People are surprisingly bad at creating secure passwords — not because they're careless, but because human intuition about what makes a password strong is almost exactly wrong. Substituting '@' for 'a' and adding '1' at the end feels clever. It isn't. Here's what actually matters.
Why Common Passwords Fail
Attackers use two main methods: dictionary attacks (trying common words, known patterns, and popular substitutions) and brute force (trying every combination). Predictable substitutions — '3' for 'e', '@' for 'a', capitalising the first letter — are all built into modern cracking software. They add almost no real security.
Our random string generator creates genuinely random character sequences with no patterns. Our UUID generator provides another source of unpredictable unique identifiers.
Password Entropy: The Real Measure
Entropy measures unpredictability in bits. Formula: H = L × log₂(N), where L = length and N = character set size. The formula only holds when every character is chosen uniformly at random; a human-chosen password drawn from the same character set has far less entropy than the formula suggests.
- 4-digit PIN: ≈13 bits (cracked instantly)
- 8-char lowercase only: ≈37.6 bits (cracked in minutes)
- 12-char mixed case + numbers + symbols: ≈78.9 bits (years)
- 16-char random: ≈105 bits (effectively uncrackable)
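As an added example (not code from the original article), the entropy formula above applied to the article's four rows, plus a generator that actually produces uniformly random strings. The 94-character set is an assumption (printable ASCII without the space); with that set the 12-character row evaluates to about 78.7 bits, the exact value depending on how many symbols you count.

```python
import math
import secrets
import string

# Character sets for the article's rows. PRINTABLE (N = 94) is an
# assumption: letters, digits and punctuation, no space.
DIGITS = string.digits                                                 # N = 10
LOWER = string.ascii_lowercase                                         # N = 26
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # N = 94


def entropy_bits(length: int, charset_size: int) -> float:
    """H = L * log2(N) for a string whose characters are uniformly random."""
    if length <= 0 or charset_size <= 1:
        raise ValueError("length must be > 0 and charset size > 1")
    return length * math.log2(charset_size)


def entropy_of_alphabet(length: int, alphabet: str) -> float:
    """Same formula, with N taken from the number of distinct characters."""
    return entropy_bits(length, len(set(alphabet)))


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Pick each character uniformly using the CSPRNG-backed secrets module.

    random.choice() is not used here: it is not designed for secrets and its
    output can be predicted from a small amount of observed output.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to reach the password when half the keyspace is searched.

    The guess rate is an assumption supplied by the caller; the article
    gives no concrete rates for its "instantly" / "minutes" / "years" labels.
    """
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    rows = [("4-digit PIN", 4, DIGITS), ("8-char lowercase", 8, LOWER),
            ("12-char mixed", 12, PRINTABLE), ("16-char mixed", 16, PRINTABLE)]
    for label, length, alphabet in rows:
        print(f"{label:18s} {entropy_of_alphabet(length, alphabet):6.1f} bits")
    print("example 16-char password:", generate_password(16))
```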
Length Beats Complexity
A 20-character lowercase random string is significantly harder to crack than an 8-character "complex" password. Length is the primary driver of security, not the mix of character types. "correcthorsebatterystaple" — four random common words — has more entropy than most 8-character "complex" passwords.
Use a Password Manager
The objection: "I can't remember a 20-character random string." You're right — and you shouldn't try to. Use a password manager (Bitwarden, 1Password, KeePass). It remembers every password; you remember one strong master password. Unique, random passwords for every account — the gold standard.
The Real Threat: Credential Stuffing
Most account compromises don't involve cracking at all. Your email and password from a 2012 forum breach get tried against banking, email, and social media. If you reuse passwords, one breach compromises everything. Unique passwords per account — the whole point of a password manager — eliminate this risk entirely.
Two-Factor Authentication
Even a perfect password can be phished. 2FA — typically a code from your phone — means a stolen password alone isn't enough. Enable it on every account that offers it, especially email and banking.
Further reading: The NCSC publishes evidence-based password guidance. Read NCSC's password guidance.