
Password Generator: What Makes a Password Actually Secure?

4 April 2026, Tom Briggs

Part of Internet Speed, File Sizes & Digital Storage.


My approach to password security changed considerably once I understood what made a password genuinely difficult to crack rather than just difficult for me to remember.

People are surprisingly bad at creating secure passwords — not because they're careless, but because human intuition about what makes a password strong is almost exactly wrong. Substituting '@' for 'a' and adding '1' at the end feels clever. It isn't. Here's what actually matters.

Why Common Passwords Fail

Attackers use two main methods: dictionary attacks (trying common words, known patterns, and popular substitutions) and brute force (trying every combination). Predictable substitutions — '3' for 'e', '@' for 'a', capitalising the first letter — are all built into modern cracking software. They add almost no real security.

Our random string generator creates genuinely random character sequences with no patterns. Our UUID generator provides another source of unpredictable unique identifiers.

Password Entropy: The Real Measure

Entropy measures unpredictability in bits. Formula: H = L × log₂(N), where L = length and N = character set size, assuming every character is chosen uniformly at random from those N possibilities.

  • 4-digit PIN: ≈13 bits (cracked instantly)
  • 8-char lowercase only: ≈37.6 bits (cracked in minutes)
  • 12-char mixed case + numbers + symbols: ≈78.9 bits (years)
  • 16-char random: ≈105 bits (effectively uncrackable)

Length Beats Complexity

A 20-character lowercase random string is significantly harder to crack than an 8-character "complex" password. Length is the primary driver of security, not the mix of character types. "correcthorsebatterystaple" — four random common words — has more entropy than most 8-character "complex" passwords.

Use a Password Manager

The objection: "I can't remember a 20-character random string." You're right — and you shouldn't try to. Use a password manager (Bitwarden, 1Password, KeePass). It remembers every password; you remember one strong master password. Unique, random passwords for every account — the gold standard.

The Real Threat: Credential Stuffing

Most account compromises don't involve cracking at all. Your email and password from a 2012 forum breach get tried against banking, email, and social media. If you reuse passwords, one breach compromises everything. Unique passwords per account — the whole point of a password manager — eliminates this risk entirely.

Two-Factor Authentication

Even a perfect password can be phished. 2FA — typically a code from your phone — means a stolen password alone isn't enough. Enable it on every account that offers it, especially email and banking.

Further reading: the NCSC publishes evidence-based password guidance.

What Determines Password Strength

Password strength is measured by the number of guesses an attacker would need to crack it. This depends on two things: the size of the character set (how many possible characters at each position) and the length. A 12-character password drawn from lowercase letters only (26 characters) has 26¹² possible combinations — about 95 billion. The same 12-character password drawn from lowercase, uppercase, numbers, and symbols (around 95 characters) has 95¹² — about 540 quadrillion — roughly 5.7 million times more combinations. Length has an even larger effect: each additional character multiplies the search space by the size of the character set.

Why Common Password Patterns Fail

Dictionary-based attacks do not try random combinations — they try known words and common patterns first. "Password1!" fails immediately not because it lacks uppercase, number, or symbol characters, but because it follows a pattern that appears near the top of every password-cracking dictionary. Substituting letters with similar-looking numbers — @ for a, 3 for e, 0 for o — was an effective technique in the 1990s and is now trivially defeated because these patterns are themselves catalogued. The same applies to appending numbers or special characters at the end of a word.
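A strength checker that accounts for the patterns just described, as an added example that is not part of the original article: it undoes the catalogued substitutions and suffixes before comparing against a wordlist. The wordlist is a constructed eight-entry stand-in, and the 1000-rule figure is an assumption standing in for a cracker's mangling-rule set.

```python
import math
import re

# Constructed stand-in for the top of a cracking dictionary (real lists run to millions of entries).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "qwerty", "monkey", "football", "sunshine"}
# Assumed size of the mangling-rule set (case changes, leet, suffixes) applied to each word.
ASSUMED_RULE_COUNT = 1000

# The look-alike substitutions the article lists; crackers apply these as rewrite rules.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i", "$": "s", "5": "s", "7": "t"})

def normalize(candidate: str) -> str:
    """Strip a trailing digit/symbol suffix, then undo leet substitutions and case."""
    stem = re.sub(r"[^A-Za-z]+$", "", candidate)   # "Password1!" -> "Password"
    return stem.translate(LEET_MAP).lower()        # "P@ssw0rd"   -> "password"

def naive_bits(candidate: str) -> float:
    """H = L * log2(N) with N inferred from the classes present: the optimistic figure."""
    n = 0
    n += 26 if re.search(r"[a-z]", candidate) else 0
    n += 26 if re.search(r"[A-Z]", candidate) else 0
    n += 10 if re.search(r"[0-9]", candidate) else 0
    n += 33 if re.search(r"[^A-Za-z0-9]", candidate) else 0
    return len(candidate) * math.log2(n) if n else 0.0

def effective_bits(candidate: str) -> float:
    """Bits of work for a dictionary-plus-rules attack when the stem is a known word; else the naive figure."""
    if normalize(candidate) in COMMON_WORDS:
        return math.log2(len(COMMON_WORDS) * ASSUMED_RULE_COUNT)
    return naive_bits(candidate)

def assess(candidate: str) -> dict:
    """Compare the optimistic entropy with what the password is actually worth against a pattern attack."""
    stem = normalize(candidate)
    return {
        "naive_bits": round(naive_bits(candidate), 1),
        "effective_bits": round(effective_bits(candidate), 1),
        "dictionary_stem": stem if stem in COMMON_WORDS else None,
    }

if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd", "Dr4g0n2024", "xq7#Lm2!vBn9pQ"]:
        print(pw, assess(pw))
```

Against the real dictionaries the article refers to the effective figure rises with the list size, but it stays far below what the character-set formula reports for the same string.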

The Case for Random Generation

Human-generated passwords are predictably patterned. People choose words they can remember, add numbers they find significant, and place special characters at the end. Attackers know this. A randomly generated password drawn from a large character set is structurally different — it has no pattern to exploit. A 16-character random password from a 95-character set cannot be cracked by any currently existing hardware within any realistic timeframe. The practical problem is memorability, which is where a password manager becomes the essential companion to a strong random password.
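Random generation from a large character set, and the four-random-words passphrase mentioned earlier, as an added example that is not part of the original article. It uses the operating system's CSPRNG via Python's `secrets` module; the eight-word list is a constructed stand-in, and 7776 is the size of a standard diceware list used only for the entropy figure.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation); space, the 95th, is left out.
FULL_SET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini wordlist; a real diceware-style list has 7776 entries.
WORDLIST = ["correct", "horse", "battery", "staple", "orange", "window", "planet", "copper"]

def entropy_bits(length: int, pool_size: int) -> float:
    """H = L * log2(N) for L independent uniform picks from a pool of N."""
    return length * math.log2(pool_size)

def random_password(min_bits: float = 100.0, charset: str = FULL_SET) -> str:
    """Shortest uniformly random string over `charset` that reaches `min_bits` of entropy.
    `secrets.choice` draws from the OS CSPRNG; the `random` module is seedable and
    predictable, so it must never be used for this."""
    length = math.ceil(min_bits / math.log2(len(charset)))
    return "".join(secrets.choice(charset) for _ in range(length))

def random_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Passphrase of `words` uniformly chosen list entries; its entropy depends on the
    list size and word count only, not on how long the words happen to be."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def passphrase_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase: words * log2(list_size)."""
    return entropy_bits(words, list_size)

if __name__ == "__main__":
    pw = random_password(100)
    print(pw, f"{entropy_bits(len(pw), len(FULL_SET)):.1f} bits")
    print(random_passphrase(4), f"{passphrase_bits(4, 7776):.1f} bits with a 7776-word list")
```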

Password Managers and Storage

A password manager stores randomly generated passwords in an encrypted vault accessed by one strong master password. This allows a different strong random password for every account without requiring you to remember any of them. The security model shifts from memorising many passwords to protecting one. If that one master password is strong and your device is not compromised, your password security is substantially better than any approach based on memorable passwords. Password managers are widely recommended by security professionals precisely because they resolve the memorability-strength trade-off that leads most people to create weak passwords.
