What Makes a Good Password?

Not all passwords are created equal. Learn the science behind password strength — what actually matters, what doesn't, and how to build passwords that can withstand modern attacks.

The Three Pillars of Password Strength

A good password comes down to three things: length, character diversity, and randomness. Get all three right and your password becomes virtually uncrackable. Miss even one and you could be vulnerable.

1. Length — The Most Important Factor

Every character you add to a password multiplies the total number of possible combinations. This relationship is exponential, not linear. Here's what that means in practice:

Length	Combinations (all types)	Crack Time @ 10B/sec
6	7.4 x 10^11	~1 minute
8	6.6 x 10^15	~6.5 hours
10	5.9 x 10^19	~190 years
12	5.4 x 10^23	~1.7 million years
14	4.9 x 10^27	~15 billion years
16	4.4 x 10^31	~140 trillion years

Going from 8 characters to 12 characters increases the crack time from hours to millions of years. That's why every security expert says: length is king.

2. Character Diversity — Expanding the Pool

The "character pool" is the total number of possible characters each position in your password could be. The larger the pool, the more combinations exist:

Lowercase only — 26 characters
+ Uppercase — 52 characters
+ Digits — 62 characters
+ Symbols — 95 characters

Using all four character types nearly quadruples the pool compared to lowercase only. But notice: going from 26 to 95 is a ~3.6x increase, while adding just 2 more characters to a password increases combinations by ~9,000x (at pool size 95). That's why length always trumps complexity.

3. Randomness — The Hardest Part

Humans are terrible at being random. We gravitate toward patterns, dictionary words, dates, and predictable substitutions. Attackers know this and exploit it with sophisticated wordlists and rule-based attacks.

What is password entropy?

Entropy measures the randomness of a password in bits. It's calculated as: length x log2(pool size). Higher entropy = stronger password. A password with 80+ bits of entropy is considered very strong. Our password checker calculates this for you instantly.

Good vs. Bad Passwords — Real Examples

Weak — Cracked Instantly

password123

Dictionary word + simple number pattern. Appears in every cracking wordlist. This is one of the top 10 most common passwords globally.

Weak — False Sense of Security

P@ssw0rd!2024

Looks complex, but it's just "Password2024" with common substitutions. Attackers have rules for these exact patterns — this would fall to a dictionary attack in seconds.

Moderate — But Still Risky

MyDogSpot2019

Uses personal information (pet name + year). An attacker who researches you on social media could build a targeted wordlist that cracks this quickly.

Strong — Random Passphrase

maple-volcano-ticket-frozen-89

Four random words + a number, separated by hyphens. Long (31 characters), no personal info, easy to remember. Would take millions of years to brute-force.

Very Strong — Generated Password

k9$Tm!xQ2p&Lw7@nR

17 random characters using all character types. 128+ bits of entropy. Practically impossible to crack. Best stored in a password manager.

Common Password Mistakes

These patterns feel secure but are well-known to attackers:

Capitalising the first letter — Password instead of password adds virtually no security
Adding a number at the end — monkey1, dragon99 — attackers test these first
Common substitutions — @ for a, 3 for e, 0 for o — these are built into every cracking tool
Keyboard patterns — qwerty, asdfgh, zxcvbn — all in standard wordlists
Appending the current year — Summer2026! — massively common, easily guessed
Using your username or email — attackers always try these first

The Modern Approach: Password Managers

The best way to have good passwords is to not create them yourself. Password managers generate truly random strings and store them securely. You only need to remember one strong master password (a random passphrase works well for this).

Recommended password managers:

Bitwarden — free, open source, cross-platform
1Password — polished UX, great for families and teams
KeePass — free, offline, fully local storage

All three generate random passwords that score "Very Strong" on our password strength checker.

Quick Checklist: Is Your Password Good?

Is it at least 14 characters long?
Does it use uppercase, lowercase, digits, and symbols?
Is it NOT a word, phrase, or name (even with substitutions)?
Is it unique to this one account?
Does it contain no personal information?
Was it randomly generated (or is it a random passphrase)?

If you answered "yes" to all six, you have a strong password. If not, read our password strength tips for practical steps to improve your security.

Check Your Password Now

Find out exactly how strong your password is with our free, private password strength tester.

Test Password Strength