What Makes a Strong Password

Password Strength In 2019 Hero

Password “strength” is understood by most folks to be determined by the variety of character types in a password. But while signup forms might think complexity is security, attackers disagree. Complexity no longer defends against a modern threat model. What makes strong passwords? We need to first examine the actual threat model faced by most folks.

Password Complexity Misses the Point

Password “strength” is often just a function of complexity, or the amount of randomness in a password, measured by the use of symbols, numbers, and upper and lowercase. But adding a few different characters to your password doesn’t meaningfully increase its “strength,” despite what that deceptive green “strength” bar next to your password suggests. Complexity increases the difficulty of a brute force attack, but that sort of attack is uncommon.

Instead, credential theft happens in massive data heists or leaks from large organizations. Password strength won’t help you if the attackers have your password in plain text.

Use Unique Passwords

Most folks are hugely vulnerable to something called “credential stuffing”: compromised credentials are tried on popular platforms to exploit the human tendency for password reuse. That’s a far greater danger than a “weak” password. After all, one “super strong,” completely random password reused on every platform would become disastrous after one leak.

Rather than thinking of password strength as a singular property, we need to think of the strength of your authentication system. Modern passwords create that system and must be considered as such. Using unique passwords is far easier with a password manager, so get started with one today if you haven’t already.

Length Is More Important than Complexity

For years we’ve been trained to think of complexity as a password’s most important factor. And while we know brute force attacks are rare, complexity isn’t even the best defense against brute force cracking: length is actually far more important.

Password Strength In 2019 Xkcd Comic
XKCD shows that the length of password is what matters.

Password length has an exponential relationship with cracking time, so moderate increases in length can yield massive increases in cracking time. Complexity, on the other hand, has a more linear relationship with cracking time.

Take this example: A high-performance cracking machine can break a complex-looking password like *nRyU86) in as little as eighty minutes. Increasing the length by a single uppercase letter stretches that time to nearly thirth-six hours, while changing a letter to a symbol provides no meaningful change in cracking time.

Let’s take full advantage of length’s exponential powers. What about a four-word passphrase, using known dictionary words and totaling sixteen characters in length? Even when accounting for dictionary attacks (attacks that use a database of known words to guess passwords instead of randomly generating guesses), it would still take ninety billion years to crack the password.

Password Strength In 2019 Cracking Time Table

Forget complexity. The best passwords are actually pass-phrases. You could never remember a similarly-strong complex password. But brains love funny stories and surprising images. If you generate an absurdly memorable story for a randomly-generated phrase, you’ll have a hard time forgetting it.

Truly random pass-phrase generation is critical. Choosing words related to yourself, like your birth month, will make the passphrase easier to guess. Use EFF’s Password Dice to generate random pass-phrases safely and securely.

Turn on All Two-Factor Authentication Systems

All systems leak. Password strength won’t save you. So how can you defend yourself? Two-factor authentication (2FA) systems provide an extra layer of security. 2FA asks for two types of credentials: something you know (i.e. your password) and something you have (i.e. your phone). In most 2FA systems, these codes are generated by a remote server. The server sends the active code to the user at login time.

Password Strength In 2019 Two Factor Authentication

Unfortunately, attackers can intercept SMS codes with relative ease through SIM-card cloning. To prevent this eavesdropping, generate codes on your mobile device with a 2FA app like Authy, Google Authenticator, or a password manager with 2FA support like 1Password.


The “strength” of a single password is a red herring. A strong system of authentication is more important. Leaks and data theft inevitably happen. Unique passwords keep the damage contained. Two-factor authentication can reduce the damage of stolen credentials to zero.

Alexander Fox Alexander Fox

Alexander Fox is a tech and science writer based in Philadelphia, PA with one cat, three Macs and more USB cables than he could ever use.


  1. “Length Is More Important than Complexity”
    Length also misses the point. If we continue your little table of time to crack a password to its end, it would supposedly take billions of year to crack a password consisting of 26 letters of the English alphabet. We both know that is ludicrous. Any even half-competent script kiddie would crack that password in minutes.

    Complexity doe shave its place in determining password strength. If you were to change some of the 26 letters to numbers and symbols, then the resulting password would take billions of years to crack.

    “The best passwords are actually pass-phrases. You could never remember a similarly-strong complex password.”
    It may take 90 billion years to crack a pass=phrase of four random words but how long will it take YOU to remember those four random words? And please do not mention a Password Manager because to unlock the PM you will need to remember a password or a pass=phrase.

    “All systems leak.”
    Including 2FA.

    “Two-factor authentication can reduce the damage of stolen credentials to zero.”
    Is that so? I suppose Equifax, Target, Yahoo should have used 2FA to protect their databases.

    1. Yes, definitely! I use 2FA with 1Password, which generates codes within the app. It generates and automatically pastes the correct 2FA code into the browser with the 1Password browser extension. You can also use SMS-based two-factor with any cell phone that gets text messages, but since SMS wasn’t designed with high security as a priority, there’s a chance someone else could eavesdrop on your connection and clone your 2FA codes if they were interested in doing so.

Comments are closed.