Why Most Passwords Are Weaker Than You Think
Every year, security researchers publish lists of the most commonly used passwords. Every year, the results are the same: "123456", "password", "qwerty", and variations of people's names and birthdays dominate the top spots. These passwords can be cracked in under a second by modern tools. Yet millions of people continue to use them, often for accounts that hold sensitive financial, medical, or personal information.
The uncomfortable truth is that most people never learned what makes a password strong, and why it matters so much more today than it did ten years ago.
How Attackers Actually Crack Passwords
Understanding the threat helps you make smarter choices. Attackers use several different methods to crack passwords:
- Dictionary attacks: Automated tools try every word in a dictionary, plus common substitutions (p@ssw0rd, s3cur1ty). These crack simple "word-based" passwords in seconds.
- Brute force: The tool tries every possible combination of characters. A 6-character password using only lowercase letters has just 308 million possibilities, crackable in minutes on modern hardware.
- Credential stuffing: Attackers take username/password pairs leaked from one data breach and automatically try them on hundreds of other services. If you reuse passwords, one breach compromises everything.
- Phishing: No technical cracking needed. A convincing fake login page tricks you into handing over your password directly.
What Makes a Password Actually Strong?
Password strength is primarily determined by two factors: length and randomness.
Length matters enormously. A 12-character password is not twice as hard to crack as a 6-character password; it is approximately 19 billion times harder, because the number of possibilities grows exponentially. Each additional character multiplies the difficulty.
Randomness matters because predictable patterns (capitalising the first letter, ending with "1!", substituting @ for a) are already built into attacker dictionaries. "P@ssw0rd" is not more secure than "password" in any meaningful way; both are cracked instantly.
A genuinely strong password for most accounts needs to be:
- At least 16 characters long
- Truly random: not based on words, names, dates, or patterns
- Made up of a mix of character types: uppercase, lowercase, numbers, and symbols
- Unique: never reused across multiple accounts
The Problem: Strong Passwords Are Impossible to Remember
Here lies the dilemma. A genuinely random 16-character password looks something like this: kR7#mQv2!xLpT9wN. No one can memorise dozens of these for every account they use. So people fall back on weak, memorable passwords, and the problem perpetuates itself.
The solution is not to try harder to remember strong passwords. The solution is to stop trying to remember passwords at all.
Password Managers: The Real Solution
A password manager is an application that generates and stores strong, unique passwords for every account you have. You remember one master password to unlock the manager; the manager handles everything else.
Popular password managers include Bitwarden (free and open source), 1Password, Dashlane, and the built-in managers in browsers like Chrome and Safari. They work across all your devices, autofill login forms, and alert you when a password appears in a known data breach.
With a password manager, you can use a different 20-character random password for every single account without ever needing to remember any of them, except the one master password to rule them all.
Choosing a Good Master Password
Your master password is the one password you must remember and must never forget. The best approach is a passphrase: four or more random, unrelated words strung together. Something like "purple-hammer-orbit-lemon" is long (24 characters), random enough to resist cracking, and far easier to remember than a string of random characters. Add capitalisation and a symbol and it becomes even stronger: "Purple-Hammer-Orbit-Lemon7".
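As an added illustration of the numbers in the sections above (this is not code from the article or from its Password Generator), the following Python script computes the search space and entropy of a password from its length and alphabet, estimates brute-force time at an assumed guess rate, and generates both a random character password and a passphrase using the operating system's cryptographic random source. The short word list is a constructed stand-in for a real list such as the EFF's 7,776-word list.

```python
import math
import secrets
import string

# Alphabet for a "truly random" character password: upper, lower, digits, symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed stand-in word list. A real generator loads a large list
# (for example the EFF's 7,776-word list) so each word adds ~12.9 bits.
WORDLIST = ["purple", "hammer", "orbit", "lemon", "cactus", "violin",
            "glacier", "tunnel", "marble", "falcon"]


def search_space(length: int, alphabet_size: int) -> int:
    """Number of distinct strings of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def entropy_bits(choices: int, options_per_choice: int) -> float:
    """Entropy of `choices` independent uniform picks among `options_per_choice`.

    Strength comes from the number of random choices, not from how long the
    result looks: 4 words from 7,776 give ~51.7 bits whatever the word lengths.
    """
    return choices * math.log2(options_per_choice)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to hit the password by exhaustive search (half the space).

    The guess rate is an assumed figure for illustration, not a measurement.
    """
    return (2 ** bits) / 2 / guesses_per_second


def random_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniform random characters from the OS CSPRNG (secrets, not random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    cases = [("6 lowercase", 6, 26), ("6 mixed case", 6, 52),
             ("12 mixed case", 12, 52), ("16 full alphabet", 16, len(PASSWORD_ALPHABET))]
    for label, length, size in cases:
        bits = entropy_bits(length, size)
        print(f"{label:18} {bits:6.1f} bits  ~{expected_crack_seconds(bits):.3g} s at 1e10 guesses/s")
    print("password:  ", random_password())
    print("passphrase:", random_passphrase())
```

Running it shows that going from 6 to 12 mixed-case characters multiplies the search space by 52^6, which is the article's "approximately 19 billion".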
Two-Factor Authentication: The Second Layer
Even the strongest password can be phished. Two-factor authentication (2FA) adds a second verification step, usually a time-based code from an app like Google Authenticator or Authy, or a hardware key like a YubiKey. With 2FA enabled, stealing your password alone is not enough to access your account.
Enable 2FA on every account that supports it, starting with email, banking, and social media.
Quick Reference: Password Strength by Type
- "password", "123456", your name: Cracked in under 1 second
- 8-character mixed case + numbers: Cracked in minutes to hours
- 12-character truly random: Cracked in years (currently)
- 16+ character truly random: Effectively uncrackable with current technology
Use our free Password Generator to generate cryptographically random passwords of any length instantly in your browser. Nothing is transmitted or stored.