How to Create Strong Passwords: Length and Complexity
A practical guide to creating strong passwords that resist cracking, covering length, complexity, common mistakes, and when to use a passphrase instead.
Why Password Length Matters More Than You Think
Length is the single most important factor in password strength. A 16-character password made of lowercase letters takes orders of magnitude longer to brute-force than an 8-character password with symbols. Every extra character multiplies the search space by the size of the character pool, so the cost of a brute-force attack grows exponentially with length: adding one character is not a linear improvement, it is a compound one.
Most people underestimate how fast modern hardware cracks short passwords. A consumer GPU can test billions of guesses per second against common hashing algorithms. An 8-character password, even a complex one, can fall in hours. A 16-character password, even a simple one, can take centuries. Start there.
Complexity Helps, But Not the Way You Expect
Adding uppercase letters, numbers, and symbols expands the character pool, which raises the theoretical difficulty of a brute-force attack. The practical benefit depends entirely on whether your characters are distributed randomly. Substituting 'a' with '@' or adding a '1' at the end of a word does almost nothing — attackers have dictionaries for that.
True complexity means each character is independently random. 'Tr0ub4dor&3' is not random — it follows a predictable pattern. 'k9#Lm2!vQzXs' is closer. The difference is whether a human or an algorithm chose the characters. If you chose them, they are probably patterned.
Passphrases Are Long Passwords That Are Actually Usable
A passphrase strings together four or five random common words: 'correct horse battery staple' is the famous example. That is 25 letters that take almost no effort to remember. The strength comes from choosing the words at random from a large list, not from the words themselves, so the selection method matters: picking words you like defeats the purpose.
Passphrases work best for master passwords, device logins, and anything you need to type regularly. For accounts managed by a password manager, fully random strings are fine because you never type them anyway. Match the format to the use case.
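To put numbers on the length-versus-complexity argument above and on the passphrase section, here is an added Python example (not from the original article). The guesses-per-second rate and the 7776-word dictionary size are assumptions, and the short word list is constructed for illustration; the generators use the `secrets` module so every pick comes from the operating system's cryptographic random number generator.

```python
import math
import secrets
import string

# Assumed attacker speed: ten billion guesses per second, roughly one consumer GPU
# against a fast unsalted hash. Real rates depend on the hash; illustrative only.
GUESSES_PER_SECOND = 1e10
DICEWARE_WORDS = 7776  # assumed size of a diceware-style word list (6**5)
# Constructed sample word list; a real generator would load a full list.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anvil", "cloud", "river", "lamp"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)

def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return 2 ** bits / 2 / rate

def humanize(seconds: float) -> str:
    """Coarse duration for reports, using the largest unit that fits."""
    units = (("centuries", 3.156e9), ("years", 3.156e7), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Each character drawn independently from the OS CSPRNG, not chosen by a human."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(n_words: int, words: list = SAMPLE_WORDS) -> str:
    """Words drawn at random; strength comes from list size, not word meaning."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def compare() -> dict:
    """Entropy in bits of the three cases the article contrasts."""
    return {"8 random printable chars": entropy_bits(len(PRINTABLE), 8),
            "16 random lowercase chars": entropy_bits(26, 16),
            "4-word diceware passphrase": entropy_bits(DICEWARE_WORDS, 4)}

if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label}: {bits:.1f} bits, about {humanize(crack_seconds(bits))} to crack")
    print("password:  ", random_password(16))
    print("passphrase:", random_passphrase(5))
```

Under these assumptions four diceware words land close to eight random printable characters (about 52 bits), while sixteen random lowercase letters reach about 75 bits, which is why the article asks for length first and a fifth word where the passphrase protects something valuable.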
Common Mistakes That Undermine Good Intentions
Reusing passwords across accounts is the single biggest practical risk. One breach exposes every account that shares the password. The solution is not a better shared password — it is using a different password everywhere, which means a password manager is not optional.
Other common failures: using personal information like birthdays or pet names, meeting minimum requirements exactly rather than exceeding them, and storing passwords in a plain text file or browser without a master password. Each of these trades security for convenience in a way that attackers rely on.
Frequently asked questions
- How long should a strong password be?
- At least 16 characters for most accounts. For high-value accounts like email or banking, aim for 20 or more. Length gives you more protection per character than any other change you can make.
- Are random password generators actually safe to use?
- Yes, if they run locally in your browser without sending data to a server. A well-built client-side generator draws on the browser's cryptographic random number generator and never transmits your password. Avoid any generator that requires an account or sends results by email.
- Should I use a passphrase or a random password?
- Use a passphrase for anything you type manually — it is easier to remember and still very strong. Use a fully random password for anything stored in a password manager, where memorability is irrelevant.
- Do special characters make a big difference?
- They help, but only when placed randomly. Predictable substitutions like '3' for 'e' or '!' at the end are already in attacker dictionaries. Random placement of symbols on a long password adds real entropy; bolting them onto a word does not.