Password Security Best Practices: How to Create Strong Passwords
Learn how password cracking actually works, why length beats complexity, what entropy means in real numbers, and the 5-minute security upgrade that protects your accounts. Includes crack-time comparison table and practical action steps.
By Anurag · Published May 1, 2026 · Updated May 30, 2026 · ~15 min read
Why Most Passwords Get Cracked (It's Not What You Think)
The dominant mental model most people have about password cracking — a hacker sitting at a terminal hammering through combinations until one works — is almost entirely wrong. The real threat is simpler, faster, and has nothing to do with how complex your password is.
Credential stuffing is responsible for the overwhelming majority of account takeovers. Here is how it works: a company gets breached, a database of email and password combinations leaks to the dark web, and automated software immediately begins trying those exact credentials against hundreds of other websites. No cracking required. The password is already known. The attacker is just checking whether you used the same one somewhere else.
The scale of these breaches is not abstract. In 2024, a compilation called RockYou2024 leaked approximately 10 billion unique credentials — email and password pairs accumulated from thousands of individual breaches over more than a decade. That single file contains credentials from services you have used, services you have forgotten you used, and services that have been breached without ever notifying you. When LinkedIn was compromised in 2012, 117 million accounts were exposed. Years later, those credentials were still being used to break into Dropbox, Netflix, and online banking accounts belonging to people who had never touched LinkedIn since 2012 but had never changed their passwords either.
The attack flow takes minutes once the breach data exists: download the credential list, run automated login software against Gmail, Amazon, Chase, PayPal, and a hundred other targets simultaneously, collect successful logins. No GPU farm needed. No mathematical complexity to defeat. Just automation and the near-universal human habit of reusing passwords.
Reuse is the #1 everyday password vulnerability. A "strong" password — 12 characters, numbers, symbols, the works — reused across five accounts is dramatically more dangerous than a mediocre, unremarkable password that is unique to each service. The strength metric becomes irrelevant when the password is already in a database somewhere.
How Password Cracking Actually Works
When passwords do get cracked rather than replayed from breach databases, three distinct attack methods are used, each targeting different types of vulnerability.
Brute Force
Brute force tries every possible combination in sequence: aaa, aab, aac, up through every character combination at the target length. Modern hardware makes this viable for short passwords at speeds that are genuinely staggering. A rig running eight RTX 4090 GPUs can test approximately 200 billion MD5 password hashes per second. Against an offline database of leaked hashed passwords, that speed is unconstrained — the attacker can try as many combinations as their hardware can generate.
At that speed, a 6-character lowercase password has an 8.7 billion combination space and falls in roughly 43 milliseconds. An 8-character password using only lowercase letters falls in under 2 minutes. The math turns decisively in the defender's favor only at longer lengths, which is why length matters more than any other single factor.
Dictionary Attacks
Dictionary attacks do not try every combination — they try the combinations humans actually choose. Breach databases from the past 20 years have given attackers an extraordinarily accurate picture of how people construct passwords. The patterns are consistent across cultures and demographics: a common word or name, followed by a birth year or short number string, optionally with a symbol appended or substituted.
Every known substitution is in the dictionaries: @ for a, 0 for o, 1 for l, 3 for e, $ for s. P@$$w0rd! is not a cleverly disguised password — it is a pattern that appears in attack dictionaries explicitly because it was a popular "secure" password for years. Attackers also have lists organized by keyboard patterns (qwerty, 123456, zxcvbn), sports teams with years, and first name plus birth year combinations pulled from social media. The practical reality is that humans are very bad at choosing randomly, and attackers have systematically documented exactly how bad.
Credential Stuffing
Credential stuffing requires no cracking at all. It takes a leaked email-password pair from one breach and tests it against other services automatically. SentinelOne's threat research found that credential stuffing attacks account for the majority of login traffic on many consumer platforms — more login attempts come from automated stuffing tools than from actual users. Services like Cloudflare have documented individual stuffing campaigns testing millions of credentials per hour against single targets.
This is the attack that makes reuse genuinely catastrophic. A mediocre password on a site with good security that eventually gets breached exposes every other account where you used that same password, regardless of how strong those other sites' security is.
The Math of Password Strength: Entropy Explained Simply
Password entropy is a measure of unpredictability expressed in bits. Higher entropy means more combinations an attacker must try. Each additional bit doubles the search space, which is why the relationship between password length and security is exponential, not linear.
Entropy = log₂(possible_characters ^ length)
Using 26 lowercase letters across 8 characters: log₂(26⁸) = 37.6 bits. Using the full 95 printable ASCII characters across 12 characters: log₂(95¹²) = 78.8 bits. That jump from 37.6 to 78.8 bits is not roughly double the security — it is approximately 100 billion times more search space.
Here is how different password types perform against modern hardware. Offline crack times assume 200 billion guesses per second against an MD5 hash. Online crack times assume proper rate limiting at around 100 to 1,000 attempts per second, which most legitimate services enforce.
| Password Type | Example | Entropy | Offline Crack Time | Online Crack Time |
|---|---|---|---|---|
| 6 chars, lowercase | monkey | 28 bits | Instant | Minutes |
| 8 chars, mixed case + numbers | Pass1234 | 48 bits | Minutes | Months |
| 8 chars, full complexity | P@ss1!2# | 52 bits | Hours | Years |
| 12 chars, mixed case + numbers | Treehouse4921 | 72 bits | Centuries | Heat death of universe |
| 16 chars, random | kX9#mP2$vL7!nQ4& | 105 bits | Longer than universe | Impossible |
| 4-word passphrase | correct horse battery staple | 44–51 bits | Days to years | Practically impossible |
| 6-word passphrase | timber vessel proxy candle orbit mesh | 77 bits | Centuries | Impossible |
The jump from 8 to 12 characters is not 50% more secure. Going from 52 bits to 72 bits of entropy means the attacker faces roughly one trillion times more combinations. Adding four characters to a password is not additive — it is multiplicative at every step.
One important caveat on the table: the crack times for offline attacks assume the hashing algorithm used is MD5 or a similarly fast algorithm. Sites using bcrypt, scrypt, or Argon2 — the algorithms responsible security-conscious companies actually use — reduce cracking speed to millions rather than billions per second, buying significant additional time. You cannot control which hashing algorithm a site uses, but the implication is that well-secured sites make even shorter passwords more resistant to offline attacks.
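The entropy formula and the slow-hash caveat above, worked through in code. This is an added example, not code from the article or from Tooliest: it computes each table row's entropy from log₂(possible_characters ^ length) and the worst-case exhaustion time at the article's 200 billion MD5 guesses per second offline, at the article's 1,000 guesses per second rate-limited online ceiling, and at an assumed 100,000 guesses per second for a bcrypt/Argon2-style hash (a round illustrative figure, not a measurement).

```python
# Added example (not from the article): entropy and crack-time calculator
# using the article's formula, entropy = log2(possible_characters ^ length).
import math

OFFLINE_MD5_PER_SEC = 200e9    # article's figure: eight RTX 4090s against MD5
OFFLINE_SLOW_PER_SEC = 100e3   # assumed round figure for a tuned bcrypt/Argon2
ONLINE_PER_SEC = 1_000         # upper end of the article's rate-limited range


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random string or word-list pick."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Worst-case time to exhaust the whole space; the average is half this."""
    return 2.0 ** bits / guesses_per_sec


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that keeps the number readable."""
    value, unit = seconds, "s"
    for next_unit, factor in (("min", 60), ("h", 60), ("days", 24), ("years", 365.25)):
        if value < factor:
            break
        value, unit = value / factor, next_unit
    return f"{value:,.1f} {unit}"


# (label, alphabet or word-list size, length) mirroring the article's table rows;
# passphrase rows use the 7,776-word Diceware list.
ROWS = [
    ("6 chars, lowercase", 26, 6),
    ("8 chars, mixed case + numbers", 62, 8),
    ("8 chars, full complexity", 95, 8),
    ("12 chars, mixed case + numbers", 62, 12),
    ("16 chars, random", 95, 16),
    ("4-word Diceware passphrase", 7776, 4),
    ("6-word Diceware passphrase", 7776, 6),
]


def crack_table():
    """Rows of (label, bits, offline MD5, offline slow hash, online rate-limited)."""
    out = []
    for label, size, length in ROWS:
        bits = entropy_bits(size, length)
        out.append((label, round(bits, 1),
                    human_time(crack_seconds(bits, OFFLINE_MD5_PER_SEC)),
                    human_time(crack_seconds(bits, OFFLINE_SLOW_PER_SEC)),
                    human_time(crack_seconds(bits, ONLINE_PER_SEC))))
    return out


if __name__ == "__main__":
    for row in crack_table():
        print(" | ".join(str(cell) for cell in row))
```

The slow-hash column shows the caveat numerically: the same password space takes a million times longer to exhaust when each guess costs a bcrypt or Argon2 evaluation instead of an MD5 hash.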
Length vs Complexity: The Settled Debate
The "make it complex" school of password advice — use uppercase, lowercase, numbers, and symbols — is not wrong, but it has been systematically outweighed by length as the dominant security factor. More importantly, forcing complexity rules often produces worse passwords by making them harder to remember, which drives reuse.
P@$$w0rd! looks complex. It has uppercase, lowercase, numbers, and symbols. Its actual entropy against a dictionary attack is roughly 20 to 30 bits because the base word is in every attack dictionary and every substitution pattern is documented. It provides false confidence while delivering weak actual security.
purple fish climbing radios has no uppercase, no numbers, and no symbols. Against a dictionary attack treating it as a phrase rather than individual words, it has 55 to 66 bits of entropy. It is stronger, memorable, and passes the actual threat model rather than the cosmetic complexity check.
Length and uniqueness beat cosmetic complexity. NIST Special Publication 800-63B moved decisively toward length, uniqueness, and breach checking instead of forced symbols, periodic password resets, and rules that push people toward predictable reuse.
NIST Special Publication 800-63B — the United States government's official password standard, which informs security requirements for federal systems and is widely adopted by the private sector — codified this in 2017 and has since reinforced it. The current NIST guidance explicitly recommends against forcing complexity rules, recommends against periodic password changes unless a compromise is suspected, recommends a minimum of 8 characters with strong preference for 15 or more, and recommends allowing passwords up to at least 64 characters. The guidance moved decisively toward length and uniqueness as the primary security factors.
Passphrases: When and How to Use Them
A passphrase is four to six random words combined into a single credential. The famous example from XKCD's 2011 comic — "correct horse battery staple" — is now so widely known that it appears in attack dictionaries and should not be used. The concept it illustrates, however, is sound.
The correct way to generate a passphrase is with actual randomness, not by thinking of four words yourself. Human "random" word selection is not random — people gravitate toward concrete nouns, avoid obscure words, and unconsciously create patterns that attackers model. The Diceware method uses a list of 7,776 words paired with rolls of a physical die. Four Diceware words produce approximately 51 bits of entropy. Six words produce approximately 77 bits — strong by any current standard.
Several good random word generators exist online. The cryptographic randomness in a properly implemented generator gives you the same statistical properties as Diceware without the physical dice.
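A generator that does what the two paragraphs above describe, as an added example (not the article's or Tooliest's code): it parses a word list in the Diceware/EFF file format, picks words with Python's secrets module rather than a human or random.choice, and reports the entropy of the result. The eight-line word list embedded below is a constructed stand-in for a real 7,776-entry list so the script runs offline.

```python
# Added example (not from the article): Diceware-style passphrase generation
# with a cryptographically secure random source.
import math
import secrets

# Constructed sample in the Diceware/EFF file format ("<five dice digits>\t<word>").
# A real list has 7,776 lines; this stub only makes the script runnable offline.
SAMPLE_LIST = """\
11111\tabacus
11112\tabdomen
23451\tcandle
31262\tmesh
44444\torbit
52163\tproxy
61325\ttimber
66666\tzoom
"""


def parse_wordlist(text: str) -> dict:
    """Parse 'key<TAB>word' lines into {key: word}; blank lines are ignored."""
    words = {}
    for line in text.splitlines():
        if line.strip():
            key, word = line.split("\t", 1)
            words[key] = word.strip()
    return words


def roll_key(dice: int = 5) -> str:
    """Simulate five fair dice with the OS CSPRNG: the manual Diceware step."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def passphrase(wordlist: dict, words: int = 6) -> str:
    """Choose words uniformly with secrets.choice (never random.choice, which
    is not a CSPRNG). On a complete 7,776-entry list this is equivalent to
    looking up roll_key() for each word; it also works on a partial list."""
    keys = sorted(wordlist)
    return " ".join(wordlist[secrets.choice(keys)] for _ in range(words))


def passphrase_entropy(list_size: int, words: int) -> float:
    """Bits of entropy: log2(list_size ^ words), the article's formula."""
    return words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits from a list of this size."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    wl = parse_wordlist(SAMPLE_LIST)
    print(passphrase(wl))                          # six words from the stub list
    print(round(passphrase_entropy(7776, 6), 1))   # 77.5 bits for a full list
    print(words_needed(7776, 77))                  # 6
```

With the stub list the printed phrase has only log₂(8⁶) = 18 bits, which is the point of words_needed: the word count that makes a passphrase strong depends on the list size, so use the full list.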
Use passphrases for credentials you actually need to type and remember: your laptop login password, your phone's longer unlock code for high-security situations, and most critically, your password manager's master password. The master password needs to be both very strong and genuinely memorable — a 6-word Diceware passphrase is the correct solution for that specific use case.
Do not use passphrases for passwords you store in a password manager. For those, use fully random strings — 20-plus characters of mixed case, numbers, and symbols — that you never need to type or remember. The manager handles all of that.
Password Managers: The Non-Negotiable Tool
The fundamental problem with password security advice is that it asks people to remember dozens of unique, strong, random passwords. No human can do that reliably. Password managers solve this by requiring you to remember exactly one strong password while generating and storing unique random credentials for every other account.
Your password manager generates gK!3mXp9@LvQ2#nR for your Amazon account, TjW8$hN4!rM6&kP1 for your bank, and something equally random and unique for every other service. You never see those passwords, never type them, and never need to remember them. The manager fills them in automatically. If one site gets breached, only that one credential is exposed — not your Amazon account, not your bank, not your email.
The three password managers worth knowing in detail: Bitwarden is free, open source, has been independently audited, and syncs across all devices. Its source code is publicly available for inspection, which is a meaningful security property. 1Password is paid at roughly $3 per month, has an excellent user experience, and includes a Travel Mode feature that removes selected vaults from your device when crossing borders โ a legitimate security feature for high-risk travelers. KeePass stores your database locally with no cloud sync by default, which means no third-party server ever holds your encrypted vault. It requires more technical comfort but provides maximum control.
The objection "but what if the password manager gets breached?" is real but misweighted. Password manager breaches have happened — LastPass suffered a significant one in 2022 that exposed encrypted vaults. However, encrypted vaults with strong master passwords and proper key derivation remain practically inaccessible to attackers even after a breach. The alternative — reusing passwords across 50 accounts — guarantees that a single breach of any one of those 50 services compromises all of them. One potential risk of a correctly implemented encrypted vault is categorically smaller than the certain risk of credential reuse at scale.
Two-Factor Authentication: Your Safety Net
Two-factor authentication means that compromising your password alone is not enough to access your account — the attacker also needs a second factor that only you possess. Even if your password appears verbatim in a breach database, a correctly configured second factor stops the account takeover.
The four types of 2FA, ranked by actual security:
- Hardware security key: Phishing-resistant physical devices like YubiKey or Google Titan for email, banking, and work systems.
- Authenticator app: Time-based codes from Google Authenticator, Authy, or Microsoft Authenticator. Much stronger than SMS.
- SMS code: Better than no 2FA, but vulnerable to SIM swapping. Use it only when stronger options are unavailable.
Hardware security keys — physical devices like YubiKey or Google Titan that plug into USB or tap via NFC — are the gold standard. They are phishing-proof by cryptographic design: the key performs a challenge-response authentication tied to the specific domain, so a fake login page cannot capture a valid response. Phishing attacks that successfully steal authenticator app codes cannot steal hardware key authentication. For high-value accounts — email, banking, work systems — a hardware key is worth the $50 price.
Authenticator apps — Google Authenticator, Authy, Microsoft Authenticator — generate time-based one-time codes that expire every 30 seconds. They are significantly stronger than SMS and widely supported. Their weakness is that sophisticated phishing attacks can intercept codes in real time using reverse proxy tools like Evilginx, which sits between you and the legitimate site. This attack is not trivial to execute and requires a targeted effort, but it exists.
SMS codes are better than no 2FA but have a documented vulnerability: SIM swapping, where an attacker convinces your mobile carrier to transfer your number to a SIM they control, redirecting all SMS codes. This attack has been used successfully against crypto holders, celebrities, and executives. For accounts that only offer SMS as a second factor, use it — the protection is still meaningful — but migrate to an authenticator app when the option exists.
Recovery codes are an often-ignored component of 2FA setup. Every service generates a set of one-time recovery codes when you enable 2FA. These codes are your only way back into your account if you lose access to your 2FA device. Print them. Store them somewhere physically secure — not in your email, not in a notes app on your phone. People lose access to accounts permanently every day because they did not save their recovery codes. The setup screen for 2FA shows you these codes exactly once.
Enable 2FA on these accounts before any others: your email account is the master key to everything else — password resets for every service flow through it, which makes it the single highest-value target. Banking and financial accounts are second. Work accounts with access to company systems are third. Social media accounts follow, both for their own value and because they often authenticate into other services.
What to Do Right Now (5-Minute Security Upgrade)
These five steps, completed today, address the majority of the actual threat surface for most people.
- Check your breach exposure: Go to haveibeenpwned.com and enter your email address. Troy Hunt, a respected security researcher, maintains this database using data from verified breaches. If your email appears — and statistically it probably does — the site shows you which services were compromised and approximately when. Any password used on a breached service should be treated as fully compromised, regardless of how strong it was.
- Change any exposed passwords immediately: Prioritize email, banking, and any account you use for work. Make the new passwords unique to each service — even a random string you generate right now is sufficient as a placeholder until you set up a password manager.
- Install Bitwarden today: It is free, takes ten minutes to set up, and works on every device and browser. Create your account with a 6-word Diceware passphrase as the master password. As you log into sites over the next week, save each credential to the manager and let it generate a new, unique, random password for each one. You do not need to update everything at once — migrating incrementally over two weeks is fine.
- Enable 2FA on your email account right now: This single action provides more security improvement than any other change you can make in the next five minutes. Open your email account settings, find Security or Two-Step Verification, and enable an authenticator app. Save the recovery codes to a physical document.
- Test and generate passwords locally: Any password you type into a website that sends it to a server — even to "test its strength" — has potentially been logged. Tooliest's Password Security Suite runs entirely in your browser, meaning your password never leaves your device. Use it to generate strong random passwords and to audit existing ones without exposure risk.
The practical stack is simple: a password manager, a strong unique master password, and 2FA on your email account close the vulnerabilities that account for the overwhelming majority of account takeovers.
The threat is real, the attacks are automated, and the defenses are not complicated. None of these changes take more than an hour to implement, and every day you delay is another day of unnecessary exposure.
About the Author
Anurag is the founder of Tooliest and reviews the site's browser tools, AI-assisted workflows, and editorial guides with a focus on privacy, practical clarity, and real-world usefulness.
Frequently Asked Questions
Are passphrases safer than random passwords?
For password-manager-stored accounts, long random passwords are usually stronger. Passphrases can still be good for passwords you must type often, as long as they are long, unique, and not based on obvious phrases.
Why is password reuse so dangerous?
Because a breach on one site can unlock other accounts immediately. Attackers often try known email-and-password pairs across many services before they bother cracking anything.
Do symbols matter less than length?
Symbols still help, but length and unpredictability usually matter more than forced complexity. A long unique password is often safer than a short one that only looks complicated.
Should I use a password generator?
Yes, especially when you have a password manager. Generators reduce predictability and make it much easier to keep every account unique.