
Password Strength Analyzer

Analyze password strength with detailed scoring and recommendations

Note: This tool runs entirely in your browser. Passwords are not sent to any server.

Understanding Password Strength

Password strength measures how resistant a password is to guessing and brute-force attacks. Strong passwords are essential for protecting accounts from unauthorized access.

What Makes a Strong Password?

Length

Length is the single most important factor in password strength. Each additional character multiplies the number of combinations an attacker must try, so the time required for a brute-force attack grows exponentially with length.

  • 8-11 characters: Minimum acceptable (but not recommended)
  • 12-15 characters: Good for most purposes
  • 16+ characters: Excellent security
  • 20+ characters: Maximum security for sensitive accounts

Character Diversity

Using multiple character types increases the search space for attackers:

  • Lowercase only (26): Weak search space
  • Lowercase + Uppercase (52): Better, but not sufficient
  • Letters + Numbers (62): Good baseline
  • All types (94+): Excellent search space

Unpredictability

Avoid predictable patterns that attackers commonly test:

  • Dictionary words (even with substitutions like "p@ssw0rd")
  • Sequential characters (abc, 123, xyz)
  • Repeated characters (aaa, 111)
  • Keyboard patterns (qwerty, asdfgh)
  • Personal information (names, birthdays, phone numbers)
  • Common passwords (password, 123456, letmein)

Password Entropy

Entropy measures the randomness and unpredictability of a password in bits. Higher entropy means stronger passwords.

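Entropy = log2(charset_size^length) = length × log2(charset_size)

The formula assumes each character is chosen independently and uniformly at random; a password built from words or patterns has less entropy than its length and character set suggest.

Entropy (bits)   Strength      Example
< 28             Very Weak     8 lowercase letters
28-35            Weak          8 alphanumeric
36-59            Reasonable    10 mixed case alphanumeric
60-127           Strong        12+ mixed with symbols
> 128            Very Strong   20+ mixed characters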

Crack Time Estimates

Modern GPUs can attempt billions of password combinations per second. Assuming 10 billion attempts per second:

Password Type          Length     Time to Crack
Lowercase only         8 chars    Instant (seconds)
Lowercase + numbers    8 chars    Minutes
Mixed case + numbers   8 chars    Hours
All characters         8 chars    Days
All characters         12 chars   Centuries
All characters         16 chars   Millions of years

Password Best Practices

Creating Strong Passwords

  • Use a passphrase: Combine multiple random words (e.g., "correct-horse-battery-staple")
  • Use a password manager: Generate and store complex passwords securely
  • Make it memorable: Create a sentence and use first letters with substitutions
  • Use random characters: Let password managers generate truly random passwords

Password Management

  • Unique passwords: Never reuse passwords across services
  • Regular updates: Change passwords periodically for sensitive accounts
  • Multi-factor authentication: Enable 2FA/MFA whenever possible
  • Secure storage: Use encrypted password managers, never plain text
  • Don't share: Never share passwords via email, chat, or phone

What to Avoid

  • Personal information (birthdays, names, addresses)
  • Common substitutions (@ for a, 0 for o, etc.)
  • Keyboard sequences or sequential numbers
  • Single words from the dictionary
  • Previously breached passwords

For Developers

When implementing password requirements:

  • Enforce minimum length: 12 characters minimum (16+ recommended)
  • Check against breach databases: Use the Have I Been Pwned API
  • Don't enforce complexity: Length is more important than character requirements
  • Allow passphrases: Support spaces and long passwords (64+ chars)
  • Hash properly: Use Argon2, bcrypt, or scrypt (never plain MD5/SHA)
  • Rate limit attempts: Prevent brute-force attacks
  • Never store plain text: Always hash with salt
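
One way to implement the length and breach-check items above, as an added example that is not code from this tool. It uses the Pwned Passwords range endpoint, where only the first five hex characters of the password's SHA-1 leave the server; `fetch_range`, `fake_fetch`, `MAX_LENGTH` and the sample response are assumptions constructed for illustration.

```python
import hashlib

MIN_LENGTH = 12   # minimum length from the list above
MAX_LENGTH = 128  # assumption: any upper cap must stay well above 64

def hibp_split(password):
    """SHA-1 the password; only the 5-character prefix is sent to the API."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Look up our suffix in a range response of 'SUFFIX:COUNT' lines."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padded responses include entries with count 0
    return 0

def check_password(password, fetch_range):
    """Return a list of policy problems; an empty list means acceptable.
    fetch_range(prefix) is a hypothetical callable returning the response body;
    in production it would GET https://api.pwnedpasswords.com/range/<prefix>.
    """
    problems = []
    # Length is the only composition rule: spaces allowed, nothing stripped.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    prefix, suffix = hibp_split(password)
    seen = breach_count(suffix, fetch_range(prefix))
    if seen:
        problems.append(f"found in breach data ({seen} times)")
    return problems

# Constructed sample response for prefix 5BAA6. The counts and the first two
# suffixes are made up; the third is the SHA-1 suffix of "password".
SAMPLE_RANGES = {
    "5BAA6": "00000000000000000000000000000000001:3\r\n"
             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999\r\n",
}

def fake_fetch(prefix):
    """Offline stand-in for the HTTP request, used to run the example."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    print(check_password("password", fake_fetch))
```

The suffix comparison happens locally, so the service never sees the full hash, and a password that passes both checks still has to be hashed with Argon2, bcrypt, or scrypt before storage.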

Quick Tips

Recommended Password Managers

  • Bitwarden (open source)
  • 1Password
  • LastPass
  • KeePass (offline)

Password Strength Checklist

  • At least 12 characters
  • Mix of character types
  • No dictionary words
  • No personal information
  • Unique for each service
  • Enable 2FA/MFA

Passphrase Example

Method: Diceware

Example: "correct-horse-battery-staple"

Strength: ~44 bits (4 words)

Benefit: Easy to remember, hard to crack

Warning

This tool estimates password strength but cannot guarantee security. Real-world attacks may use dictionary lists, leaked databases, and social engineering. Always use unique passwords and enable multi-factor authentication.