What Makes a Strong Password? Length, Complexity, and Best Practices

← Back to Blog

Despite decades of security advice, the most commonly used passwords in the world are still 123456, password, and qwerty. Meanwhile, many people who try to create "strong" passwords end up with predictable patterns like P@ssw0rd123 that give a false sense of security. Let us examine what actually makes a password strong and how to create one that would take centuries to crack.

Why "P@ssw0rd123" Is Terrible

On the surface, P@ssw0rd123 looks decent: it has uppercase, lowercase, a number, a symbol, and it is 11 characters long. But it is based on a dictionary word with predictable substitutions that every password cracking tool already knows about:

a → @ (the most common substitution)
o → 0 (the second most common)
Appending 123 (the most common numeric suffix)

Password cracking tools like Hashcat and John the Ripper include rules that automatically apply thousands of these substitutions and patterns. A password like P@ssw0rd123 can be cracked in seconds, not years.

Common patterns that crackers test first: Dictionary words with letter-to-symbol swaps, words followed by 1-4 digits, capitalized first letter, "!" or "1" appended at the end, keyboard patterns (qwerty, 123456, zxcvbn), and repeated characters.

Length vs. Complexity: Why Length Wins

There is a common misconception that complexity (mixing symbols, numbers, uppercase) matters more than length. In reality, length is far more important. Here is why:

The time to brute-force a password grows exponentially with each additional character. A password using only lowercase letters (26 possible characters per position) becomes dramatically harder to crack with each additional character:

8 characters (lowercase only): ~209 billion combinations
12 characters (lowercase only): ~95 quadrillion combinations
16 characters (lowercase only): ~43 sextillion combinations

Each additional character multiplies difficulty by 26x

Adding complexity (uppercase, numbers, symbols) increases the character set from 26 to roughly 95 printable characters. This helps, but not as much as adding length. A 16-character lowercase password is stronger than an 8-character password with full complexity.

The math: An 8-character password using all 95 printable characters has 95^8 = 6.6 quadrillion combinations. A 16-character lowercase-only password has 26^16 = 43.6 sextillion combinations. The longer password is over 6,000 times harder to crack, despite being "less complex."

The Recommended Minimum: 16+ Characters

Security experts in 2026 recommend a minimum of 16 characters for passwords that protect important accounts. For your master password (which protects all other passwords), 20+ characters is ideal. Here is a general guide:

8 characters — Minimum for low-value accounts. Can be cracked in hours to days with modern hardware.
12 characters — Reasonable for most online accounts when combined with complexity.
16 characters — Strong. Would take centuries to brute-force with current technology.
20+ characters — Excellent. Recommended for master passwords and high-value accounts.

Mix of Character Types

While length is the primary factor, using a mix of character types increases the search space that an attacker must cover:

Lowercase letters (a-z) — 26 characters
Uppercase letters (A-Z) — 26 characters
Numbers (0-9) — 10 characters
Symbols (!@#$%^&*) — ~33 characters

Using all four types gives you a character set of ~95 possibilities per position. Combined with 16+ characters of length, this creates passwords that are computationally infeasible to crack through brute force.

Passphrases: The Best Approach for Memorized Passwords

For passwords you need to remember (like your master password), passphrases are the gold standard. A passphrase is a sequence of 4 or more random words strung together:

"correct horse battery staple" — 28 characters, easy to remember
"umbrella glacier notebook volcano" — 34 characters, very strong
"midnight7 crystal & penguin forest" — with numbers/symbols, even stronger

The key is that the words must be truly random, not a meaningful phrase. "I love my dog Max" is a terrible passphrase because it follows natural language patterns. Use a random word generator (like Diceware) to select words from a large dictionary.

A 4-word passphrase chosen from a 7,776-word list (standard Diceware) provides approximately 51 bits of entropy. A 5-word passphrase provides about 64 bits. Adding a random number or symbol between words pushes this even higher.

How to create a strong passphrase: Pick 4-5 random words (use Diceware or a random generator, NOT words you choose yourself). Add a number or symbol somewhere in the middle. The result is long, strong, and memorable: marble9Telescope&canyon

What to Avoid

Certain types of passwords are weak regardless of length or apparent complexity:

Dictionary words — Single words, even with substitutions, are trivially cracked. "Sunshine" and "$unsh1ne" are both weak.
Personal information — Names, birthdays, pet names, addresses. These are easily found on social media and are the first things attackers try.
Keyboard patterns — qwerty, asdfgh, 123456, zxcvbn. Every cracking tool tests these immediately.
Common passwords — password, letmein, welcome, admin. Published lists of the top 10,000 passwords are tested first in any attack.
Repeated characters — aaaaaa, 111111, abcabc. Zero entropy.
Sequences — abcdef, 123456, fedcba. Trivially predictable.
Previous passwords with minor changes — Incrementing a number (MyPass1 to MyPass2) is one of the first mutations attackers test.

Password Strength Estimation

A good password strength meter does not just count character types. It analyzes patterns, checks against known breached passwords, and estimates the actual time to crack. Key factors include:

Entropy — The mathematical measure of randomness. Higher entropy means harder to crack.
Pattern detection — Identifying dictionary words, keyboard sequences, dates, and common substitutions.
Breach database checks — Verifying the password has not already appeared in known data breaches.

Do not trust simple strength meters. Many website password meters only check length and character types. A meter that says P@ssw0rd1! is "strong" is misleading. Use a password manager's built-in strength estimation, which considers real-world cracking patterns.

How the UnveilPass Generator Creates Strong Passwords

The UnveilPass password generator creates cryptographically random passwords using your browser's built-in random number generator (Web Crypto API). You control the length and character types. Every generated password is unique and has no connection to your personal information, dictionary words, or patterns.

For accounts where you do not need to remember the password (which is most of them, since the password manager remembers for you), a 16-20 character generated password with all character types is ideal. For your master password, use a passphrase instead.

Use the UnveilPass Password Generator

Generate strong, random passwords instantly. Stored in your zero-knowledge encrypted vault. Never reuse a weak password again.

Get Started Free

The Bottom Line

A strong password is long, random, and unique to each account. Length matters more than complexity. Passphrases are the best approach for passwords you need to remember. For everything else, use a password generator. And never, ever reuse a password across sites — no matter how strong it is.