy for you to remember, impossible to brute force.
FAQ
Are these passwords stored anywhere?
+
No. They're generated in your browser and never sent or logged. Refresh the page and they're gone forever. Save them in a password manager immediately.
Should I include symbols?
+
Yes when allowed — they expand the character space. But length always matters more. A 20-character letters-only password is stronger than a 12-character "complex" one.
What's the safest way to share a password with a coworker?
+
Use a password manager that supports sharing (Bitwarden, 1Password). Never email, Slack, or text a password — those channels often archive forever.
Should I change passwords regularly?
+
Modern NIST guidance: no. Forced rotation leads to weaker passwords (people append numbers). Change only when you have a reason — a breach notification, suspicious activity, or a known reuse.