A practical, up-to-date guide to password security. Covers how passwords get cracked, what makes a password strong, why password managers are non-negotiable, how hashing works behind the scenes, and where authentication is headed with passkeys and FIDO2.
Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
Read full article on Wikipedia · Verified March 20, 2026
A brute-force attack tries every possible combination of characters until it finds the right one. Modern GPUs can compute over 150 billion MD5 hashes per second. Against bcrypt with cost factor 12, the same GPU is limited to roughly 100 hashes per second. Hash algorithm choice matters enormously.
Dictionary attacks try common words, phrases, and known passwords from previous breaches. Attackers maintain wordlists containing millions of entries, including common substitutions like p@ssw0rd. The RockYou breach list alone contains 14 million unique passwords.
When a service gets breached, attackers try those username/password pairs on other services. Because roughly 65% of people reuse passwords across accounts, credential stuffing has a high success rate. It requires no cracking at all if the breached service stored passwords in plaintext.
Rainbow tables are precomputed lookup tables that map hash values back to original passwords. Modern password hashing algorithms (bcrypt, scrypt, Argon2) include a random salt with each hash, making rainbow tables useless because each password has a unique salt.
The most effective password attacks bypass technical defenses entirely. Phishing emails that mimic legitimate login pages, phone calls from fake support agents, and shoulder surfing all target human behavior. Two-factor authentication is the strongest defense against phishing.
Password strength comes down to entropy: the number of possible combinations an attacker must try. Entropy is measured in bits. Every additional bit doubles the search space.
| Password Type | Example | Entropy (bits) | Crack Time (MD5) | Crack Time (bcrypt-12) |
|---|---|---|---|---|
| 6 chars, lowercase | garden | 28 | Instant | ~31 days |
| 8 chars, mixed + numbers | G4rd3n!x | 52 | ~3 seconds | ~1.4 million years |
| 12 chars, mixed + symbols | G4r#en!xP2m$ | 79 | ~4,000 years | Trillions of years |
| 16 chars, mixed + symbols | kR7#mP2x!vL9nQ4$ | 105 | ~340 billion years | Longer than the universe |
| 4-word passphrase | correct horse battery staple | ~44 | ~2 hours | ~5,600 years |
| 6-word passphrase | correct horse battery staple lunar drift | ~78 | ~3,500 years | Trillions of years |
Length is more important than complexity. A 16-character lowercase password is stronger than an 8-character complex one. The hash algorithm used by the service matters as much as the password itself.
A passphrase is a sequence of random words. Passphrases are easier to memorize and can achieve high entropy through length. A 6-word Diceware passphrase has about 78 bits of entropy. Use passphrases for passwords you must remember and random strings (via a password manager) for everything else.
The average person has over 100 online accounts. Password managers generate, store, and auto-fill credentials. You remember one master password; the manager handles the rest.
A password manager encrypts your credential vault using your master password as the key, typically with AES-256 or XChaCha20. The key is derived using PBKDF2, Argon2, or scrypt with hundreds of thousands of iterations. Zero-knowledge architecture means the company never has access to your decrypted vault.
| Manager | Platform | Encryption | Free Tier | Open Source |
|---|---|---|---|---|
| Bitwarden | All platforms | AES-256 + Argon2 | Yes (full featured) | Yes |
| 1Password | All platforms | AES-256 + PBKDF2 | 14-day trial | No |
| KeePassXC | Desktop | AES-256 or ChaCha20 | Fully free | Yes |
| Proton Pass | All platforms | AES-256 + Argon2 | Yes (limited) | Yes |
| Dashlane | All platforms | AES-256 + Argon2 | Yes (1 device) | No |
Bitwarden is the strongest recommendation for most people: open source, independently audited, works everywhere, and has a generous free tier.
Never store passwords in a browser's built-in password manager as your only copy. Browser stores have weaker encryption and are a common target for info-stealing malware. Use a dedicated password manager.
Properly built services do not store your password. They store a hash: a fixed-length output from a one-way function that is computationally infeasible to reverse.
| Algorithm | Type | Speed | Salted | Suitable for Passwords |
|---|---|---|---|---|
| MD5 | General purpose | ~6 nanoseconds | No (manual) | No, far too fast |
| SHA-256 | General purpose | ~15 nanoseconds | No (manual) | No, far too fast |
| bcrypt | Password hashing | ~250ms (cost 12) | Yes (built-in) | Yes, industry standard |
| scrypt | Password hashing | ~100-500ms | Yes (built-in) | Yes, memory-hard |
| Argon2id | Password hashing | ~250-500ms | Yes (built-in) | Yes, current best practice |
A salt is a random string added to the password before hashing. Each user gets a unique salt. Without salts, identical passwords produce identical hashes. bcrypt, scrypt, and Argon2 include automatic salting.
2FA adds a second verification step after your password. It reduces account compromise risk by over 99% according to Google's internal data.
Enable 2FA on every account that supports it, starting with email, financial accounts, and cloud storage.
Passkeys use FIDO2/WebAuthn public-key cryptography. Your device generates a key pair. The private key stays on your device (protected by biometrics). The public key goes to the server. Authentication happens without your secret ever crossing the network.
Apple, Google, Microsoft, Amazon, PayPal, GitHub, and Coinbase all support passkey login as of March 2026. Adoption is accelerating, but most services still offer passkeys as an alternative to passwords.
Using personal information: Pet names, birthdays, and addresses are trivially discoverable through social media and public records. Never use personally identifiable information.
Common substitutions: "p@ssw0rd" is in every dictionary wordlist. Replacing "a" with "@" does not meaningfully increase security.
Keyboard patterns: "qwerty", "123456", and "zxcvbn" are among the first combinations tested.
Short passwords with high complexity: An 8-character complex password has about 52 bits of entropy. A 16-character lowercase-only password has about 75 bits. Length wins.
Reusing passwords: If any site gets breached, every account sharing that password is compromised. This is the single most impactful mistake.
Install Bitwarden on all devices. Create a strong master passphrase (5-6 random words). Enable 2FA on the manager account. Write down the master password and store it in a secure physical location.
Import passwords from your browser. Replace any that are shorter than 12 characters, reused, based on personal information, or found in breach databases (haveibeenpwned.com/Passwords).
Start with email, then financial accounts, then social media. Use authenticator apps as default. Upgrade to hardware keys for critical accounts. Store backup codes in your password manager.
Sign up for notifications at haveibeenpwned.com. Enable breach reports in your password manager. Change affected passwords immediately when notified.
Register passkeys as primary login for supported services. Keep passwords as backup. As support expands, your reliance on passwords will naturally decrease.
Search YouTube for "how password cracking works" or "password hashing explained" for visual demonstrations. Computerphile covers bcrypt and rainbow tables. LiveOverflow covers advanced attack techniques.
Not all "random" passwords are equally random. The quality of a generated password depends on the entropy source used to create it. Pseudorandom number generators (PRNGs) used in most programming languages are predictable given enough output samples. Cryptographically secure pseudorandom number generators (CSPRNGs) are designed to be unpredictable and are the only acceptable source for password generation.
In web browsers, the Web Crypto API provides crypto.getRandomValues(), which draws from the operating system's CSPRNG. In Node.js, the crypto.randomBytes() function serves the same purpose. In Python, the secrets module (introduced in Python 3.6) wraps the OS-level CSPRNG. Never use Math.random() (JavaScript) or the random module (Python) to generate passwords; neither is cryptographically secure.
For passphrase generation, the Diceware method uses physical dice rolls to select words from a 7,776-word list. Five dice rolls select one word, and each word adds approximately 12.9 bits of entropy. A 6-word Diceware passphrase has about 77.5 bits of entropy, sufficient for a master password. The EFF publishes improved Diceware word lists that avoid obscure, offensive, or easily confused words.
When using a password generator tool (like the Zovo Password Generator), set the length to at least 16 characters. Include all character types (uppercase, lowercase, numbers, symbols) for maximum entropy per character. For passwords you will never type manually (auto-filled by a password manager), there is no reason not to use 20 or even 32 characters.
Mobile devices present unique password security challenges. On-screen keyboards make typing complex passwords tedious, and smaller screens make it harder to verify what you have typed. These friction points push users toward shorter, simpler passwords on mobile devices.
Biometric authentication (fingerprint and face recognition) addresses this friction while maintaining security. Modern mobile biometric systems store templates locally in a secure enclave (Apple's Secure Enclave, Android's Trusted Execution Environment) rather than sending biometric data to a server. The false acceptance rate for Face ID is approximately 1 in 1,000,000, and for Touch ID approximately 1 in 50,000.
However, biometrics should supplement passwords, not replace them entirely. You cannot change your fingerprint if it is compromised. Courts in some jurisdictions have ruled that police can compel biometric unlock but not password disclosure (as passwords are protected by the Fifth Amendment). For situations requiring maximum security, use a PIN or password instead of biometrics.
Mobile password manager apps auto-fill credentials in other apps and browsers, eliminating the need to type complex passwords. Both iOS and Android support system-level password manager integration. Bitwarden, 1Password, and other managers support this feature, allowing you to authenticate with biometrics and auto-fill even 32-character random passwords with a single tap.
Despite best practices, you may still find your credentials in a breach. Having a response plan reduces the damage and recovery time.
If you receive a breach notification from a service you use, immediately change your password for that service. If you used the same password anywhere else (which you should not, but many people still do), change it on every other service where it was reused. Enable 2FA on the breached account if it was not already active. Review the account for unauthorized changes (email forwarding rules, connected apps, changed recovery information).
For financial accounts, monitor your statements for unauthorized transactions. Consider placing a fraud alert or credit freeze on your credit reports (free at all three bureaus: Equifax, Experian, TransUnion). A credit freeze prevents new accounts from being opened in your name, which is the most common form of identity theft following a data breach.
For email account breaches specifically, the risk is amplified because email controls password resets for other services. Check for unauthorized forwarding rules, review sent messages for phishing sent from your account, and update the password and 2FA immediately. Notify your contacts that your email may have been compromised and to be cautious of messages that appear to come from you.
Document everything: what was breached, when you were notified, what actions you took, and when. This documentation is useful if identity theft occurs later and you need to dispute fraudulent accounts or charges.
Entropy is calculated as log2(C^L), where C is the number of possible characters and L is the password length. For a password using lowercase letters only (26 characters), each character adds log2(26) = 4.7 bits of entropy. For the full printable ASCII set (95 characters), each character adds log2(95) = 6.57 bits.
A 16-character password using the full ASCII set has 16 x 6.57 = 105 bits of entropy. At 150 billion guesses per second (a single high-end GPU against MD5), exhausting a 105-bit keyspace would take approximately 2.7 x 10^14 years. Even with a million GPUs working in parallel, this drops to 2.7 x 10^8 years (270 million years). Against bcrypt with cost 12, the same keyspace would take inconceivably longer because each guess takes 250 milliseconds instead of nanoseconds.
For passphrases, entropy depends on the dictionary size and the number of words. Using the standard Diceware list (7,776 words): 4 words = 51.7 bits, 5 words = 64.6 bits, 6 words = 77.5 bits, 7 words = 90.5 bits. The recommended minimum for a master password is 5 to 6 words.
An important caveat: entropy calculations assume the attacker knows your password generation method but not the specific output. If you generate a "random" password by smashing your keyboard, the actual entropy is lower than calculated because keyboard-mashing produces predictable patterns (adjacent keys, alternating hands). True entropy requires true randomness from a CSPRNG.
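The CSPRNG-based generation described in the randomness section and the log2(C^L) arithmetic above, worked through in Python as an added example (not code from the guide). The Diceware word list is a constructed stand-in of the right size, and the guess rates are the guide's own figures (150 billion/s for MD5, 100/s for bcrypt cost 12).

```python
import math
import secrets
import string

# Added example, not code from the original guide: draw secrets from the
# OS CSPRNG (the secrets module) and compute the entropy and search-time
# figures the text derives.

# 94 printable ASCII characters without the space; the guide's figure of 95
# includes the space, giving its per-character value of log2(95) = 6.57 bits.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for the 7,776-word Diceware list (real passphrases need
# the real EFF list); only its size matters for the entropy arithmetic.
DICEWARE_SIZE = 7776
WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_SIZE)]

MD5_GPU_RATE = 150e9       # guesses/second, one high-end GPU vs MD5 (from the guide)
BCRYPT12_GPU_RATE = 100    # guesses/second vs bcrypt cost 12 (from the guide)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2(C^L): bits of entropy for L uniformly random picks from C symbols."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniform picks via secrets.choice, never random.choice or Math.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_index() -> int:
    """Five CSPRNG 'dice rolls' (0..5 each) give one uniform index in 0..7775."""
    index = 0
    for _ in range(5):
        index = index * 6 + secrets.randbelow(6)
    return index


def diceware_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    return " ".join(wordlist[diceware_index()] for _ in range(words))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case: every one of the 2^bits candidates is tried."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for label, bits in [("6 lowercase", entropy_bits(26, 6)),
                        ("16 printable", entropy_bits(95, 16)),
                        ("6 Diceware words", entropy_bits(DICEWARE_SIZE, 6))]:
        md5 = seconds_to_exhaust(bits, MD5_GPU_RATE)
        bc = seconds_to_exhaust(bits, BCRYPT12_GPU_RATE)
        print(f"{label}: {bits:.1f} bits, MD5 {md5:.3g} s, bcrypt-12 {bc:.3g} s")
    print(random_password(20), "|", diceware_passphrase(6))
```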
| Browser | Password Generator | Hash Generator | bcrypt Generator | Clipboard API |
|---|---|---|---|---|
| Chrome 90+ | Full support | Full support | Full support | Full support |
| Firefox 88+ | Full support | Full support | Full support | Full support |
| Safari 14+ | Full support | Full support | Full support | Full support |
| Edge 90+ | Full support | Full support | Full support | Full support |
| Mobile Chrome | Full support | Full support | Full support | Full support |
| Mobile Safari | Full support | Full support | Full support | Partial (HTTPS) |
Is it safe to use the same password for unimportant accounts? No. A compromised throwaway account can be used for social engineering or credential stuffing. Use unique passwords for everything.
How do I remember my master password? Use a 5-6 word passphrase and practice typing it daily for the first week. Store a physical backup in a safe.
Are password strength meters accurate? Most are simplistic. The zxcvbn library (by Dropbox) is more accurate because it accounts for patterns, dictionary words, and keyboard sequences.
What if I lose my 2FA device? Use backup codes stored in your password manager. For hardware keys, register two per account and keep one as backup.
Can quantum computers break passwords? Grover's algorithm halves bit strength, so a 128-bit password would have 64-bit quantum security. Practical quantum computers for this are not expected before the 2030s.
What is credential stuffing? Attackers try leaked username/password pairs on other services. The only defense is never reusing passwords. A password manager makes this practical.
Many organizations still enforce password policies that actively harm security. Understanding these mistakes helps you advocate for better practices in your workplace or push back on requirements that make users less secure.
Mandatory expiration (requiring password changes every 60 or 90 days) is the most common counterproductive policy. NIST reversed its recommendation on this practice in 2017 because research showed that forced rotation leads to predictable password patterns. Users append incrementing numbers (Summer2024, Summer2025), swap a single character, or write passwords down because they cannot remember the constant changes. The cognitive burden of frequent rotation pushes people toward weaker passwords.
Character composition rules (requiring at least one uppercase, one number, one symbol) are also problematic when combined with short minimum lengths. These rules give a false sense of security: "P@ssw0rd1" meets every complexity requirement but appears in every breach wordlist. A better policy allows any character composition but enforces a minimum length of 15 or more characters and screens passwords against known breach lists.
Account lockout after a fixed number of attempts (typically 3 to 5) was designed to prevent brute force but creates a denial-of-service vulnerability. An attacker can intentionally lock out any user's account by submitting wrong passwords. Progressive rate limiting (increasing delays between attempts) is a more effective alternative that slows attacks without blocking legitimate users.
Security questions ("What is your mother's maiden name?") are another legacy practice that weakens security. The answers are often publicly available through social media or genealogy sites, and users tend to give the same answers across multiple services. Security questions should be replaced with proper 2FA methods.
Understanding how breaches happen illustrates why individual password hygiene matters so much. A typical credential breach follows a predictable pattern.
First, an attacker gains initial access to a company's systems, often through phishing, an unpatched vulnerability, or a misconfigured cloud service. Once inside, they escalate privileges until they can access the user database. They exfiltrate the database (download it to their own systems) and begin analysis.
If passwords are stored in plaintext (which still happens, despite decades of security guidance), every credential is immediately compromised. If passwords are hashed with MD5 or SHA-256 (fast hashes without salting), most passwords can be cracked within hours using rainbow tables or GPU-accelerated brute force. If passwords are properly hashed with bcrypt, scrypt, or Argon2, only weak and common passwords will be cracked; strong, unique passwords remain safe.
The stolen credentials are then sold on dark web marketplaces, shared in hacker forums, or used directly for credential stuffing. Breach databases are aggregated: services like Have I Been Pwned have cataloged over 13 billion compromised accounts from hundreds of separate breaches. When you reuse a password, a breach at any one of those services compromises every account sharing that password.
Notable breaches that exposed password data include Yahoo (3 billion accounts, 2013), LinkedIn (164 million, 2012 with unsalted SHA-1), Adobe (153 million, 2013 with 3DES encryption rather than hashing), and the RockYou breach (32 million plaintext passwords, 2009) whose leaked list remains a staple of every password cracking toolkit.
For developers and system administrators, implementing password security correctly is a professional responsibility. Here are the current best practices for storing and handling user credentials in production systems.
Use Argon2id as the primary password hashing algorithm. Argon2 won the Password Hashing Competition in 2015 and has been extensively reviewed by the cryptographic community. Configure it with a memory cost of at least 64 MB, a time cost of at least 3 iterations, and a parallelism factor of 1. If Argon2 is unavailable in your framework, bcrypt with a cost factor of 12 or higher is an acceptable alternative.
Never implement your own password hashing. Use the password hashing functions built into your language or framework: PHP's password_hash(), Python's bcrypt or argon2-cffi libraries, Node.js bcrypt or argon2, and Java's Spring Security. These implementations handle salting, timing, and encoding correctly.
Implement a breached password check during registration and password changes. The Have I Been Pwned Passwords API allows you to check if a password has appeared in known breaches without sending the actual password to the API (it uses k-anonymity with SHA-1 hash prefixes). Reject any password found in breach databases with a clear message explaining why.
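The k-anonymity range check just described, as an added example (not the guide's or Have I Been Pwned's own code). The range endpoint URL is the real one; the User-Agent string and the sample response body (with made-up counts) are constructed so the parsing can be exercised offline.

```python
import hashlib
import urllib.request

# Added example, not code from the original guide: only the first five hex
# characters of the password's SHA-1 leave the machine; the response lists
# every suffix sharing that prefix, and the match is made locally.

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
USER_AGENT = "example-breach-check/1.0"   # assumption: a descriptive UA string

# Constructed range response for prefix 5BAA6 (SUFFIX:COUNT lines). The
# counts are made up, but the first suffix really is SHA-1("password")[5:].
SAMPLE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0123456789ABCDEF0123456789ABCDEF012:0\r\n"
    "FEDCBA9876543210FEDCBA9876543210FED:12\r\n"
)


def split_sha1(password: str):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Breach count for suffix, or 0 if absent. Padded responses may carry
    count-0 entries, which also mean 'never seen'."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix.upper():
            return int(count or 0)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Network call: sends the 5-character prefix only, never the password."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix), suffix)


def validate_new_password(password: str, fetch=fetch_range):
    """Registration / password-change gate: (accepted, message for the user)."""
    count = breach_count(password, fetch)
    if count:
        return False, (f"This password has appeared in {count:,} known data "
                       "breaches and cannot be used; please choose another.")
    return True, "Password accepted."
```

Pass `fetch=lambda prefix: SAMPLE_RESPONSE` to run the whole gate offline; the default `fetch_range` performs the real lookup.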
Rate-limit login attempts aggressively. After 5 failed attempts, introduce a 30-second delay. After 10, require a CAPTCHA. After 20, temporarily lock the account and notify the user via email. Log all failed attempts with source IPs for monitoring and incident response.
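The progressive rate limiting contrasted with fixed lockout in the policy section, and the 5/10/20 escalation just listed, as one added example (not code from the guide). The lock duration and the counter-reset window are assumptions, and the clock is injectable so the behaviour can be checked without waiting.

```python
import math
import time
from dataclasses import dataclass

# Added example, not code from the original guide: 5 failures -> 30 s delay,
# 10 -> CAPTCHA, 20 -> temporary lock plus e-mail, tracked per account. The
# lock expires on its own, so a stream of wrong guesses slows an attacker
# without permanently locking out the real user (the denial-of-service
# problem with fixed lockouts).

DELAY_AFTER, CAPTCHA_AFTER, LOCK_AFTER = 5, 10, 20
DELAY_SECONDS = 30
LOCK_SECONDS = 15 * 60      # assumption: length of the temporary lock
FORGET_AFTER = 60 * 60      # assumption: counters reset after an hour of quiet


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0
    notified: bool = False


class LoginThrottle:
    def __init__(self, notify, now=time.time):
        self._state = {}
        self._notify = notify   # callable(username): sends the lockout e-mail
        self._now = now         # injectable clock
        self.events = []        # audit log lines, with source IPs

    def _get(self, user: str) -> AccountState:
        st = self._state.setdefault(user, AccountState())
        if st.failures and self._now() - st.last_failure > FORGET_AFTER:
            st = self._state[user] = AccountState()
        return st

    def check(self, user: str) -> dict:
        """What the login endpoint must do before it verifies the password."""
        st, now = self._get(user), self._now()
        if now < st.locked_until:
            return {"action": "locked", "retry_after": math.ceil(st.locked_until - now)}
        if st.failures >= CAPTCHA_AFTER:
            return {"action": "captcha"}
        if st.failures >= DELAY_AFTER:
            wait = DELAY_SECONDS - (now - st.last_failure)
            if wait > 0:
                return {"action": "delay", "retry_after": math.ceil(wait)}
        return {"action": "allow"}

    def record_failure(self, user: str, source_ip: str) -> int:
        st = self._get(user)
        st.failures += 1
        st.last_failure = self._now()
        self.events.append(f"login_failed user={user} ip={source_ip} "
                           f"failures={st.failures}")
        if st.failures >= LOCK_AFTER:
            st.locked_until = st.last_failure + LOCK_SECONDS
            if not st.notified:
                self._notify(user)
                st.notified = True
        return st.failures

    def record_success(self, user: str) -> None:
        self._state.pop(user, None)   # a good login clears the counters
```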
Support WebAuthn/FIDO2 passkeys as a login option alongside passwords. The transition from passwords to passkeys will happen gradually, and offering both methods during the transition period ensures users can adopt passkeys at their own pace without being forced before the ecosystem is ready.
Password reset mechanisms are themselves a security-critical surface. A poorly designed reset flow can bypass even the strongest password and 2FA protections.
Reset links should be single-use, time-limited (15 to 60 minutes), and contain a cryptographically random token of at least 128 bits. The token should be stored as a hash (not in plaintext) in the database, and the reset page should not reveal whether the email address exists in the system (to prevent enumeration attacks).
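A reset flow with the properties just listed, as an added example (not code from the guide). The 30-minute lifetime is an assumption inside the stated 15 to 60 minute window, the user directory is constructed, and e-mail delivery is a callable so the flow runs offline.

```python
import hashlib
import secrets
import time
from typing import Optional

# Added example, not code from the original guide. Tokens are 128 CSPRNG
# bits, stored only as a SHA-256 hash, valid for 30 minutes, consumed on
# first presentation, and the request endpoint answers identically whether
# or not the address is registered.

TOKEN_BYTES = 16          # 128 bits of randomness
TOKEN_TTL = 30 * 60       # assumption: within the guide's 15 to 60 minute window
NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."


def token_hash(token: str) -> str:
    # Stored form: a database leak yields hashes, which cannot be presented
    # as tokens, and the one-way function means no timing-sensitive compare.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetService:
    def __init__(self, registered_emails, send_email, now=time.time):
        self._users = set(registered_emails)   # constructed user directory
        self._send = send_email                # callable(email, raw_token)
        self._now = now                        # injectable clock
        self._pending = {}                     # token_hash -> (email, expires_at)

    def request_reset(self, email: str) -> str:
        # In production, queue the e-mail asynchronously so response timing
        # does not differ between known and unknown addresses.
        if email in self._users:
            token = secrets.token_urlsafe(TOKEN_BYTES)
            self._pending[token_hash(token)] = (email, self._now() + TOKEN_TTL)
            self._send(email, token)           # raw token exists only in the e-mail
        return NEUTRAL_REPLY                   # same reply either way: no enumeration

    def redeem(self, token: str) -> Optional[str]:
        """E-mail the token belongs to, or None. The token is consumed regardless."""
        entry = self._pending.pop(token_hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None                        # expired; already popped, stays dead
        return email

    def pending_count(self) -> int:
        return len(self._pending)
```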
Account recovery, when a user loses access to both their password and 2FA device, is the hardest problem in authentication. Options include backup codes (generated during 2FA setup and stored securely by the user), recovery keys (a long random string printed and kept in physical storage), and identity verification (requiring government ID, which introduces its own privacy concerns). There is no perfect solution; every recovery mechanism represents a trade-off between security and usability.
Never use "secret questions" (mother's maiden name, first pet) for account recovery. These answers are guessable, publicly findable, and static (they never change). If your system currently uses security questions, plan a migration to backup codes or recovery keys.
Update History
March 20, 2026 - Initial publication. Covers cracking methods, entropy, password managers, hashing, 2FA, passkeys, organizational policies, breach anatomy, enterprise implementation, and account recovery.
Want a video tutorial? Search YouTube for step-by-step video guides on password security guide 2026.