How to Create a Strong Password (Why Length Beats Complexity)
8 min read · Updated 2026-06-18
You have seen the advice: use uppercase letters, lowercase letters, numbers, and special characters. Many websites enforce it. Yet security researchers have known for years that this guidance often backfires, producing predictable substitutions like "P@ssw0rd!" that crack almost as quickly as "password." The fundamental metric of password security is entropy — and length contributes far more to it than character variety.
What Is Password Entropy?
Entropy in the context of passwords means unpredictability — how hard it is for an attacker to guess your password by trying combinations systematically. It is measured in bits: each additional bit of entropy doubles the number of guesses required.
The formula is simple: entropy = log₂(possible characters) × password length. A password drawn from 26 lowercase letters only has log₂(26) ≈ 4.7 bits per character. Expanding to 94 printable ASCII characters gives log₂(94) ≈ 6.6 bits per character. Adding length multiplies entropy: a 20-character lowercase password has more entropy (94 bits) than a 10-character mixed-symbol password (66 bits).
Why Complexity Rules Often Fail
When forced to include a symbol, most people pick predictable ones: ! at the end, @ as a substitute for a, $ for s, 1 or 0 for o. Modern cracking tools (based on real-world password breach databases) test these substitution patterns automatically. A password like "D0g!2024" might meet complexity requirements but falls almost instantly to a rules-based cracking attack because the pattern is so common.
The 2017 NIST Digital Identity Guidelines (SP 800-63B) explicitly moved away from mandatory complexity rules, recommending instead that organizations focus on password length and check against known-compromised password lists. Many security-conscious organizations have updated their policies accordingly.
Passphrases: Memorable and Strong
A passphrase is a sequence of random words: "correct horse battery staple" (famously illustrated by XKCD #936). Four random common English words from a 2000-word list give roughly 44 bits of entropy. Six words give roughly 66 bits. A six-word passphrase is far harder to crack than "P@ssw0rd!" and dramatically easier to remember.
The key word is "random." Passphrases only work if the words are chosen randomly, not based on a phrase you already know. "I love my cat Fluffy" is not a secure passphrase — it is a sentence that reflects personal information, which narrows the search space dramatically.
How Attackers Try to Crack Passwords
Dictionary Attacks
Attackers start with lists of real passwords from data breaches (billions of real passwords have been exposed and compiled into cracking wordlists), common words, and known substitution patterns. These attacks are extremely fast for short, predictable passwords.
Brute Force Attacks
If dictionary attacks fail, attackers try every combination systematically. Modern GPU clusters can test billions of password hashes per second. At 10 billion guesses per second, a 6-character mixed-case password (52 characters × 6 positions = 19.8 billion combinations) falls in about 2 seconds.
Credential Stuffing
If your email-and-password combination was exposed in a data breach (have I been pwned? can check), attackers try it on every major service automatically. This is why reusing passwords across services is catastrophically risky — one breach compromises all your accounts.
Practical Password Recommendations
- Use a unique password for every account — password reuse is the biggest practical risk
- Make passwords at least 16 characters long for important accounts
- Use a password manager (Bitwarden, 1Password, KeePass) to remember them all
- Generate passwords randomly, either with a tool or your password manager
- Enable two-factor authentication (2FA) wherever available — it matters more than password complexity for many attacks
- Never use personal information (names, birthdays, pet names) in passwords
Generate a Strong Random Password
How Long Should Passwords Be in 2026?
For most online accounts protected by a rate-limiting login page: 12+ characters of random characters is sufficient. For accounts where the password hash might be stolen (allowing offline cracking): 16–20+ characters. For high-value accounts like your email, password manager master password, and bank: use the longest password the service allows, stored only in your memory or your password manager.
Frequently asked questions
Is a 12-character password strong enough?
A 12-character random password using uppercase, lowercase, digits, and symbols has about 79 bits of entropy. This is computationally infeasible to crack by brute force and strong against most practical attacks. For very high-value accounts, 16–20 characters provides a larger margin.
Is a passphrase better than a random password?
A long random passphrase (6+ words) provides comparable or superior entropy to a complex short password and is easier to memorize. However, if you use a password manager, there is no memorability benefit to a passphrase — a fully random 16+ character string is just as good and simpler to generate.
Should I change my passwords regularly?
Modern guidance (NIST SP 800-63B) recommends against forced periodic password changes, which tend to produce predictable incremental modifications ("Password1" → "Password2"). Instead, change passwords promptly when a service reports a breach or when you suspect compromise.
Does using symbols make a password significantly stronger?
Modestly. Expanding from 62 characters (letters + digits) to 94 characters (all printable ASCII) adds about 0.6 bits of entropy per character. Adding just 2 more characters to the password length provides more entropy than switching from alphanumeric-only to full symbol use.
What makes a bad password even if it is long?
Length only helps if the password is unpredictable. "aaaaaaaaaaaaaaaaaa" is 18 characters but zero entropy. Lyrics, quotes, personal information, and keyboard patterns (qwertyuiop) are also weak regardless of length because they are tested early by cracking tools.