Glossary

What Makes a Strong Password?

Password strength is determined by entropy: the base-2 logarithm of the number of candidates an attacker must try in order to guess it. Strong passwords have high entropy, which makes brute-force and dictionary attacks computationally impractical. Understanding what makes passwords strong is essential for securing accounts.

Entropy and Key Space

Entropy (in bits) = log2(character set size ^ password length) = password length × log2(character set size). A 12-character password using only lowercase letters has 26^12 ≈ 2^56 combinations. Adding uppercase doubles the character set: 52^12 ≈ 2^68. Adding digits and symbols (94 characters): 94^12 ≈ 2^79. At 2^79, a GPU array testing 100 billion hashes per second would take thousands of years. Length has a bigger impact than character variety, because each extra character multiplies the key space by the whole set size. Note that this figure only holds when every character is chosen uniformly at random; a password assembled from words or patterns has far less entropy than its length suggests.
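The arithmetic above, worked through in Python as an added example (not part of the original glossary): it computes entropy bits for the three 12-character cases, estimates the average time to find the password at 100 billion guesses per second (an attacker searches half the key space on average), and generates a password with the `secrets` CSPRNG so that the entropy formula actually applies to it. The 1e11 guesses/second rate is the page's figure; the 16-character comparison is an assumption added to illustrate the length-versus-variety point.

```python
import math
import secrets
import string

# Character sets used in the examples above
LOWER = string.ascii_lowercase                                             # 26 characters
LOWER_UPPER = string.ascii_letters                                         # 52 characters
ALL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random from `charset_size`
    characters: log2(charset_size ** length) == length * log2(charset_size)."""
    return length * math.log2(charset_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for an attacker to guess the password at the given rate.
    On average half the key space is searched before the password is found."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_password(length: int, alphabet: str = ALL_PRINTABLE) -> str:
    """Generate a password with the CSPRNG from `secrets`; each character is chosen
    independently and uniformly, which is what entropy_bits() assumes."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1e11  # the page's GPU-array figure: 100 billion guesses per second
    for name, alphabet in (("lowercase", LOWER), ("mixed case", LOWER_UPPER), ("94 printable", ALL_PRINTABLE)):
        bits = entropy_bits(len(alphabet), 12)
        years = expected_crack_seconds(bits, rate) / SECONDS_PER_YEAR
        print(f"12 chars, {name:12s}: {bits:5.1f} bits, ~{years:,.0f} years at {rate:.0e} guesses/s")
    # Length beats variety: 16 lowercase letters carry more entropy than 12 mixed-case letters
    print(f"16 lowercase: {entropy_bits(26, 16):.1f} bits vs 12 mixed case: {entropy_bits(52, 12):.1f} bits")
    print("random 16-character sample:", generate_password(16))
```

Running it prints roughly 56, 68 and 79 bits for the three cases and an estimate on the order of a hundred thousand years for the 94-character set, which is where the "thousands of years" figure comes from.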

Patterns to Avoid

Dictionary words (in any language). Common substitutions such as p@ssw0rd (attackers include leet-speak variants in their dictionaries). Personal information: names, birthdays, pets. Keyboard patterns: qwerty, 123456, asdfgh. Repeated characters: aaabbb. A capitalized word followed by a digit and a punctuation mark, such as Password1! (a pattern many sites' complexity rules accept but attackers specifically target).
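A registration-time checker for the patterns listed above, written in Python as an added example (not from the original page). The wordlist, the leet-substitution map and the keyboard rows are small constructed stand-ins; a production check would use a large breach or dictionary list. The `personal` argument is an assumption: it holds tokens the site already knows about the user (name, birth year, pet) so that they can be rejected.

```python
import re
import string

# Constructed mini wordlist; a real deployment uses a large dictionary/breach list
WORDLIST = {"password", "welcome", "letmein", "dragon", "monkey", "sunshine"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Common leet substitutions, undone before the dictionary comparison
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Lowercase and undo leet substitutions so p@ssw0rd compares equal to password."""
    return pw.lower().translate(LEET_MAP)


def has_keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if the password contains min_len adjacent keys from one keyboard row,
    in either direction (qwer, rewq, 1234, ...)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seg = row[i:i + min_len]
            if seg in low or seg[::-1] in low:
                return True
    return False


def weak_patterns(pw: str, personal: tuple = ()) -> list:
    """Return the names of weak patterns found in pw; an empty list means none."""
    problems = []
    norm = normalise(pw)
    if len(pw) < 12:
        problems.append("too-short")
    if any(word in norm for word in WORDLIST):
        problems.append("dictionary")
    if has_keyboard_run(pw):
        problems.append("keyboard")
    if re.search(r"(.)\1{2,}", pw):               # three or more of the same character in a row
        problems.append("repeat")
    if any(p.lower() in pw.lower() or p.lower() in norm for p in personal if len(p) >= 3):
        problems.append("personal")
    if re.fullmatch(r"[A-Z][a-z]+\d{1,4}[^\w\s]", pw):  # Password1! shape
        problems.append("trailing-punctuation")
    return problems


if __name__ == "__main__":
    samples = ["p@ssw0rd", "Password1!", "qwerty123", "aaabbb", "Fluffy2019", "xK9#mQ2vL!pR7wZa"]
    for s in samples:
        print(f"{s:18s} -> {weak_patterns(s, personal=('Fluffy', '2019')) or 'no weak pattern found'}")
```

The check deliberately normalises before comparing, which is the same trick an attacker's dictionary applies; rejecting these shapes at signup removes the passwords that fall first in an offline attack.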

Password Managers

A password manager stores a unique, randomly generated password for every account. You only remember one master password. This eliminates password reuse, the most common attack vector: if one site is breached, reused passwords expose all other accounts (credential stuffing). Reputable managers: Bitwarden (open source), 1Password, Dashlane, KeePassXC (local). Enable two-factor authentication on the manager itself.

How Passwords Are Stored (and Why It Matters)

Secure sites hash passwords using bcrypt, Argon2, or scrypt with a unique random salt per account. A breach that exposes hashed passwords does not immediately expose plaintext, but weak passwords can still be cracked via GPU brute force, because the attacker can test guesses offline without rate limits. A 6-character password can be cracked in seconds even with bcrypt. Use at least 12–16 random characters.