What Makes a Strong Password — and How to Remember Them
Breach reports consistently find that most hacking-related data breaches involve stolen, weak or reused passwords (Verizon's 2017 Data Breach Investigations Report put the share at 81%). Yet advice like "use a capital letter, a number, and a special character" has led millions of people to create passwords like Password1! that are trivially predictable: cracking tools try exactly that pattern first. This article explains what genuinely makes a password hard to crack, and gives you practical strategies that work in real life.
How Attackers Crack Passwords
Understanding the attack helps you understand the defence. The two main approaches are:
- Dictionary attacks: Automated tools try millions of words, common phrases, keyboard patterns (qwerty, 123456), names, and dates, typically run through "mangling rules" that capitalise the first letter, append a digit or a year, or apply substitutions such as "a" to "@". If your password is a word you could find in a dictionary, or a predictable modification of one, it falls within the first few billion guesses and is cracked in seconds.
- Brute-force attacks: The attacker tries every possible combination of characters. The time this takes grows exponentially with password length and multiplicatively with character variety. Against a leaked hash computed with a fast algorithm such as MD5, SHA-1 or NTLM, a single modern GPU tests billions of guesses per second; a deliberately slow algorithm (bcrypt, scrypt, Argon2) cuts that to tens of thousands. You cannot see which a site uses, so choose passwords that survive the fast case.
Both attacks run offline against a stolen hash database, where there is no rate limit or lockout; the login form itself is a far slower target. After a major breach, the leaked credentials are traded on criminal forums and replayed in bulk against other sites ("credential stuffing"). If you reuse a password across sites, one breach compromises all of them.
Entropy: Why Length Beats Complexity
Password strength is measured in entropy: the number of bits of randomness, where each extra bit doubles the number of possibilities an attacker must try. A password of n characters chosen uniformly at random from an alphabet of s symbols has n × log2(s) bits, so every added character contributes about 4.7 bits from lowercase letters alone or 6.6 bits from all 94 printable ASCII characters. Adding a character class to a short password gains far less than adding a few more characters does. The catch is that this arithmetic only holds for random choices: a human-chosen password is only as strong as the effort an attacker needs to reproduce the choice, not the size of the character set.
Consider two passwords (the figures are the widely quoted estimates from the xkcd comic "Password Strength"):
- Tr0ub4dor&3: 11 characters mixing upper/lower/digit/symbol. The 94-symbol arithmetic says 72 bits, but it is a dictionary word with a capital, two substitutions and a symbol-digit suffix, which is exactly what mangling rules generate. Effective entropy: roughly 28 bits.
- correct-horse-battery-staple: 28 characters, four words chosen at random from a list of about 2,000 common words (11 bits each). Easy to say aloud, easy to type on a phone, memorable. Entropy: roughly 44 bits, despite containing only lowercase letters, and each extra word adds another 11.
The second is both stronger and easier to remember, provided the words really were picked at random. The strength is in the selection, not the words: this exact phrase now appears in every cracking wordlist, so never use it. This insight, popularised by xkcd in 2011 and adopted in NIST's revised guidelines (SP 800-63B, 2017), which drop composition rules in favour of length and checks against breached-password lists, changed how security professionals think about passwords.
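The arithmetic above, worked through in code as an added example (not part of the article). The guess rates are illustrative assumptions: 10^12 per second for a GPU rig against a fast unsalted hash, 10^5 per second against a slow hash such as bcrypt. It shows why the naive character-set formula over-rates Tr0ub4dor&3, and how the hash algorithm alone moves the crack time for the same 44-bit passphrase from seconds to years.

```javascript
// Added example (not from the original article): entropy and time-to-crack
// estimates for the passwords discussed above. The guess rates are assumptions
// chosen for illustration, not measurements of any particular hardware.

// Entropy of `length` characters drawn uniformly at random from an alphabet of
// `alphabetSize` symbols. Each character contributes log2(alphabetSize) bits,
// so entropy grows linearly with length.
function charsetBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Entropy of `words` words drawn uniformly at random from a list of `listSize`
// words. Only the random selection counts; the words themselves add nothing.
function passphraseBits(words, listSize) {
  return words * Math.log2(listSize);
}

// Expected time in years to find the password, assuming the attacker must try
// half of the 2^bits possibilities on average at `guessesPerSecond`.
function expectedCrackYears(bits, guessesPerSecond) {
  const seconds = Math.pow(2, bits - 1) / guessesPerSecond;
  return seconds / (365.25 * 24 * 3600);
}

// Assumed guess rates: a GPU rig against a fast unsalted hash such as MD5 or
// NTLM, versus a slow, tunable hash such as bcrypt at a high cost factor.
const RATES = { fastHash: 1e12, slowHash: 1e5 };

function summarize(label, bits) {
  return {
    label,
    bits: Math.round(bits * 10) / 10,
    yearsFastHash: expectedCrackYears(bits, RATES.fastHash),
    yearsSlowHash: expectedCrackYears(bits, RATES.slowHash),
  };
}

const CANDIDATES = [
  // Treating Tr0ub4dor&3 as 11 random printable characters gives ~72 bits...
  summarize('11 random chars from 94 printable ASCII', charsetBits(11, 94)),
  // ...but a dictionary word with standard substitutions is what attackers
  // model, and the article quotes about 28 bits for that.
  summarize('Tr0ub4dor&3 as attackers actually model it', 28),
  summarize('4 random words from a 2048-word list', passphraseBits(4, 2048)),
  summarize('5 random words from the 7776-word Diceware list', passphraseBits(5, 7776)),
  summarize('20 random chars from 94 printable ASCII', charsetBits(20, 94)),
];

for (const c of CANDIDATES) {
  console.log(
    `${c.label}: ${c.bits} bits; expected crack time ` +
      `${c.yearsFastHash.toExponential(2)} years (fast hash), ` +
      `${c.yearsSlowHash.toExponential(2)} years (slow hash)`
  );
}
```

Two things to read off the output: the 44-bit passphrase falls in seconds against a fast hash but takes years against bcrypt, so the site's hashing matters as much as your choice; and 20 random printable characters (about 131 bits) exceed the age of the universe even at the fast rate.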
The Rules That Actually Matter
- Length is the most important factor, provided the characters or words are chosen at random. Aim for at least 16 characters. For high-value accounts (banking, email, work systems) go to 20+ characters; email deserves special care because it is the recovery channel for everything else.
- Use random generation, not personal words. Birthdays, pet names, favourite teams, and addresses are easy for people who know you to guess, and they appear in targeted attacks and social engineering.
- Never reuse passwords. One password per site, every time. Reuse is the single biggest real-world password risk.
- Enable two-factor authentication (2FA) everywhere you can. Even a decent password is significantly safer with a second factor. Prefer an authenticator app (Google Authenticator, Authy) over SMS where possible, because SIM-swap attacks can intercept SMS codes; a hardware security key or passkey is better still, since there is no code for a phishing page to capture.
How to Manage Hundreds of Unique Passwords
The honest answer is: use a password manager. Tools like Bitwarden (free, open source), 1Password, or the built-in managers in iOS/Android/Chrome generate, store, and auto-fill strong unique passwords for every site. You only need to remember one strong master password.
If you prefer not to use a password manager, a practical alternative for important accounts is the passphrase method: pick 4–5 truly random words using dice (the Diceware method, which maps five dice rolls to one of 7,776 words) or a random word generator, not words you chose from memory, and separate them with a symbol or number. Each Diceware word is worth about 12.9 bits, so five words give roughly 64 bits. Write the passphrase on paper and store it somewhere physically secure: a locked drawer at home, not your phone's notes app.
Habits That Do Not Improve Security
- Changing passwords regularly (without a breach). Forced periodic changes push users into predictable patterns such as incrementing a number at the end. NIST (SP 800-63B) now recommends changing a password only when there is evidence of compromise.
- Swapping in symbols such as @ for a. Cracking tools apply these substitutions as standard rules, so Tr0ub4dor is not meaningfully harder to crack than Troubador.
- Answering security questions truthfully, or with your password. Honest answers (mother's maiden name, first school) are often public or guessable and make the questions a weaker way in than the password itself; reusing the password there simply doubles its exposure. Use random strings as answers and store them in your password manager.
Generate a Strong Password Instantly
The SantoshTec Password Generator runs entirely in your browser; no data is sent to any server. You can choose the length, toggle character types, and copy the result with one click. Whatever generator you use, check that it draws its randomness from a cryptographically secure source (in a browser, crypto.getRandomValues, never Math.random) and picks each character uniformly. For most purposes, a 20-character mix of letters, digits and symbols (about 131 bits) gives protection that would take far longer than the age of the universe to brute-force, even at a trillion guesses per second.
Try these free tools mentioned in this article: