X
🔑

What Actually Makes a Password Strong

Length beats symbols. The entropy math behind cracking times, what attackers really try first, and a system you can live with.

📅 Last updated: July 11, 2026⏱️ 6 min read✍️ By the Xnipertools team

Every password rule you've been nagged with — "one capital, one number, one symbol" — comes from a 2003 guideline that its own author later called a mistake. The modern consensus, including current NIST guidance, is simpler and easier to live with: length is what matters. This guide shows the arithmetic, so the advice isn't something you take on faith.

How password cracking actually works

Attackers almost never "guess" passwords on a login page — sites lock them out after a few tries. The real risk is offline cracking: a breached database of scrambled (hashed) passwords, tested by machines that can try billions of combinations per second. There are two attack styles:

The math: why length wins

A password's strength is its search space: (alphabet size)length. Adding symbols grows the alphabet (the base). Adding characters grows the exponent — and exponents always win. Assuming a strong attacker testing 100 billion guesses per second against properly random passwords:

PasswordSearch spaceTime to exhaust
8 chars, lowercase only268 ≈ 2×1011≈ 2 seconds
8 chars, all types (95 symbols)958 ≈ 6.6×1015≈ 18 hours
12 chars, lowercase only2612 ≈ 9.5×1016≈ 11 days
12 chars, all types9512 ≈ 5.4×1023≈ 171,000 years
16 chars, lowercase only2616 ≈ 4.4×1022≈ 13,800 years
16 chars, all types9516 ≈ 4.4×1031≈ 14 trillion years

Read the third row against the second: a 12-character password of nothing but lowercase letters already beats an 8-character password using every character type on the keyboard. That's the whole argument. Symbols help — but four extra characters help more than all the symbols combined.

The 2026 floor: 16+ characters for email, banking and anything holding your identity; 12 as the absolute minimum anywhere. All of it random — the math above only holds if the password isn't in a dictionary.

What attackers try first (never use these)

Two systems that actually work

1. Random passwords + a password manager

Let a manager remember 16–20 character random passwords, one per site. You memorise exactly one strong master passphrase. This is the strongest practical setup and what we use ourselves.

2. Passphrases for the ones you must type

For the master password, Wi-Fi, or a laptop login, chain 4–5 genuinely random words: lantern-cactus-orbit-plum. From a 7,000-word list, four random words ≈ 70004 ≈ 2.4×1015 — comparable to a strong random password, but typeable on a phone without rage. The words must come from a random picker, not from a sentence you'd naturally say.

Generate one now — locallyCryptographically random, created in your browser. Nothing leaves your device.
Open Password Generator →
Password Generator with length and character type controls
Our generator uses the browser's crypto API — the password is created on your device and never transmitted.

Beyond the password itself

FAQ

Is a longer password really better than a complex one?

Yes. Each extra character multiplies the search space; swapping a letter for a symbol only changes the multiplier slightly. A 16-character lowercase password is orders of magnitude stronger than an 8-character password using every character type.

How long should my password be in 2026?

16 characters or more for anything that matters, 12 as an absolute floor. At those lengths a properly random password is beyond practical brute force even against fast offline cracking rigs.

Are passphrases like four random words secure?

Yes — four to five truly random words from a large list gives similar strength to a 14–16 character random password and is far easier to type and remember. The words must be random, not a sentence you'd naturally say.

Is it safe to generate passwords online?

Only if the generator runs locally. Our Password Generator creates passwords in your browser using the cryptographic randomness API — nothing is sent to or stored on any server. Check any generator you use for the same claim.

Do I still need 2FA with a strong password?

Yes. A strong password does nothing if it leaks in a site breach or a phishing page captures it. Two-factor authentication is the layer that survives those events — enable it on email and banking first.

📖

Related guides

More tools