How to Create Strong Passwords — Understanding Strength and Best Practices

The Current State of Password Security

As online services continue to multiply, passwords remain the front line of account protection. However, many users still rely on short, easily guessable passwords and reuse them across multiple services.

Analysis of password databases leaked in data breaches reveals that the top entries are consistently weak choices like "123456," "password," and "qwerty." Attackers are well aware of these tendencies and try the most common passwords first.

Common Attack Methods

Understanding the main attack methods used to crack passwords is the first step toward effective defense.

Brute Force Attack

This method systematically tries every possible combination of characters. The shorter the password, the dramatically shorter the time needed to crack it.

Password Length	Lowercase Only	Upper + Lower + Numbers + Symbols
4 characters	Seconds	Minutes
8 characters	Hours	Years
12 characters	Thousands of years	Millions of years
16 characters	Astronomical	Virtually impossible

As this table shows, password length is the most important defensive factor.

Dictionary Attack

This method uses word lists containing common dictionary words and frequently used passwords. Common English words like "sunshine," "welcome," and "dragon" can be cracked in seconds.

Note that romanized words from other languages (like "sakura," "tokyo," or "bonjour") are also included in modern attack dictionaries.

Credential Stuffing

This technique automatically tries email-password combinations leaked from previous data breaches against other services. Password reuse is the primary factor that makes this attack successful.

Rather than a technical attack, this approach exploits human psychological vulnerabilities to obtain passwords. It includes phishing emails, fake login pages, and phone-based social engineering.

Entropy and Password Strength

"Entropy" is a quantitative metric for evaluating password strength. Measured in bits, a higher value means the password is harder to predict.

Calculating Entropy

Entropy is calculated using the following formula:

Entropy = log2(character set size ^ password length)
        = password length × log2(character set size)

The entropy per character for each character set is:

Character Set	Count	Entropy per Character
Digits only	10	3.32 bits
Lowercase only	26	4.70 bits
Upper + lowercase	52	5.70 bits
Upper + lower + digits	62	5.95 bits
Upper + lower + digits + symbols	94	6.55 bits

For example, a 12-character password using upper/lowercase letters and digits has an entropy of 12 × 5.95 = 71.4 bits, which is considered strong. Generally, 60 bits or more is recommended, and 80 bits or more is considered very strong.

Balancing Length and Complexity

The same entropy can be achieved either by using complex character sets in a shorter password or by using simpler character sets in a longer one.

8 chars (upper + lower + digits + symbols): 8 × 6.55 = 52.4 bits
16 chars (lowercase only):                 16 × 4.70 = 75.2 bits

This example demonstrates that a 16-character lowercase-only password has higher entropy than a complex 8-character password with symbols. A long, memorable password is actually more secure than a short, complex one.

Practical Password Strategies

Use Passphrases

A "passphrase" combining four or more random words achieves both high entropy and memorability.

Example: correct-horse-battery-staple
Length: 31 characters
Advantage: Easy to remember, resistant to brute force

However, avoid using well-known phrases, song lyrics, or proverbs directly, as they may be included in attacker phrase dictionaries.

Adopt a Password Manager

Setting unique, strong passwords for every service and remembering them all is not realistic. A password manager provides the following benefits:

Generates unique random passwords for each service
Stores them securely in an encrypted database
Auto-fill prevents accidental entry on phishing sites
You only need to remember one master password

Popular password managers include 1Password, Bitwarden, and KeePass.

Enable Two-Factor Authentication (2FA)

Rather than relying on passwords alone, combining them with two-factor authentication significantly strengthens security.

Method	Security	Convenience
SMS verification	Moderate	High
Authenticator app (TOTP)	High	Moderate
Hardware key (FIDO2)	Very high	Somewhat low
Passkey	Very high	High

SMS verification carries the risk of SIM swap attacks, so authenticator apps or hardware keys are recommended when possible.

What to Avoid

Here are practices to avoid in password management:

Reusing passwords: If one service is compromised, all other accounts using the same password are at risk
Using personal information: Birthdays, phone numbers, and pet names are easy to guess
Simple patterns: Keyboard patterns (qwerty), sequences (123456), repetitions (aaaaaa)
Leaving written notes: Writing passwords on sticky notes attached to your monitor is unacceptable
Sharing: Never share your passwords with others (separate accounts are recommended even for family members)

Is Regular Password Rotation Necessary?

The idea that passwords should be changed regularly was once mainstream, but NIST (National Institute of Standards and Technology) and many other security organizations no longer recommend routine password changes.

The reason is clear: when forced to change passwords regularly, users tend to set weaker, more memorable passwords or make trivial changes like incrementing a number at the end.

Password changes should only be necessary in cases such as:

When you receive a data breach notification from a service
When there are signs of unauthorized access
When someone may have learned your password

Conclusion

The fundamentals of secure passwords come down to three things: length, uniqueness, and management. Set random passwords of 12 or more characters for each service, manage them with a password manager, and enable two-factor authentication wherever possible. Implementing these three measures alone will significantly reduce your password-related risks.

The Current State of Password Security

Common Attack Methods

Understanding the main attack methods used to crack passwords is the first step toward effective defense.

Brute Force Attack

This method systematically tries every possible combination of characters. The shorter the password, the dramatically shorter the time needed to crack it.

Password Length	Lowercase Only	Upper + Lower + Numbers + Symbols
4 characters	Seconds	Minutes
8 characters	Hours	Years
12 characters	Thousands of years	Millions of years
16 characters	Astronomical	Virtually impossible

As this table shows, password length is the most important defensive factor.

Dictionary Attack

This method uses word lists containing common dictionary words and frequently used passwords. Common English words like "sunshine," "welcome," and "dragon" can be cracked in seconds.

Note that romanized words from other languages (like "sakura," "tokyo," or "bonjour") are also included in modern attack dictionaries.

Credential Stuffing

This technique automatically tries email-password combinations leaked from previous data breaches against other services. Password reuse is the primary factor that makes this attack successful.

Rather than a technical attack, this approach exploits human psychological vulnerabilities to obtain passwords. It includes phishing emails, fake login pages, and phone-based social engineering.

Entropy and Password Strength

"Entropy" is a quantitative metric for evaluating password strength. Measured in bits, a higher value means the password is harder to predict.

Calculating Entropy

Entropy is calculated using the following formula:

Entropy = log2(character set size ^ password length)
        = password length × log2(character set size)

The entropy per character for each character set is:

Character Set	Count	Entropy per Character
Digits only	10	3.32 bits
Lowercase only	26	4.70 bits
Upper + lowercase	52	5.70 bits
Upper + lower + digits	62	5.95 bits
Upper + lower + digits + symbols	94	6.55 bits

Balancing Length and Complexity

The same entropy can be achieved either by using complex character sets in a shorter password or by using simpler character sets in a longer one.

8 chars (upper + lower + digits + symbols): 8 × 6.55 = 52.4 bits
16 chars (lowercase only):                 16 × 4.70 = 75.2 bits

Practical Password Strategies

Use Passphrases

A "passphrase" combining four or more random words achieves both high entropy and memorability.

Example: correct-horse-battery-staple
Length: 31 characters
Advantage: Easy to remember, resistant to brute force

However, avoid using well-known phrases, song lyrics, or proverbs directly, as they may be included in attacker phrase dictionaries.

Adopt a Password Manager

Setting unique, strong passwords for every service and remembering them all is not realistic. A password manager provides the following benefits:

Generates unique random passwords for each service
Stores them securely in an encrypted database
Auto-fill prevents accidental entry on phishing sites
You only need to remember one master password

Popular password managers include 1Password, Bitwarden, and KeePass.

Enable Two-Factor Authentication (2FA)

Rather than relying on passwords alone, combining them with two-factor authentication significantly strengthens security.

Method	Security	Convenience
SMS verification	Moderate	High
Authenticator app (TOTP)	High	Moderate
Hardware key (FIDO2)	Very high	Somewhat low
Passkey	Very high	High

SMS verification carries the risk of SIM swap attacks, so authenticator apps or hardware keys are recommended when possible.

What to Avoid

Here are practices to avoid in password management:

Reusing passwords: If one service is compromised, all other accounts using the same password are at risk
Using personal information: Birthdays, phone numbers, and pet names are easy to guess
Simple patterns: Keyboard patterns (qwerty), sequences (123456), repetitions (aaaaaa)
Leaving written notes: Writing passwords on sticky notes attached to your monitor is unacceptable
Sharing: Never share your passwords with others (separate accounts are recommended even for family members)

Is Regular Password Rotation Necessary?

The reason is clear: when forced to change passwords regularly, users tend to set weaker, more memorable passwords or make trivial changes like incrementing a number at the end.

Password changes should only be necessary in cases such as:

When you receive a data breach notification from a service
When there are signs of unauthorized access
When someone may have learned your password

The Current State of Password Security

Common Attack Methods

Brute Force Attack

Dictionary Attack

Credential Stuffing

Social Engineering

Entropy and Password Strength

Calculating Entropy

Balancing Length and Complexity

Practical Password Strategies

Use Passphrases

Adopt a Password Manager

Enable Two-Factor Authentication (2FA)

What to Avoid

Is Regular Password Rotation Necessary?

Conclusion

The Current State of Password Security

Common Attack Methods

Brute Force Attack

Dictionary Attack

Credential Stuffing

Social Engineering

Entropy and Password Strength

Calculating Entropy

Balancing Length and Complexity

Practical Password Strategies

Use Passphrases

Adopt a Password Manager

Enable Two-Factor Authentication (2FA)

What to Avoid

Is Regular Password Rotation Necessary?

Conclusion