Weak passwords are responsible for the majority of account breaches. Learn what makes a password strong, how attackers crack weak ones, and how to build a password strategy that actually protects you.
According to Verizon's annual Data Breach Investigations Report, weak, default, or stolen passwords are responsible for over 80% of hacking-related data breaches. This is a remarkable statistic when you consider the sophisticated technical tools that attackers have available — and yet they are most often defeated not by firewalls or encryption, but by a sufficiently long, random password.
Passwords are the locks on every door of your digital life. Your email, your bank account, your social media, your workplace systems — all of them are secured primarily by a string of characters you chose at some point, possibly years ago. If those strings are weak, predictable, or reused, your digital security is fundamentally compromised regardless of any other precautions you take. This guide explains exactly what makes a password strong, how attackers work, and how you can protect yourself with a practical password strategy.
Before understanding what makes a password strong, it helps to understand the specific methods attackers use to crack them. The three most common approaches are:
The first is the dictionary attack. Attackers use software that automatically tries millions of common words, names, phrases, and their variations against an account or a stolen password hash. These "dictionaries" are not just standard words — they include common password patterns, sports teams, celebrity names, keyboard walks and sequences (qwerty, 123456), and variations like substituting letters with numbers or symbols (p@ssw0rd).
The speed at which modern computers can run through dictionary entries is staggering. Consumer-grade hardware can test hundreds of millions of password guesses per second against an offline password hash. A password like "football2024!" can be cracked in seconds despite seeming reasonably complex to a human.
Brute force attacks try every possible combination of characters systematically. While impractical for long passwords, they are highly effective against short ones. A password consisting of 6 lowercase letters has only 308 million possible combinations — which modern hardware can exhaust in under a second. Adding uppercase letters, numbers, and symbols increases this, but the critical variable is still length.
The mathematics of brute force attack resistance are compelling: each additional character multiplies the number of possible passwords by the number of characters in the character set. An 8-character password using letters and numbers has approximately 218 billion possible combinations. A 12-character password using the same character set has approximately 3.2 quadrillion — roughly 15,000 times more.
When a website is breached, the database of usernames and passwords is often sold on dark web marketplaces. Attackers then take these credentials and systematically try them against hundreds of other popular websites — banking, email, shopping, and social media. This is called credential stuffing, and it works because so many people reuse the same password across multiple sites.
If you use the same password for your email and your bank, and the email service is breached, your bank account is now compromised — even if the bank itself was never attacked. This is the single most dangerous password habit.
Contrary to common advice, the most important factors in password strength are not special characters or capitalisation — they are length and randomness.
Password length is the single most important factor in security. Each additional character multiplies the number of possible passwords by the size of the character set, so the time required to crack a password by brute force grows exponentially with its length. Security experts now recommend a minimum of 12 characters for standard accounts and 16+ characters for high-value accounts like email, banking, and password managers.
The mathematics are clear: a truly random 16-character password using just lowercase letters would take longer to brute-force than the current age of the universe. Adding uppercase, numbers, and symbols makes it vastly stronger still.
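The arithmetic behind the brute-force comparisons above, as an added example that is not part of the original guide: it computes the keyspace for the character sets and lengths discussed and the worst-case time to exhaust it at an assumed guess rate (the 1e11 guesses per second figure is a constructed stand-in for a GPU rig attacking a fast, unsalted hash; a slow, salted hash cuts it by orders of magnitude).

```python
# Character-set sizes used in the comparisons (ASCII; the symbol set is an assumption)
LOWER = 26
ALNUM = 62            # a-z, A-Z, 0-9
PRINTABLE = 95        # ALNUM plus the 33 printable ASCII symbols (space included)

def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly this length: charset_size ** length (exact integer)."""
    return charset_size ** length

def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; an attacker needs half that on average."""
    return keyspace(charset_size, length) / guesses_per_second

def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, for side-by-side comparison."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"

def length_multiplier(charset_size: int, extra_chars: int) -> int:
    """How many times larger the keyspace becomes when `extra_chars` characters are added."""
    return charset_size ** extra_chars

if __name__ == "__main__":
    # Assumed rate: 1e11 guesses/s, a GPU rig against a fast unsalted hash (constructed figure)
    rate = 1e11
    for size, length in ((LOWER, 6), (ALNUM, 8), (ALNUM, 12), (LOWER, 16), (PRINTABLE, 16)):
        print(f"charset {size:>2}, length {length:>2}: {keyspace(size, length):>32,} "
              f"-> {human_time(seconds_to_exhaust(size, length, rate))}")
    print("8 -> 12 alphanumeric characters multiplies the keyspace by",
          f"{length_multiplier(ALNUM, 4):,}")
```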
A long password is only strong if it is random. "abcdefghijklmnop" is 16 characters but offers almost no security because it follows a completely predictable pattern. Patterns — keyboard walks, common phrases, sequential numbers, predictable substitutions — are all pre-loaded into attacker dictionaries.
True randomness means no pattern, no personal information, and no meaningful words in any predictable combination. This is why randomly generated passwords from a tool like the CalcNest Password Generator are so much stronger than human-chosen passwords: humans are systematically bad at generating randomness. We tend to choose things that are meaningful to us, and these meanings are exactly what attackers exploit.
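A registration-time check that applies the reasoning above (and the point about substitutions made in the dictionary-attack description), added here as an example and not code from the guide or from any CalcNest tool: it undoes the substitutions that cracking rules already cover, strips a trailing year or symbol, and looks for keyboard walks and sequential runs. The word list and the 12-character minimum are constructed placeholders for the real lists and policy a service would use.

```python
import re

# Constructed mini dictionary; real cracking wordlists hold millions of entries
COMMON_WORDS = {"password", "football", "qwerty", "letmein", "welcome", "dragon", "monkey"}
# Substitutions every cracking rule set already undoes (p@ssw0rd -> password)
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
# Keyboard rows, digits and the alphabet; walks along any of these are predictable
TRACKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz"]

def normalise(password: str) -> str:
    """Reduce a password to the word an attacker's rules would try first:
    drop leading/trailing digits and symbols ('football2024!' -> 'football'),
    lower-case it and undo leet substitutions ('P@ssw0rd' -> 'password')."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", password)
    return core.lower().translate(LEET_MAP)

def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters of any track appear, in either direction."""
    s = password.lower()
    for track in TRACKS:
        for t in (track, track[::-1]):
            if any(t[i:i + run] in s for i in range(len(t) - run + 1)):
                return True
    return False

def weaknesses(password: str, min_length: int = 12) -> list[str]:
    """Reasons a password would fall quickly to dictionary or brute-force attacks; empty if none found."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalise(password) in COMMON_WORDS:
        problems.append("dictionary word once substitutions are undone")
    if has_sequence(password):
        problems.append("contains a keyboard walk or sequential run")
    if len(set(password)) <= 2:
        problems.append("almost no distinct characters")
    return problems

if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "football2024!", "abcdefghijklmnop", "ocean-nine-lamp-purple-bread"):
        print(f"{candidate!r}: {weaknesses(candidate) or 'no obvious weakness'}")
```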
Every account should have its own unique password. If even one site where you have an account is breached, credential stuffing attacks cannot compromise your other accounts if every password is different.
Truly random passwords like "8kM#xQ2@nLpRv7!" are secure but difficult to remember. An alternative for passwords you must type from memory is the passphrase — a sequence of random, unrelated words: "correct-horse-battery-staple" or "purple-lamp-ocean-nine-bread."
A 4-5 word passphrase using words chosen randomly (not a meaningful phrase) provides excellent security — often better than short complex passwords — while being far easier to remember. The key word is "random": "ilovedogs" or "thequickbrownfox" are not secure because they follow predictable patterns; "ocean-nine-lamp-purple-bread" is secure because the words have no predictable relationship.
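Generating both forms from a cryptographically secure source, as an added example rather than code from the guide or from the CalcNest generator: the word list is a constructed stand-in for a real diceware-style list (the 7,776-word figure in the comparison is the size of the EFF large wordlist), and the entropy arithmetic shows why five random words compete with a ten-character random string.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list; a diceware-style list has 7,776 entries
WORDS = ["ocean", "nine", "lamp", "purple", "bread", "correct", "horse", "battery",
         "staple", "canyon", "velvet", "marble", "tunnel", "copper", "harbor", "meadow"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters

def random_passphrase(n_words: int = 5, words: list[str] = WORDS, sep: str = "-") -> str:
    """Pick each word independently with the OS CSPRNG (secrets, never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random characters from the alphabet, again via secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(choices: int, draws: int) -> float:
    """Entropy of `draws` independent uniform picks from `choices` options: draws * log2(choices)."""
    return draws * math.log2(choices)

def equivalent_password_length(n_words: int, list_size: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Random-character length with the same entropy as an n-word passphrase from this list."""
    return entropy_bits(list_size, n_words) / math.log2(alphabet_size)

if __name__ == "__main__":
    print(random_passphrase())
    print(random_password())
    print(f"5 words from 7,776: {entropy_bits(7776, 5):.1f} bits "
          f"= {equivalent_password_length(5, 7776):.1f} random printable characters")
```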
Given that every account needs a unique, long, random password, and that most people have dozens to hundreds of accounts, the only practical solution is a password manager.
A password manager is an application (available on all platforms and as browser extensions) that generates a long, random, unique password for each account, stores it in an encrypted vault, and fills it in for you when you log in.
You only need to remember one strong master password — the one that unlocks your vault. Everything else is handled for you. Reputable password managers include Bitwarden (free and open-source), 1Password, Dashlane, and KeePass. Browser-built-in password managers (Chrome, Safari, Firefox) are a good starting point but offer fewer security features than dedicated tools.
Visit haveibeenpwned.com and enter your email addresses. This free service, maintained by security researcher Troy Hunt, checks whether your email has appeared in any known data breaches. If it has, change the password for that account immediately and any other accounts where you used the same password.
If you use a password manager, it will show you which of your saved passwords are reused across multiple sites. If you do not use a password manager, try to recall which passwords you reuse across important accounts. Start by fixing the most critical accounts: email (which can reset everything else), banking, and work accounts.
Generate new strong passwords for any accounts with short, predictable, or reused passwords. Use the CalcNest Password Generator to create passwords with your desired length and character set. For accounts where you must type from memory, consider a 4-6 word passphrase instead.
Even the strongest password can be compromised through phishing. Adding a second authentication factor (a code from an authenticator app, or a hardware key) means that even if your password is stolen, an attacker still cannot access your account without the second factor. Enable 2FA on all important accounts, prioritising email, banking, and any account containing payment information.
Research has shown that mandatory frequent password changes typically make security worse, not better. When forced to change passwords regularly, people choose weaker, more predictable passwords (Password1, Password2, Password3). The NCSC and most current security guidance recommend changing passwords only when there is evidence of compromise, not on a fixed schedule.
Substitutions such as @ for a, 0 for o, or $ for s are so widely known that they are built into every password cracking dictionary. "P@ssw0rd!" is no more secure than "Password" against modern attacks. Only length and genuine randomness provide real protection.
Every account has value to attackers. Email accounts are used to reset other accounts and send phishing emails to your contacts. Social media accounts are used for scams and impersonation. Even game accounts can be sold. The assumption that you are not a target is one of the most dangerous in digital security.
Modern browser password managers (in Chrome, Firefox, Safari, and Edge) are actually quite secure and significantly better than having no password manager and reusing passwords. While dedicated password managers offer additional features, using your browser's built-in password manager is a meaningful security improvement for most people.
Use at least 12 characters for standard accounts, and 16-20+ characters for high-value accounts (email, banking, password manager master password). If using a passphrase, aim for 4-6 random words (roughly 20-30 characters). There is no such thing as a password that is too long.
Yes: storing passwords in your browser is significantly safer than not using a password manager at all and reusing passwords. The browser's password store is encrypted and protected by your device login. The main risks are shared devices and malware that can access browser storage. For very high-value accounts, a dedicated password manager with a separate master password provides additional protection.
If you suspect an account has been compromised, change its password immediately. Enable two-factor authentication if it is not already active. Check the account's recent activity log for unfamiliar access. Change your password on any other account where you used the same password. If the compromised account is your email, change passwords on all accounts linked to that email address.
No: a strong password does not make reuse safe. No matter how strong a password is, using it across multiple accounts creates risk through credential stuffing. If one site is breached, that password is now exposed. Every account must have its own unique password.
Password security is the most fundamental and impactful aspect of personal digital security. The three rules are non-negotiable: every account needs a long, random, unique password. A password manager is the only practical way to maintain this standard across dozens of accounts. Use the CalcNest Password Generator to generate cryptographically random passwords of any length, then store them in a password manager — and enable two-factor authentication on your most important accounts. Together, these steps eliminate the most common methods attackers use to compromise accounts.