
How to Create a Strong Password: Length, Entropy and the Manager Solution

Learn how to create a strong password that actually resists attacks: why length beats complexity, what entropy means in practice, the diceware method, and why a password manager is the real answer.

By Eric Gerard · Editor · PwdFortress · 6 min read · Photo: FLY:D, Unsplash

The advice you've heard a hundred times — mix capitals, numbers, symbols — is not wrong, but it's the second-order factor. After testing 8 password managers and studying breach databases, the pattern is clear: most cracked passwords were short (under 14 characters) or reused, not because they lacked an exclamation mark.

Here is what actually makes a password strong, explained without jargon.

Length beats complexity. Uniqueness beats length. A password manager handles both automatically.

01 — Why Length Is the Real Variable

Password strength is measured in bits of entropy — the number of random choices that went into creating it. Each additional bit doubles the search space an attacker has to cover.

Concrete example:

Password                 Characters   Entropy    Time to crack at 10B guesses/sec
Summer24                 8            ~20 bits   Under 1 second
S@mmer2024!              11           ~35 bits   Minutes
correct-horse-stable     20           ~60 bits   36,000 years
Random 16-char (mixed)   16           ~95 bits   Heat death of the universe

The column that matters is the last one. S@mmer2024! looks complex and has exactly the complexity rules most sites require. But it falls in minutes because cracking tools apply those same rules systematically.

The rule of thumb: every 3 extra characters of a random password add ~20 bits of entropy. Going from 12 to 16 characters is the single most impactful change you can make.

02 — Entropy Explained Simply

Think of entropy as the number of possible passwords given how yours was built:

  • 6-character lowercase only (monkey): 26^6 = 308 million combinations. A GPU does that in seconds.
  • 8-character mixed case + digits (MyDog7Qs): 62^8 = 218 trillion combinations. Fast hardware: a few hours.
  • 16-character fully random (tK3#mRpQ$wLnXb8v): 95^16 = 4×10^31 combinations. Out of reach for any attacker.

Where most people go wrong: using a real word as a base. Attackers do not brute-force every character combination — they start with dictionaries of the 10 billion most common passwords, leaked credentials, names, and words, then apply mutation rules. P@ssw0rd! fails in under a second because it IS in those dictionaries.

Random = unpredictable. That is the only thing entropy actually measures.
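The arithmetic behind sections 01 and 02, as an added example that is not part of the original article: it computes the search space and entropy of a uniformly random password from its length and pool size, applies the same formula to a diceware passphrase (the "alphabet" is the wordlist), and converts entropy to a worst-case enumeration time at the 10 billion guesses/sec rate the table assumes. The pool sizes and the 7776-word list size are the ones the article uses; the time estimates it prints are computed exactly, so they differ slightly from the table's rounded figures.

```python
import math

GUESSES_PER_SECOND = 10**10  # the 10 billion guesses/sec rate assumed in the article's table

# Pool sizes from the article's examples (how many symbols each position is drawn from)
POOL_LOWERCASE = 26         # a-z
POOL_MIXED_ALNUM = 62       # a-z, A-Z, 0-9
POOL_PRINTABLE = 95         # printable ASCII, including space
EFF_LARGE_WORDLIST = 7776   # 6^5 words, one per five-dice roll


def search_space(length: int, pool_size: int) -> int:
    """Number of distinct passwords when every position is a uniform pick from the pool."""
    return pool_size ** length


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a uniformly random password: log2 of its search space."""
    return length * math.log2(pool_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int = EFF_LARGE_WORDLIST) -> float:
    """A diceware passphrase is a random string whose alphabet is the wordlist."""
    return entropy_bits(word_count, wordlist_size)


def worst_case_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to enumerate the whole space at `rate` guesses/sec. On average an attacker
    needs half of this, which does not change the order of magnitude."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    """Round a duration to its largest unit, e.g. '6 hours'."""
    if seconds < 1:
        return "under 1 second"
    for name, size in (("year", 365 * 24 * 3600), ("day", 86400),
                       ("hour", 3600), ("minute", 60), ("second", 1)):
        if seconds >= size:
            count = round(seconds / size)
            return f"{count:,} {name}{'' if count == 1 else 's'}"
    return "under 1 second"  # unreachable; keeps the return type uniform


def strength_row(label: str, length: int, pool_size: int) -> tuple:
    """One line of the comparison: (label, rounded bits, worst-case crack time)."""
    bits = entropy_bits(length, pool_size)
    return label, round(bits), human_time(worst_case_crack_seconds(bits))


if __name__ == "__main__":
    rows = [
        strength_row("6 lowercase letters (monkey)", 6, POOL_LOWERCASE),
        strength_row("8 mixed case + digits (MyDog7Qs)", 8, POOL_MIXED_ALNUM),
        strength_row("16 random printable characters", 16, POOL_PRINTABLE),
        strength_row("5 diceware words", 5, EFF_LARGE_WORDLIST),
        strength_row("6 diceware words", 6, EFF_LARGE_WORDLIST),
    ]
    for label, bits, duration in rows:
        print(f"{label:<36} {bits:>4} bits   {duration}")
```

Note that these figures only hold for passwords whose every position really was chosen uniformly at random; a human-chosen string of the same length and character mix is attacked with dictionaries and rules, not by enumerating the pool, so its effective entropy is far lower than this calculator reports.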

03 — The Diceware / Passphrase Method

If you need a password you can actually type and remember (your master password for a password manager, or your laptop login), a passphrase is the best option.

Method:

  1. Get a physical die (or use EFF's online diceware tool)
  2. Roll 5 times to generate a number like 25341
  3. Look up the word in the EFF Large Wordlist
  4. Repeat for 5–6 words
  5. Separate with hyphens or spaces

Result: something like cellar-invoke-mossy-fright-blanket-groan

  • 5 words: ~65 bits of entropy
  • 6 words: ~78 bits of entropy (equivalent to a 13-character fully random password)
  • Completely memorable
  • No pattern an attacker can exploit

Why it works: the words were chosen by true randomness (a physical die), not by your brain. Human choices are predictable — we pick words we know, things we like, dates that matter. A die does not.
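The five-step procedure above as runnable code, added here as an example and not taken from the article or from the EFF: the dice are replaced by the operating system's CSPRNG (Python's `secrets`), the wordlist is parsed from the EFF file format (one `NNNNN<tab>word` line per entry), and the entropy is computed from the list size. Because the real 7776-word file is not embedded, the block builds a constructed stand-in list of placeholder words with the same structure so it runs offline; the generator refuses any list that is not complete, since a short list would silently cut the entropy.

```python
import itertools
import math
import secrets

DICE_FACES = "123456"
WORDS_PER_LIST = len(DICE_FACES) ** 5  # 7776 entries in a five-dice list


def roll_five_dice() -> str:
    """Five fair rolls from the OS CSPRNG, as a key like '25341'. A physical die works the
    same way; what matters is that no human choice is involved."""
    return "".join(secrets.choice(DICE_FACES) for _ in range(5))


def parse_eff_wordlist(text: str) -> dict:
    """Parse the EFF wordlist file format: one 'NNNNN<whitespace>word' entry per line."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split(None, 1)
        if len(roll) != 5 or any(ch not in DICE_FACES for ch in roll):
            raise ValueError(f"bad dice key {roll!r}")
        table[roll] = word.strip()
    return table


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Each word is one uniform pick from the list: entropy = word_count * log2(list size)."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int, table: dict, separator: str = "-") -> str:
    """Roll, look up, repeat: the manual procedure, driven by secrets instead of a die."""
    if len(table) != WORDS_PER_LIST:
        raise ValueError(f"expected a complete {WORDS_PER_LIST}-word list, got {len(table)} entries")
    return separator.join(table[roll_five_dice()] for _ in range(word_count))


# Constructed stand-in list so the example runs offline: every possible roll mapped to a
# placeholder word. Feed the real eff_large_wordlist.txt to parse_eff_wordlist() instead.
STAND_IN_TEXT = "\n".join(
    f"{''.join(roll)}\tword{i:04d}"
    for i, roll in enumerate(itertools.product(DICE_FACES, repeat=5))
)

if __name__ == "__main__":
    words = parse_eff_wordlist(STAND_IN_TEXT)
    phrase = generate_passphrase(6, words)
    print(phrase)
    print(f"{passphrase_entropy_bits(6, len(words)):.1f} bits")
```

To use it for real, read `eff_large_wordlist.txt` into a string and pass it to `parse_eff_wordlist`; the entropy numbers (about 65 bits for 5 words, 78 for 6) come out the same as the article's because they depend only on the list size and the word count.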

04 — Common Mistakes That Undermine Strong Passwords

Understanding what makes a password weak is as important as knowing what makes one strong.

Predictable substitutions: p@ssword, 3mail, s3cur1ty — these character swaps have been in cracking rules for 15 years. They add almost nothing against modern tools.

Appended numbers and symbols: Password123!, Summer2024#. Cracking software appends numbers 1–9999 and all common symbols as a first pass. Takes seconds.

Personal information: birthdays, pets' names, sports teams, children's names. These are the basis for targeted attacks (spear-phishing) and are often already in data brokers' profiles.

Keyboard patterns: qwerty, 123456, asdfghjkl. Attacked first, every time.

Reuse across sites: this one is the silent killer. When any of the hundreds of sites you use gets breached (and breaches happen constantly — Have I Been Pwned lists 14 billion leaked credentials), attackers try those username/password pairs on every other major service automatically. One reused password = a single point of failure for your entire digital life.
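The four local mistakes above (substitutions, appended digits and symbols, dictionary words, keyboard patterns) expressed as checks, added here as an example rather than code from the article or from any cracking tool: it strips a trailing digit-and-symbol suffix the way a first mutation pass does, reverses the standard leet swaps, and then looks for a dictionary word or keyboard walk in what is left. The dictionary and keyboard-walk lists are tiny constructed samples; real cracking wordlists run to billions of entries, so an empty result here means only that none of these specific patterns was found, not that the password is strong. Reuse across sites cannot be detected from the password alone and is not covered.

```python
import re

# Constructed mini dictionary standing in for the billions of entries real cracking lists hold.
COMMON_WORDS = {"password", "summer", "monkey", "dragon", "letmein", "welcome",
                "football", "admin", "secret", "email", "security", "qwerty"}

# Constructed sample of keyboard walks; real rule sets carry thousands of them.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "123456", "1q2w3e", "qazwsx")

# The swaps from the article (p@ssword, 3mail, s3cur1ty) plus the other standard leet substitutions.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Up to four trailing digits followed by any run of common symbols: the "Password123!" shape.
APPENDED_SUFFIX = re.compile(r"[0-9]{0,4}[!@#$%^&*?.]*$")

MIN_LENGTH = 14  # the length below which the article found most cracked passwords


def contains_common_word(text: str) -> bool:
    """Coarse substring match against the constructed dictionary (input already lowercased)."""
    return any(word in text for word in COMMON_WORDS)


def strip_appended_suffix(password: str) -> str:
    """Remove the trailing digits/symbols a cracker appends in its first mutation pass."""
    return APPENDED_SUFFIX.sub("", password, count=1)


def undo_substitutions(text: str) -> str:
    """Reverse leet-speak swaps so that 'p@ssw0rd' is compared as 'password'."""
    return text.translate(LEET_MAP)


def check_password(password: str) -> list:
    """Return the weaknesses found; an empty list means none of these patterns apply."""
    findings = []
    core = strip_appended_suffix(password)
    if core != password:
        findings.append("appended digits/symbols")
    lowered = core.lower()
    base = undo_substitutions(lowered)
    if contains_common_word(base):
        findings.append("dictionary word")
        if base != lowered:
            findings.append("predictable substitutions")
    if any(walk in password.lower() for walk in KEYBOARD_WALKS):
        findings.append("keyboard pattern")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def is_weak(password: str) -> bool:
    """True when at least one known weakness pattern matched."""
    return bool(check_password(password))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2024#", "qwerty123", "s3cur1ty",
                      "tK3#mRpQ$wLnXb8v", "cellar-invoke-mossy-fright-blanket-groan"):
        print(f"{candidate:<42} {check_password(candidate) or 'no known weakness'}")
```

The order of operations matters: the suffix is stripped before substitutions are reversed, so `P@ssw0rd!` loses its `!`, then becomes `password`, and is caught by the dictionary check rather than slipping past it as a "symbol-containing" string.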

05 — Why a Password Manager Is the Real Answer

The goal of password security is to have a unique, random, long password for every single account. That is genuinely impossible to do in your head once you have 50+ accounts.

A password manager solves this entirely:

  1. Generator: creates a 20-character random password on demand (tK3#mRpQ$wLnXb8v) — you never see or think about it. You can also try one right now with our free password generator.

  2. Encrypted vault: stores everything behind AES-256 or XChaCha20 encryption, zero-knowledge model (the provider cannot see your passwords)
  3. Autofill: fills the right password on the right site — also protects against phishing (if the URL doesn't match, it won't fill)
  4. Breach alerts: monitors your emails against leaked credential databases, warns you when a site you use is compromised

You only need to memorize one password: your master password. Make it a 6-word diceware passphrase. Write it on paper and store it somewhere safe. That's it.
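Two of the manager behaviours listed above, the generator (item 1) and the fill-only-on-a-matching-site rule (item 3), as an added example; this is not Bitwarden's, Proton Pass's or NordPass's code, and the matching rule is a simplified host-equality check chosen for illustration, not a description of how any product decides. The generator draws every character from the OS CSPRNG via `secrets`; the autofill check refuses look-alike hosts and plaintext HTTP pages. The URLs are constructed.

```python
import secrets
import string
from urllib.parse import urlsplit

# 94 printable ASCII symbols (space excluded so the value survives copy/paste intact)
PRINTABLE_POOL = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, pool: str = PRINTABLE_POOL) -> str:
    """Draw every character from the OS CSPRNG via `secrets`. Never use the `random` module
    for this: its Mersenne Twister output is predictable from a few observed values."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(pool) for _ in range(length))


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Fill only when the page host is exactly the host the credential was saved for and the
    connection is HTTPS. Simplified host-equality rule, not any particular product's matcher."""
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    if saved.hostname is None or current.hostname is None:
        return False
    if current.scheme != "https":
        return False
    return saved.hostname.lower() == current.hostname.lower()


if __name__ == "__main__":
    print(generate_password())
    saved = "https://accounts.example.com/login"            # constructed vault entry
    for page in ("https://accounts.example.com/session",      # same host: fill
                 "https://accounts.example.com.evil.test/",   # look-alike host: do not fill
                 "http://accounts.example.com/login"):        # plaintext downgrade: do not fill
        print(f"{page:<45} fill={should_autofill(saved, page)}")
```

The phishing protection the article describes comes from the fact that the comparison is made by software on the exact host string, which a visually similar domain cannot satisfy, whereas a person reading the address bar routinely misses the difference.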


06 — Comparing the Best Options

Three managers worth considering at different price points:

Bitwarden (free or $10/year Premium)

  • Open source, code publicly audited by Cure53 and Insight Risk
  • Unlimited free plan across all devices — no asterisk
  • Strong choice for privacy-conscious or technical users
  • Self-hostable with Vaultwarden

Proton Pass (free or $1.99/month Pass Plus)

  • Open source clients, Swiss jurisdiction
  • Integrated with Proton ecosystem (Mail, VPN, Drive)
  • Good option if you already use Proton services

NordPass ($1.49/month on 2-year plan)

  • Modern polished UX with native biometrics
  • XChaCha20 + Argon2id encryption
  • Cure53 2022 + SOC 2 Type 2 audits published
  • Nord Security ecosystem (NordVPN, NordLocker)

All three generate strong random passwords and store them safely. The right choice depends on your existing ecosystem and how much you want to pay.

See our best password manager comparison 2026 for the full benchmark, and our detailed Bitwarden review for a deep technical look at Bitwarden's security model.


07 — Practical Action Plan

If you take nothing else from this guide:

  1. Today: Check haveibeenpwned.com with your main email. If any breach appears, change those passwords immediately. Use our password strength checker to evaluate your current passwords before replacing them.
  2. This week: Install Bitwarden (free). Import your saved passwords from your browser. It handles the migration automatically.
  3. Going forward: Every time you create an account or update a password, let the manager generate it. Never type something you invented yourself.
  4. Master password: Create a 6-word diceware passphrase. Store it on paper in a safe place. Do not store it digitally anywhere.

The password problem is a solved problem — password managers solved it. The only remaining step is to use one.

See our Proton Pass vs Bitwarden comparison if you're deciding between the two open source options.


PwdFortress may receive a commission on purchases made through links in this article. This does not affect our editorial recommendations — all managers mentioned were evaluated under the same protocol.
