What Makes a Password Strong in 2026
Most password advice repeats the same shallow rules — add a capital, throw in a symbol — without explaining why those rules barely matter anymore. This guide covers the actual mechanics: how entropy determines crack time, why a 20-character lowercase passphrase destroys an 8-character "complex" password, and what attackers are really doing when they try to crack your credentials.
Entropy: The One Number That Actually Matters
Password strength reduces to a single concept: entropy, measured in bits. One bit of entropy means an attacker has a 50/50 guess. Every additional bit doubles the search space.
The formula is straightforward: if your password draws from an alphabet of N symbols and has length L, the entropy is log2(N^L) = L × log2(N) bits.
- Lowercase only (26 chars): each character adds 4.7 bits
- Mixed case (52 chars): each character adds 5.7 bits
- Full printable ASCII (95 chars): each character adds 6.6 bits
A modern GPU cluster running bcrypt at moderate cost can test around 100,000 hashes per second. An MD5-hashed password database — still common in leaked datasets — can be attacked at 100 billion guesses per second on commodity hardware. At that rate, 40 bits of entropy falls in under 3 hours. 60 bits takes about 36 years. 80 bits is effectively unbreakable for any attacker without nation-state budgets.
The practical takeaway: aim for at least 70–80 bits of entropy for any account you care about.
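The entropy formula and the two guess rates above are enough to compute crack-time estimates yourself. The following Python is an added example (not code from the original page); it takes the 26/52/95-symbol alphabets and the 100 billion/s (MD5) and 100,000/s (bcrypt) rates from the text as constants, and reports how many characters each alphabet needs to reach a target like 80 bits.

```python
import math

# Guess rates quoted in the text above (guesses per second): unsalted MD5 on
# commodity GPUs versus bcrypt at a moderate cost factor.
MD5_GUESSES_PER_SEC = 100_000_000_000
BCRYPT_GUESSES_PER_SEC = 100_000

# Alphabet sizes from the bullet list above.
ALPHABETS = {"lowercase": 26, "mixed_case": 52, "printable_ascii": 95}


def bits_per_char(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly random symbol: log2(N)."""
    return math.log2(alphabet_size)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """L * log2(N) for `length` symbols drawn uniformly from an alphabet of N.

    This is the ceiling for a truly random password; a human-chosen one is weaker.
    """
    if length < 1 or alphabet_size < 2:
        raise ValueError("need at least one symbol from an alphabet of size >= 2")
    return length * math.log2(alphabet_size)


def required_length(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches `target_bits` for the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate (2**bits guesses); the expected time is half of this."""
    return 2.0 ** bits / guesses_per_second


def human_duration(seconds: float) -> str:
    """Express a duration in the largest convenient unit, e.g. '1.5 minutes'."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_time_table(bits: float) -> dict:
    """Exhaustive-search time at both hash speeds for a given entropy."""
    return {
        "md5": human_duration(seconds_to_exhaust(bits, MD5_GUESSES_PER_SEC)),
        "bcrypt": human_duration(seconds_to_exhaust(bits, BCRYPT_GUESSES_PER_SEC)),
    }


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name:16s} {bits_per_char(size):.2f} bits/char, "
              f"{required_length(80, size)} chars needed for 80 bits")
    for bits in (40, 60, 80):
        print(f"{bits} bits:", crack_time_table(bits))
```

`required_length` is the number a policy author actually needs: 80 bits takes 18 random lowercase characters but only 13 random printable-ASCII characters. `seconds_to_exhaust` reports the worst case for the attacker (every candidate tried); halve it for the average.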
Length Beats Complexity — Every Time
Compare two passwords: P@ssw0rd! (9 characters, full ASCII alphabet) versus correcthorsebatterystaple (25 lowercase characters).
- P@ssw0rd!: 9 × 6.6 = 59.4 bits — but it matches a known leet-speak pattern, dropping real-world entropy far lower
- correcthorsebatterystaple: 25 × 4.7 = 117.5 bits — and it matches no dictionary pattern
The 9-character password feels strong because it has symbols and a capital letter. It is not. Crackers have extensive rule sets — capitalize the first letter, substitute 3 for e, append an exclamation mark — that enumerate those transformations in milliseconds.
Adding one more character to a password is always more valuable than switching a letter to a symbol, because length multiplies entropy while complexity only adds a constant increment.
How Modern Crackers Actually Work
Attackers do not randomly guess characters. They work through a hierarchy of increasingly expensive attacks:
- Credential stuffing — trying username/password pairs from previous breaches directly. No cracking required. This is why password reuse is catastrophic.
- Dictionary attacks — wordlists of millions of common passwords, proper nouns, and phrases from leaked databases like RockYou (14 million entries) and Have I Been Pwned (over 10 billion hashes).
- Rule-based mutation — applying transformation rules to dictionary words: capitalization, leet substitutions, appending years (2024, 2025, 2026), prepending/appending symbols. Tools like Hashcat ship with thousands of such rules.
- Markov chain and PCFG attacks — statistical models trained on real passwords that generate guesses weighted by how humans actually construct passwords. These catch patterns like adjective + noun + number.
- Brute force — only used for short passwords (under 10 characters) or when other methods fail. At 95^8 combinations, an 8-character full-ASCII password has roughly 7 quadrillion possibilities — sounds large, but hardware handles this in hours for weak hash algorithms.
The implication: any password that follows a predictable human pattern — even a complex-looking one — is far weaker than its raw character count suggests.
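The same cheap rules an attacker enumerates can be run in reverse as a defensive screen at password-set time: undo case changes, leet substitutions and appended years or symbols, then look the base word up in a breach-derived wordlist. The Python below is an added example, not code from the original page. The seven-entry `COMMON_WORDS` set is a constructed stand-in for a list like RockYou, and the 10,000-rule count in `rule_hit_entropy_bits` is an assumed order of magnitude for "thousands of rules".

```python
import math
import re

# Constructed stand-in for a breach-derived wordlist (a real screen loads millions of
# entries into a set for O(1) lookup).
COMMON_WORDS = {"password", "welcome", "dragon", "summer", "letmein", "monkey", "qwerty"}

# Undo the leet substitutions that rule sets enumerate (3 -> e, @ -> a, ...).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def base_word(candidate: str) -> str:
    """Reverse the cheap mutations: case, leading symbols, trailing digits/symbols, leet."""
    core = candidate.lower()
    core = re.sub(r"^[^a-z0-9@$]+", "", core)  # leading punctuation such as '!!'
    core = re.sub(r"[^a-z]+$", "", core)        # trailing '2026', '!', '123', '&3'
    return core.translate(UNLEET)


def screen(candidate: str, wordlist=COMMON_WORDS):
    """Return (rejected, base). Rejected means a wordlist entry plus cheap rules yields it."""
    base = base_word(candidate)
    return (base in wordlist, base)


def rule_hit_entropy_bits(wordlist_size: int, rule_count: int) -> float:
    """Rough effective entropy of a password a rule-based attack finds: the attacker's
    search space is (words x rules), not (alphabet ** length)."""
    return math.log2(wordlist_size) + math.log2(rule_count)


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Summer2026!", "!!W3lc0me123", "correcthorsebatterystaple"):
        rejected, base = screen(pw)
        print(f"{pw:28s} base={base:28s} rejected={rejected}")
    # RockYou-sized list (14 million, from the text) x an assumed 10,000 rules.
    print(f"effective bits for a rule hit: {rule_hit_entropy_bits(14_000_000, 10_000):.1f}")
```

A 9-character "complex" password that this screen reduces to `password` sits in a search space of roughly 37 bits (14 million words times an assumed 10,000 rules), far below the 59 bits its character count suggests. The screen covers only the rule-based layer: a human-chosen phrase of common words passes it, which is what the Markov and PCFG models in the list above are built to catch.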
Passphrases: High Entropy, Actually Memorable
A passphrase strings together random words. The EFF large wordlist contains 7,776 words (6 dice rolls selects one word). Each word adds log2(7776) ≈ 12.9 bits of entropy.
- 4-word passphrase: 51.7 bits — marginal for high-value accounts
- 5-word passphrase: 64.6 bits — acceptable for most sites with a good hash
- 6-word passphrase: 77.5 bits — strong against any realistic attack
The critical requirement is random selection — rolling dice or using a generator, not picking words yourself. Human-chosen passphrases cluster around familiar words and phrases, which attackers already model. sunshine-mountain-coffee is a terrible passphrase. Six randomly selected words from a 7,776-word list is not.
Passphrases have a practical advantage: they are easier to type and remember than xK9#mQ2$vL, which means users are less likely to write them down or reuse them.
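Random selection is the whole point, so the generator must draw from a cryptographically secure source. The Python below is an added example, not code from the original page or from the EFF: it generates a Diceware-style passphrase and a random character password with the `secrets` module and reports the entropy of each. `DEMO_WORDLIST` is a constructed 32-word stand-in for the 7,776-word EFF large list (only the list size enters the entropy calculation), and `FULL_ALPHABET` is printable ASCII without the space character, 94 symbols.

```python
import math
import secrets
import string

# Constructed stand-in for the EFF large wordlist so the code runs offline. A real
# deployment loads the published 7,776-word list; 32 words give only 5 bits per word.
DEMO_WORDLIST = [
    "acorn", "basin", "cider", "dune", "ember", "fjord", "gable", "helix",
    "ivory", "jumbo", "kayak", "lunar", "mango", "noble", "oxide", "pixel",
    "quartz", "raven", "sable", "tundra", "umber", "vivid", "waltz", "xenon",
    "yeast", "zephyr", "amber", "bramble", "cobalt", "drizzle", "falcon", "garnet",
]
EFF_LARGE_WORDLIST_SIZE = 7776

# Printable ASCII minus the space character, which many sites reject: 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Each independently and uniformly chosen word adds log2(wordlist_size) bits."""
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """L * log2(N) for a uniformly random character password."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: list, n_words: int, sep: str = "-") -> str:
    """Diceware-style: secrets.randbelow plays the dice, so the OS CSPRNG picks each word."""
    return sep.join(words[secrets.randbelow(len(words))] for _ in range(n_words))


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Random string from the OS CSPRNG; random.choice is not acceptable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} EFF words: {passphrase_entropy_bits(n, EFF_LARGE_WORDLIST_SIZE):.1f} bits")
    print("words for 80 bits:", words_needed(80, EFF_LARGE_WORDLIST_SIZE))
    print("demo passphrase :", generate_passphrase(DEMO_WORDLIST, 6),
          f"({passphrase_entropy_bits(6, len(DEMO_WORDLIST)):.0f} bits with the demo list)")
    pw = generate_password(20)
    print("random password :", pw, f"({password_entropy_bits(20, len(FULL_ALPHABET)):.1f} bits)")
```

Swapping in the real EFF list is the only change needed for production use; the entropy reported for the demo list is deliberately low (30 bits for six words) because a 32-word list is only there to make the code runnable.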
Password Comparison: Strength at a Glance
| Password | Length | Raw Entropy | Real-World Strength | Crack Time (100B/s MD5) |
|---|---|---|---|---|
| password | 8 | 37.6 bits | Very weak — top 10 list | < 1 second |
| P@ssw0rd1 | 9 | 59.4 bits | Weak — rule-based hit | Seconds to minutes |
| Tr0ub4dor&3 | 11 | 72.6 bits | Moderate — memorable but patterned | Hours to days |
| j7$Kp!2mXqL | 11 | 72.6 bits | Good — random, no pattern | Months (MD5), centuries (bcrypt) |
| 6-word EFF passphrase | ~30 | 77.5 bits | Strong — random, memorable | Millennia at any hash speed |
| 20-char random (full ASCII) | 20 | 132 bits | Excellent | Physically impossible |
Password Managers: The Only Practical Solution
The human brain cannot memorize unique 80-bit-entropy passwords for 200 accounts. Anyone claiming otherwise is either reusing passwords or writing them down insecurely. A password manager solves this by requiring you to remember exactly one strong master password while generating and storing cryptographically random passwords for everything else.
What to look for in a password manager:
- Zero-knowledge architecture — the provider never sees your vault in decrypted form. Your master password never leaves your device.
- Open-source or independently audited — closed-source security claims are unverifiable.
- Support for TOTP/2FA — a strong password plus a second factor stops credential stuffing even when your password is leaked in a breach.
- Breach monitoring — automatic alerts when a stored credential appears in known leaked databases.
The master password for your manager should be a long, randomly generated passphrase — 6 to 8 words minimum. It needs to be something you can type from memory, because losing access to your manager without the master password is a genuine recovery problem.
Practical Rules for 2026
Synthesizing the above into actionable guidance:
- Minimum 16 characters for any account; 20+ for email, banking, and password manager master passwords.
- Use a generator — human-chosen passwords are predictably patterned. Let a tool provide real randomness.
- Never reuse passwords — once a site is breached, every account sharing that password is compromised. Credential stuffing attacks are automated and immediate.
- Enable 2FA everywhere it is offered — time-based one-time passwords (TOTP) render stolen passwords useless without physical access to your second factor.
- Check for breaches — services like Have I Been Pwned index billions of leaked credentials. If your password appears there, it is worthless regardless of its theoretical entropy.
- Avoid periodic forced rotation — forcing password changes every 90 days causes users to make predictable incremental changes (Password1→Password2). Change passwords when there is a specific reason: a breach, a shared account split, a suspected compromise.
The password generator on this page creates cryptographically random strings using your specified length and character set, with an entropy readout so you can see exactly what you are getting. Set the length to 20 or more, enable all character classes, and store the result in your password manager.
Frequently Asked Questions
How long does it take to crack a 12-character password?
It depends on the hashing algorithm and hardware, but a 12-character fully random password using the full ASCII set has about 79 bits of entropy — which takes centuries at modern GPU speeds against bcrypt. Against a weak hash like MD5, the same password falls in days to weeks. Algorithm choice matters as much as password length.
Is a passphrase actually stronger than a random string of characters?
It depends on length. A 6-word random passphrase (~77 bits) is stronger than an 11-character random ASCII string (~72 bits), and it is far more memorable. For 20+ character random strings, the character-based approach wins on raw entropy per character. Both are strong enough for practical purposes — use whichever format your password manager stores reliably.
Do I need symbols and numbers in my password?
They help marginally — each character drawn from a larger alphabet adds slightly more entropy per position. But adding length does more work. A 20-character lowercase password (94 bits) is stronger than a 12-character password with symbols (79 bits). The best approach is maximum length with all character classes enabled.
What makes a password manager safe to use?
Zero-knowledge design means your vault is encrypted on your device before it ever reaches the provider's servers, using your master password as the encryption key. Even if the provider is breached, attackers get only encrypted blobs. The security guarantee is only as strong as your master password and the underlying cryptographic implementation, which is why audited, open-source managers are preferable.
Should I change my passwords regularly?
Only when there is a specific reason: a service you use reports a breach, you shared a password and are revoking access, or you suspect compromise. Mandatory periodic rotation with no breach event trains users to make weak, predictable changes and is no longer recommended by NIST as of 2017 guidance that remains current.