Why most password advice fails
Most password advice tells you to mix upper and lower case letters, numbers, and symbols, and never to reuse passwords. The advice is technically correct but practically incomplete. It produces passwords like "Spring2024!" that satisfy every rule on the clipboard in your IT department and still fall to a dictionary attack in under a minute. The attacker simply takes a list of leaked passwords, applies a few hundred common mutations — capitalize the first letter, append a year, swap the letter o for the digit 0 — and runs through billions of guesses per second on a modest GPU rig.
The real metric that matters is entropy: a measure of how many guesses an attacker would need in the worst case. For a password chosen uniformly at random, entropy comes from only two things: length and the size of the character pool. A 16-character password drawn from all 94 printable ASCII characters has roughly 105 bits of entropy. A 12-character password with the same pool has about 78 bits. Those 4 extra characters add 27 bits, which is a factor of about 130 million in difficulty. None of the standard rules mention this. They tell you to add a symbol, which adds perhaps 2 bits if the symbol is predictable.
The length-over-complexity principle
A long password made of simple words is stronger than a short password full of symbols, and it is dramatically easier to type and remember. The "correct horse battery staple" comic from 2011 made the point visually, and the math behind it has held up for fourteen years. Four random words drawn from a list of 2,048 common English words produce about 44 bits of entropy. That is comparable to a short complex password, but a human can hold it in working memory after one or two repetitions.
The practical implication is to prioritize length first. Aim for at least 16 characters for important accounts, and prefer 20 or more for the master password that protects your password manager. If you need a password you can type on a phone keyboard, use four or five unrelated lowercase words rather than three words decorated with punctuation. The punctuation buys you almost nothing once an attacker knows you used it, and the typing cost is real.
Entropy math, in real numbers
To plan seriously you need rough numbers. A modern offline attack against a fast hash like MD5 or unsalted SHA-1 can test somewhere between 10 billion and 100 billion guesses per second on consumer hardware. Against a deliberately slow hash like bcrypt with a cost factor of 12, the rate drops to a few thousand guesses per second on the same hardware. The hash function matters more than your password does — but you do not control the hash function, so you control length instead.
A 40-bit password (the four-word passphrase) survives an offline attack against a fast hash for minutes to hours, and against bcrypt for centuries. A 60-bit password survives a fast-hash offline attack for years. An 80-bit password is effectively uncrackable offline with current hardware. A 100-bit password is uncrackable with any realistic hardware projection for the next several decades. Aim for 70 bits or more for accounts that matter: that is roughly four random words plus one symbol and a number, or five random words alone.
The pass-phrase strategy that actually works
The strategy that survives both attackers and your own memory is the Diceware approach: pick words uniformly at random from a fixed list, using a source of randomness you trust. The Electronic Frontier Foundation published three wordlists in 2016 specifically for this purpose, ranging from 7,776 short words to a longer list of more memorable terms. Rolling five dice gives you a five-digit index into the list, and repeating the process four or five times gives you a passphrase with known entropy.
The reason this works where human-chosen "random" words fail is that humans are catastrophically bad at picking random words. Ask someone for a random noun and you will get "apple" or "computer" far more often than "anvil" or "rhubarb". Attackers know this and weight their dictionaries accordingly. A wordlist with a mechanical selection process removes that bias. The result is a password that is simultaneously stronger than "Tr0ub4dor&3" and easier to remember than the nine-character monster your bank insists on.
For accounts where typing is frequent, shorten the strategy to three words plus a separator and a number, accepting the lower entropy in exchange for convenience. For accounts where you almost never type the password because your manager fills it, go long: six or seven words, no punctuation needed.
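The Diceware selection described above, as an added example that is not EFF's code or part of the original article. It maps dice rolls to a list index the way the EFF lists are meant to be used (five dice for the 7,776-word list), draws the rolls from the operating system's CSPRNG via the `secrets` module, and computes the resulting entropy from the list size. The 36-word list embedded here is a constructed stand-in indexed by two dice so the example runs offline; with the real list you would pass it in with `dice_per_word=5`.

```python
import math
import secrets

# Constructed 36-word stand-in for a Diceware list, indexed by two dice (11 .. 66).
# The real EFF long list has 7,776 entries indexed by five dice (11111 .. 66666).
SAMPLE_WORDLIST = [
    "acorn", "anvil", "badge", "bamboo", "canyon", "cedar", "copper", "dahlia",
    "ember", "falcon", "fossil", "garnet", "glacier", "harbor", "hazel", "iris",
    "jasper", "kestrel", "lantern", "lichen", "marble", "meadow", "nectar", "orchid",
    "pebble", "quartz", "raven", "rhubarb", "sable", "saffron", "thistle", "tundra",
    "velvet", "walnut", "yarrow", "zephyr",
]


def dice_to_index(rolls) -> int:
    """Convert dice rolls (each 1..6, most significant first) to a zero-based list index."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("each roll must be 1..6")
        index = index * 6 + (r - 1)
    return index


def roll_dice(n: int) -> list:
    """Roll n dice using the OS CSPRNG; never use random.random() for passwords."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def lookup_by_dice(rolls, wordlist) -> str:
    """Look up the word for a set of rolls; the list must have exactly 6**len(rolls) entries."""
    if len(wordlist) != 6 ** len(rolls):
        raise ValueError("wordlist size does not match the number of dice")
    return wordlist[dice_to_index(rolls)]


def generate_passphrase(words: int, wordlist=SAMPLE_WORDLIST, dice_per_word: int = 2,
                        separator: str = " "):
    """Return (passphrase, entropy_bits) for `words` uniformly chosen words."""
    chosen = [lookup_by_dice(roll_dice(dice_per_word), wordlist) for _ in range(words)]
    bits = words * math.log2(len(wordlist))
    return separator.join(chosen), bits


if __name__ == "__main__":
    phrase, bits = generate_passphrase(4)
    print(f"{phrase!r}: {bits:.1f} bits from a {len(SAMPLE_WORDLIST)}-word list")
```

Because every word is selected by the same mechanical process, the entropy is exactly `words * log2(list size)` regardless of which words come out; that is the property human-chosen words lack.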
Common mistakes that destroy strength
The first mistake is substituting characters in predictable ways. Replacing the letter o with the digit 0 and the letter e with the digit 3 is so common that every password cracker applies these substitutions automatically before trying the unmodified word. Adding a year to the end of a word is equally predictable. Adding an exclamation mark because the form requires a symbol adds essentially zero entropy, because attackers try the exclamation mark first.
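A defender-side strength check that undoes the predictable decorations this paragraph lists, as an added example that is not part of the original article. It strips a trailing required symbol, an appended year or short number, reverses the usual letter-for-digit swaps, and then asks whether what is left is a common base word. The word set and the regular expressions are my own constructed approximations; a real policy check would use a large breached-password list in place of the eight words here.

```python
import re
from typing import Optional

# Constructed stand-in for a breached-password or dictionary list.
COMMON_BASE_WORDS = {
    "password", "spring", "summer", "fall", "winter", "welcome", "letmein", "troubador",
}

# Predictable substitutions that crackers reverse automatically (digit/symbol -> letter).
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

TRAILING_SYMBOLS = re.compile(r"[!?.*#&$@%^_\-+=]+$")
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")
DIGIT_SUFFIX = re.compile(r"\d{1,3}$")


def normalize_candidate(pw: str) -> str:
    """Peel off the decorations in the order people add them: symbol, year/number, leet, case."""
    s = pw.strip()
    s = TRAILING_SYMBOLS.sub("", s)   # "Spring2024!"  -> "Spring2024"
    s = YEAR_SUFFIX.sub("", s)        # "Spring2024"   -> "Spring"
    s = TRAILING_SYMBOLS.sub("", s)   # "Winter!2023"  -> "Winter!" -> "Winter"
    s = DIGIT_SUFFIX.sub("", s)       # "Password123"  -> "Password"
    s = TRAILING_SYMBOLS.sub("", s)   # "Tr0ub4dor&3"  -> "Tr0ub4dor&" -> "Tr0ub4dor"
    s = s.translate(LEET_MAP)         # "Tr0ub4dor"    -> "Troubador"
    return s.lower()


def predictable_base(pw: str) -> Optional[str]:
    """Return the common base word a cracker would reach, or None if none is found."""
    base = normalize_candidate(pw)
    return base if base in COMMON_BASE_WORDS else None


def is_predictable(pw: str) -> bool:
    return predictable_base(pw) is not None


if __name__ == "__main__":
    for candidate in ["Spring2024!", "Tr0ub4dor&3", "P@ssw0rd", "anvil rhubarb copper lantern"]:
        print(f"{candidate!r:34s} -> base word: {predictable_base(candidate)}")
```

The point is not that this checker is exhaustive but that the work it does is cheap: a cracker applies the same handful of reversals to every dictionary entry, so the decorations contribute almost nothing to the search space.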
The second mistake is reusing passwords across accounts. Once one site you used is breached — and most people have been in several breaches already — the attacker tries the same password on email providers, banks, and social media. Unique passwords per site are non-negotiable for any account you care about.
The third mistake is trusting security questions with truthful answers. Your mother's maiden name and the city you were born in are public record. Treat security questions as additional passwords: generate random strings, store them in your manager, and lie on every form. The fourth mistake is changing passwords on a schedule. Forced rotation produces worse passwords, not better ones, because users cycle through "Spring2024", "Summer2024", "Fall2024". Change a password when you have reason to suspect compromise, not because the calendar says so.
Multi-factor authentication: the second layer
A strong password is necessary but no longer sufficient. Multi-factor authentication (MFA) adds a second proof that you are who you say you are, and it defeats the most common attack: an attacker who has your password from a breach but does not have your second factor. Google reported in 2019 that enabling any form of MFA on an account blocked 100 percent of automated bot takeovers and 99 percent of bulk phishing attacks. The numbers are similar across every major provider that has published them.
The four factors are: something you know (a password), something you have (a phone, a hardware key), something you are (a fingerprint, a face), and somewhere you are (a trusted location). The strongest MFA combines two of these. A password plus a code from an authenticator app is the most common pairing and is dramatically better than a password alone. A password plus a hardware security key (FIDO2 / WebAuthn) is stronger still, because the key is bound to the specific website it is authenticating to, which makes phishing impossible.
Avoid SMS-based authentication where alternatives exist. SMS is sent over the SS7 telephony protocol, which has known interception vulnerabilities, and SIM swap attacks — where an attacker convinces your mobile carrier to port your number to a new SIM — let an attacker receive your codes without your phone. TOTP apps (Google Authenticator, Authy, Aegis, 1Password's built-in TOTP) generate the same codes without the SMS vulnerability. Hardware keys are the gold standard. Whatever you choose, save the recovery codes the service gives you when you set up MFA; if you lose your second factor, those codes are your only way back in.
Storing passwords without reusing them
You cannot remember 100 unique strong passwords. Nobody can. The honest answer is a password manager: software that generates a long random password for every site, encrypts them all with one master password you do remember, and syncs the encrypted vault across your devices. The master password is the only one you need to type, and it should be a long passphrase rather than a short complex string.
If you refuse to use a manager, write your passwords down on paper and keep the paper somewhere physically secure. A notebook in your desk drawer is dramatically safer than reusing one password across fifty sites. The threat model for most people is remote attackers, not someone breaking into their house to read a notebook. For the few accounts that matter most — your primary email and your bank — consider hardware security keys (FIDO2 / WebAuthn) as a second factor, which defeats phishing entirely because the key will only sign in to the legitimate domain.
The other half of password hygiene is checking whether your passwords have already been leaked. The website Have I Been Pwned, run by security researcher Troy Hunt, indexes billions of breached credentials and lets you check whether yours appear in any known breach. If a password is in that database, treat it as burned and replace it everywhere you used it. No amount of complexity rescues a password that an attacker already has on a list.