A password is secure when it is computationally infeasible to guess within any practical timeframe. The two factors that matter most are length and randomness. Complexity rules ("you must have a number and a symbol") matter far less than sheer length, because each added character multiplies the search space.
The Five Rules for a Secure Password
- Length over complexity. A 20-character password with only lowercase letters is much harder to crack than an 8-character password with numbers and symbols.
- True randomness. Patterns (substituting 3 for e, adding 1 at the end) are predictable. Use a random generator.
- Unique per account. If one site is breached, credential stuffing attacks will try your password on every other site. Unique passwords contain the damage.
- No personal information. Name, birthday, pet, team, and city are all in your social media profile and will be tried first.
- Stored in a password manager. The only secure way to have unique passwords on 100+ sites is a manager. Do not rely on memory patterns.
Password Strength by Length (Brute Force)
| Length | Character Set | Crack Time (100 billion guesses/sec) |
|---|---|---|
| 8 chars | Lowercase only | Under 1 minute |
| 8 chars | Mixed case + numbers + symbols | A few hours |
| 12 chars | Mixed case + numbers + symbols | Centuries |
| 16 chars | Mixed case + numbers + symbols | Astronomically long |
| 20 chars | Random anything | Effectively uncrackable |
Are Three-Word Passwords Secure?
Yes, provided the words are chosen at random (for example, picked from a word list) rather than taken from a familiar phrase. A passphrase like "correct-horse-battery-staple" has 44 bits of entropy, and all of that entropy comes from the random choice of the four words, not from the words themselves. Add length or more random words to increase security.
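To show where the table's crack times and the 44-bit passphrase figure come from, here is an added Python example (not part of the original page) that computes keyspace entropy and worst-case exhaustion time at the table's 100 billion guesses/sec; the character-set sizes (26, 62, 95) and the 2048-word and 7776-word lists are assumptions.

```python
import math

# Added example, not code from the original page. It reproduces the reasoning
# behind the brute-force table and the passphrase entropy discussion above.

GUESSES_PER_SEC = 100_000_000_000  # 100 billion guesses/sec, as in the table

# Character-set sizes assumed for the table's rows.
CHARSETS = {
    "lowercase": 26,
    "mixed case + numbers": 62,
    "mixed case + numbers + symbols": 95,  # printable ASCII minus space
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def crack_seconds(alphabet_size: int, length: int, rate: int = GUESSES_PER_SEC) -> float:
    """Worst-case time to exhaust the whole keyspace at `rate` guesses/sec."""
    return alphabet_size ** length / rate


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that applies."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        for name, size in CHARSETS.items():
            bits = entropy_bits(size, length)
            print(f"{length:2d} chars, {name:32s} {bits:6.1f} bits  {humanize(crack_seconds(size, length))}")
    # Four words from a 2048-word list: 4 * 11 = 44 bits, the figure quoted above.
    print(f"4 words from a 2048-word list: {passphrase_bits(2048, 4):.0f} bits")
    # Three words from the 7776-word Diceware list (assumed list size).
    print(f"3 words from a 7776-word list: {passphrase_bits(7776, 3):.1f} bits")
```

Running it shows why 20 lowercase characters (about 94 bits) beat 8 characters from the full 95-symbol set (about 53 bits), matching the first rule above.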
People Also Ask
- What is the most hacked password?
- "123456" remains the most commonly breached password globally, followed by "password," "123456789," and "qwerty." These are cracked in milliseconds.