How to Create Strong Passwords · What Actually Gets Cracked in 2026
Password strength is a math problem: entropy and length beat every complexity rule. How offline cracking really works, why passphrases and managers win, and what site owners should enforce per NIST.
By Daniel A · Kraftwire Software
· 7 min read
Key Takeaway
Password strength is a math problem, not a creativity problem · what matters is how many guesses an attacker needs, and length beats clever substitutions every time. The practical answer for almost everyone is a password manager filled with long random strings from a password generator, guarded by one memorized passphrase and MFA. If you want to see the math on your own passwords, the password strength checker shows you where you actually stand.
Entropy Beats Complexity Rules
P@ssw0rd1! satisfies every complexity rule ever written · uppercase, lowercase, digit, symbol · and it falls in the first seconds of any real attack, because it is a dictionary word with the most predictable substitutions in existence. Complexity rules measure the wrong thing. What matters is entropy: the size of the space an attacker has to search.
Entropy is measured in bits, and every added bit doubles the work. A password drawn character by character from a truly random source gets about 4.7 bits per lowercase letter, about 6 bits per character from the full mixed set with digits, and around 6.5 bits when symbols join in. The catch is the word "random". A human-chosen password does not get those numbers, because humans pick words, names, dates, and keyboard walks · patterns an attacker searches first. Summer2026! is not eleven random characters. It is one dictionary word, one plausible year, and the single most popular final character on the internet.
How Cracking Actually Works
Almost nobody guesses passwords by typing them into your login form. Rate limits and lockouts make that slow, and defenders notice. Real cracking happens offline, and it works like this:
- A service gets breached and its database of password hashes leaks.
- Attackers load the hashes into GPU rigs that can compute billions of guesses per second against fast hashes like MD5 or SHA-1, and still huge numbers against anything not deliberately slowed down.
- The rig does not iterate blindly. It starts with lists of passwords from previous breaches, then runs dictionaries through mangling rules · capitalize the first letter, append digits, swap a for @, add an exclamation mark at the end.
- Every password recovered gets tried against other sites, because reuse is the norm · this is credential stuffing, and it is why a breach at a forum you forgot about threatens your email.
Read the third step again. The mangling rules are a precise catalog of how humans satisfy complexity requirements: the capital goes first, the digits and the symbol go last. Complexity rules did not make passwords stronger · they made them predictable in a new way.
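The four steps above, as an added Python example that is not part of the original article: a toy offline cracker that runs a small dictionary through exactly those mangling rules against a table of unsalted MD5 hashes. The leaked table and the wordlist are constructed for the demo (no real breach data), and the rule set is a hand-picked subset of what a real rig would use. P@ssw0rd1! and Summer2026! fall within a few hundred guesses; the 16 random lowercase letters are never reached.

```python
import hashlib

# Constructed sample of a leaked credential table: username -> unsalted MD5 hex digest,
# the kind of fast, unsalted hash the article warns against. Not real breach data.
LEAKED = {
    "alice": hashlib.md5(b"P@ssw0rd1!").hexdigest(),
    "bob":   hashlib.md5(b"Summer2026!").hexdigest(),
    "carol": hashlib.md5(b"xq7vmktrzpbdnhws").hexdigest(),  # 16 random lowercase letters
}

# Tiny stand-in for a breach-derived wordlist such as rockyou (constructed).
WORDLIST = ["password", "summer", "welcome", "dragon", "monkey", "letmein", "football"]

# The mangling rules: each one is a way humans satisfy a complexity requirement.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
YEARS = [str(y) for y in range(1990, 2031)]
SUFFIXES = ["", "1", "12", "123", "!", "1!", "!1"] + YEARS + [y + "!" for y in YEARS]


def mangle(word):
    """Yield candidate passwords derived from one dictionary word, cheapest first:
    capitalisation variants, leet substitutions, then the popular suffixes."""
    full_leet = "".join(LEET.get(c, c) for c in word)
    partial_leet = word.replace("a", "@").replace("o", "0")   # the two most common swaps
    bases = [word, word.capitalize(), word.upper(),
             full_leet, full_leet[:1].upper() + full_leet[1:],
             partial_leet, partial_leet.capitalize()]
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:          # rules often collide; skip duplicates
                seen.add(candidate)
                yield candidate


def crack(leaked, wordlist, algo="md5"):
    """Offline dictionary-plus-rules attack against a table of fast hashes.
    Returns ({username: (password, guess_number)}, total_guesses)."""
    targets = {digest: user for user, digest in leaked.items()}
    recovered, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = hashlib.new(algo, candidate.encode()).hexdigest()
            if digest in targets:
                recovered[targets.pop(digest)] = (candidate, guesses)
    return recovered, guesses


if __name__ == "__main__":
    found, total = crack(LEAKED, WORDLIST)
    for user, (pw, n) in found.items():
        print(f"{user}: {pw!r} recovered on guess {n}")
    missing = sorted(set(LEAKED) - set(found))
    print(f"{total} guesses in total; not recovered: {missing}")
```

The attack never touches a login form and never needs the full keyspace: a few thousand hashes, computed in milliseconds, recover every human-chosen password in the table. A real rig does the same thing with a wordlist of hundreds of millions of entries and thousands of rules, which is why the ordering of the queue matters more than the size of the charset.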
Why Length Wins
The search space grows exponentially with length but only polynomially with charset size: a password of length L over an alphabet of N symbols has N^L possibilities, so every added character multiplies the work by N, while an added character class only nudges N upward. Going from 8 random characters to 16 random characters does not double the work · it squares it. That is why every serious guideline has shifted from "require symbols" to "allow and encourage length". Sixteen random lowercase letters (about 75 bits) outclass eight characters of forced complexity (about 52 bits) by a huge margin, and they are easier to type on a phone.
There is a second, quieter reason length wins: it survives the slow-hash economics. Sites that hash with bcrypt, scrypt, or Argon2 make each guess expensive. An attacker who can only try thousands of guesses per second instead of billions will still recover P@ssw0rd1!, because it sits near the front of the queue · but a long random string moves from "expensive" to "not before the heat death of the universe".
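To put numbers on the entropy figures, the squaring effect of doubling length, and the slow-hash economics described above, here is an added Python example that is not part of the original article. The guess rates for a fast hash and for a slow hash are order-of-magnitude assumptions for illustration, and the pattern model for Summer2026! (about 10,000 common words, two capitalisations, 50 plausible years, 10 trailing symbols) is an assumed attacker model, not a measurement.

```python
import math
import string

LOWER = string.ascii_lowercase                        # 26 symbols
MIXED = string.ascii_letters + string.digits          # 62 symbols
FULL = MIXED + string.punctuation                     # 94 printable ASCII symbols

# Order-of-magnitude guess rates for one GPU rig (assumptions for illustration).
FAST_HASH_RATE = 1e11   # unsalted MD5 / SHA-1
SLOW_HASH_RATE = 1e4    # bcrypt or Argon2 at a sensible work factor


def bits_per_char(alphabet):
    """Entropy of one character drawn uniformly at random from the alphabet."""
    return math.log2(len(alphabet))


def random_bits(length, alphabet):
    """Entropy of a password of `length` uniformly random characters."""
    return length * bits_per_char(alphabet)


def pattern_bits(choices):
    """Entropy of a human-style password modelled as independent choices, given the
    number of options per slot, e.g. [word, capitalisation, year, trailing symbol]."""
    return sum(math.log2(n) for n in choices)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: the whole space at the given rate (expected time is half)."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.4f} seconds"


def compare():
    """Bits and worst-case cracking times for the article's running examples."""
    cases = {
        # Summer2026! counted as if all 11 characters were random: what a checker that
        # only looks at charset and length would report
        "Summer2026! (naive)": random_bits(11, FULL),
        # Summer2026! as the attacker models it (assumed model, see lead-in)
        "Summer2026! (pattern)": pattern_bits([10_000, 2, 50, 10]),
        "8 random, full charset": random_bits(8, FULL),
        "16 random lowercase": random_bits(16, LOWER),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "fast_hash": human_time(seconds_to_exhaust(bits, FAST_HASH_RATE)),
            "slow_hash": human_time(seconds_to_exhaust(bits, SLOW_HASH_RATE)),
        }
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    # Doubling the length squares the search space: 26^16 == (26^8)^2.
    assert 26 ** 16 == (26 ** 8) ** 2
    for name, row in compare().items():
        print(f"{name:24} {row['bits']:5} bits  fast: {row['fast_hash']:>18}  slow: {row['slow_hash']}")
```

Two rows in that table carry the argument. Summer2026! is worth about 72 bits to a naive checker and about 23 bits to an attacker who models it as word + year + symbol, and 23 bits falls in minutes even behind a slow hash. Sixteen random lowercase letters are worth about 75 bits no matter who is counting, and that is the difference between "minutes" and "thousands of years".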
Passphrases vs Random Strings
For the handful of passwords a human must actually remember and type · your password manager's master password, your laptop login · use a passphrase: several words chosen at random from a large wordlist. The Diceware method uses a 7,776-word list, which yields about 12.9 bits per word · five words gets you roughly 64 bits, and the result is typeable and memorable in a way kV9$mQ2#xL7! never will be.
Two rules keep passphrases honest. The words must be chosen randomly · a song lyric, a quote, or a sentence you made up is a phrase attackers can search, not a random draw. And more words beat clever decoration · adding a sixth word helps more than sprinkling digits into the fourth one.
For everything else · every account that lives in a manager and gets autofilled · random strings win. You never type them, so memorability is irrelevant, and per character they carry the most entropy available. Generate them at maximum length the site accepts with the password generator and never look at them again.
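The two generators the last three paragraphs describe · a random-word passphrase for the few secrets you must remember, and a maximum-length random string for everything a manager autofills · as an added Python example that is not part of the original article. The 32-word list embedded here is a constructed stand-in for the 7,776-word Diceware/EFF list, which you would load from a file with the `load_wordlist` helper; entropy is computed from the actual list size, so the toy list honestly reports only 5 bits per word.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware/EFF wordlist (assumption: the real list has 7,776
# entries). Entropy is computed from the real size of whatever list is passed in.
TOY_WORDLIST = """
acid amber anchor apple arrow bacon badge banjo basil beach berry bison
blade bloom bonus brick broom cabin cactus camel candy canoe cargo cedar
chalk cherry chess cider cliff cloud cobra comet
""".split()

PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def load_wordlist(path):
    """Read one word per line; tolerates the EFF format where each line is '11111<TAB>word'."""
    words = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.split()
            if parts:
                words.append(parts[-1])
    return words


def passphrase(n_words=5, wordlist=TOY_WORDLIST, sep=" "):
    """Draw n words uniformly at random from the OS CSPRNG (never the `random` module).
    Each draw is independent, so repeated words are allowed and cost no entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words, wordlist_size):
    """Entropy of a passphrase: log2(list size) per word, nothing for decoration."""
    return n_words * math.log2(wordlist_size)


def random_password(length, alphabet=PRINTABLE):
    """Uniform random string for accounts a manager autofills: ask for the maximum
    length the site accepts, since nobody will ever type it."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password_bits(length, alphabet=PRINTABLE):
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print("toy passphrase:", passphrase(5),
          f"({passphrase_bits(5, len(TOY_WORDLIST)):.1f} bits from a {len(TOY_WORDLIST)}-word list)")
    print(f"the same five words from a 7,776-word list: {passphrase_bits(5, 7776):.1f} bits")
    print("manager-only password:", random_password(32), f"({random_password_bits(32):.1f} bits)")
```

Note what is not here: no "one capital, one digit" post-processing of the passphrase, and no rejection of repeated words. Either would shrink the space the attacker has to search, which is the only thing the generator is supposed to maximise.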
The Real Answer Is a Password Manager
Every guideline above collapses into one habit: stop knowing your passwords. A manager gives you a unique random credential per site, which means a breach at one service is contained to that service. It also quietly protects you from phishing · the manager fills credentials only on the exact domain it saved them for, so a lookalike login page gets nothing while your eyes are still being fooled. The single point of failure, the master passphrase, is exactly where the five-random-words method belongs.
What Site Owners Should Enforce
If you are building the login rather than using it, current NIST guidance (SP 800-63B) is refreshingly blunt about what helps and what does not:
- Require length, not composition. A minimum of 8 characters (the latest revision recommends at least 15), and accept at least 64 so passphrases fit. No "must contain a symbol" rules.
- Drop forced rotation. Scheduled expiry produces Password1, Password2, Password3. Require a change only on evidence of compromise.
- Check new passwords against breach corpora and common-password lists, and reject known-cracked values · this blocks the front of the attacker's queue.
- Allow paste and password managers. Blocking paste punishes exactly the users doing it right.
- Rate-limit and throttle login attempts, and hash with bcrypt, scrypt, or Argon2 · never a bare fast hash.
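The server side of that list, as an added Python example that is not part of the original article: a password check that enforces only length and known-breached values (no composition rules, no rotation), salted scrypt hashing from the standard library, and a per-account sliding-window throttle for online guessing. The breach list is a constructed stand-in for a real corpus or the HIBP range API, and the scrypt parameters are an assumption to tune for your own hardware.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata
from collections import defaultdict, deque

MIN_LENGTH = 8       # SP 800-63B floor; the latest revision recommends 15
MAX_LENGTH = 128     # accept at least 64 so passphrases fit; never silently truncate

# Constructed stand-in for a breach corpus / common-password list (assumption).
# In production, query a local breach dataset or the HIBP range API instead.
KNOWN_BREACHED = {"password", "123456", "qwerty", "letmein", "P@ssw0rd1!", "Summer2026!"}


def check_password(candidate, username=""):
    """Return (accepted, reason). Length and known-bad values only: no composition rules."""
    candidate = unicodedata.normalize("NFKC", candidate)    # normalise before comparing
    if len(candidate) < MIN_LENGTH:
        return False, f"use at least {MIN_LENGTH} characters (longer is better)"
    if len(candidate) > MAX_LENGTH:
        return False, f"use at most {MAX_LENGTH} characters"
    if candidate in KNOWN_BREACHED:
        return False, "this password appears in a known breach; choose another"
    if username and username.lower() in candidate.lower():
        return False, "password must not contain your username"
    return True, "ok"


# Slow, salted, memory-hard hashing. 128 * n * r bytes per hash (16 MiB here); assumption:
# tune n so a hash costs tens of milliseconds on your login servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password):
    salt = secrets.token_bytes(16)                         # unique per user
    key = hashlib.scrypt(unicodedata.normalize("NFKC", password).encode(),
                         salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(stored, password):
    """Recompute with the stored parameters; constant-time compare of the derived key."""
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(unicodedata.normalize("NFKC", password).encode(),
                         salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p),
                         dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


class LoginThrottle:
    """Sliding-window cap on failed attempts per account, so online guessing stays slow."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts, self.window = max_attempts, window_seconds
        self.failures = defaultdict(deque)

    def allow(self, username, now=None):
        now = time.time() if now is None else now
        recent = self.failures[username]
        while recent and now - recent[0] >= self.window:   # expire old failures
            recent.popleft()
        return len(recent) < self.max_attempts

    def record_failure(self, username, now=None):
        self.failures[username].append(time.time() if now is None else now)


def attempt_login(store, throttle, username, password, now=None):
    """Authenticate against a {username: stored_hash} table; throttle is checked first."""
    if not throttle.allow(username, now):
        return "throttled"
    if username in store and verify_password(store[username], password):
        return "ok"
    throttle.record_failure(username, now)
    return "denied"


if __name__ == "__main__":
    store = {"alice": hash_password("correct horse battery staple")}
    print(check_password("Summer2026!", "bob"))
    print(check_password("correct horse battery staple", "alice"))
    throttle = LoginThrottle(max_attempts=3, window_seconds=60)
    for guess in ["password", "Password1", "letmein", "correct horse battery staple"]:
        print(guess, "->", attempt_login(store, throttle, "alice", guess))
```

The last loop shows the two halves working together: three wrong guesses exhaust the window and the correct password is refused with "throttled" until it expires, while offline the attacker faces a 16 MiB scrypt per guess instead of a 0.1 microsecond MD5. Note that the stored record carries its own parameters, so you can raise the cost factor later and re-hash users transparently on their next successful login.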
These items belong on the same list as your headers and access rules · the full security audit checklist covers where password policy sits among them.
MFA Is the Multiplier
Everything above assumes the password is the only lock. It should not be. With a second factor, a cracked or phished password alone stops being enough to enter. The factors are not equal, though: SMS codes are the weakest form, vulnerable to SIM swapping and to being relayed by a phishing page in real time · authenticator apps (TOTP) are solidly better, though a live phishing proxy can still relay a code before it expires · and passkeys or hardware keys are the strongest, because the credential is bound to the real domain and a lookalike site cannot obtain anything usable from it. Turn on the best factor each account offers, starting with email, since email resets everything else.
Check Where You Stand
Take one password you actually use · changed by a character or two if pasting the real one makes you nervous · and run it through the password strength checker to see how the entropy math treats it. Then let the password generator replace it with something you will never need to remember. And if you run an app with a login of your own, see the whole surface at once · run a free security scan and find the weak points before someone else does.