What Makes a Password Actually Strong (And Why Length Beats Complexity)

Updated on June 4, 2026

The Lie We Were All Told About Password Security

For years, IT departments, websites, and well-meaning security guides have drilled the same advice into us: use uppercase letters, lowercase letters, numbers, and at least one special character. The result? A generation of people changing password to P@ssw0rd! and feeling like they've done something meaningful.

They haven't. And the security community has quietly known this for over a decade.

The real story of what makes a password strong is simpler than the complexity theater we've been performing — and once you understand it, you'll never think about passwords the same way again.

How Attackers Actually Break Passwords

Before we can talk about what makes a password strong, we need to understand what we're defending against. Password cracking isn't someone sitting at a keyboard typing guesses. Modern attackers use GPUs that can attempt billions of guesses per second against leaked password hashes. They work from massive dictionaries, mutation rules, and pattern libraries built from analyzing hundreds of millions of real breached passwords.

Here's the uncomfortable truth those mutation rules know: if you take a common word and capitalize the first letter, add a number at the end, and swap an "a" for "@", attackers have seen that pattern so many times it's literally baked into their first-pass attack lists. P@ssw0rd! falls in seconds. Not because it lacks special characters — it has one — but because attackers guess it as readily as if you'd typed the word "password" itself.

The security theater of forced complexity rules mostly trains humans to be predictable in ways that automated tools exploit trivially.

Entropy: The Only Metric That Actually Matters

Password strength is really a question of entropy — a measure of how much uncertainty or randomness an attacker has to contend with. Entropy is usually expressed in bits. The higher the entropy, the more guesses an attacker needs, on average, to crack your password.

Here's the crucial formula: every time you double the number of possible passwords at a given length, you add one bit of entropy. And every character you add to a password multiplies the search space by the size of your character set.

Let's look at two character sets:

  • Lowercase letters only (26 characters): each added character multiplies possibilities by 26
  • Mixed case + digits + 10 special characters (72 characters): each added character multiplies possibilities by 72

Yes, using a larger character set helps — but the effect of adding one more character vastly outweighs switching character sets. A 12-character lowercase password has 2612 possible combinations — roughly 95 trillion. A 16-character lowercase password has 2616 — about 43 quadrillion. Adding four characters did more work than switching every character to a "complex" set would have.

The Crack-Time Numbers That Should Change Your Mind

Let's get concrete. Using conservative estimates for a moderately capable attacker (around 10 billion guesses per second — achievable with consumer GPU hardware):

  • "P@ssw0rd!" — 9 characters, complex-looking: cracked in under 1 second (it's a known pattern in every wordlist)
  • "kX9!mQz2" — 8 random characters, mixed complexity: cracked in roughly a few minutes to a few hours
  • "correct horse battery staple" — 28 characters, four random common words: estimated crack time hundreds of thousands of years
  • "rivercloudpillowgarden" — 22 lowercase characters, four random words joined: estimated crack time millions of years against brute force
  • "trK!9sxmLqP2" — 12 truly random characters with full complexity: estimated crack time centuries

Read that again: four random common words joined together, with no capitals, no numbers, no special characters, beats a "complex" 12-character random password by several orders of magnitude. Length wins. It wins decisively and it isn't close.

The famous xkcd comic on this topic from 2011 wasn't just funny — it was mathematically correct, and the security community has spent the years since catching up to it.

Why "Random Words" Is the Key Phrase

There's an important caveat hiding in those crack-time numbers: the words have to be genuinely random, not chosen by your predictably human brain.

If your passphrase is "ilovemydogmaxwell" or "sunnydayatthebeach," you've picked words that are semantically connected in ways attackers exploit. Dedicated passphrase attacks chain common words, common topics, and natural word associations. A truly random four-word passphrase — generated by rolling dice (diceware) or a password manager — draws from a pool of 7,776 words per slot in a standard diceware list. Four words gives you 7,7764 combinations — about 3.6 trillion possibilities — and that's before considering word order and spacing.

Use a password manager's passphrase generator, or the actual diceware method with physical dice if you're paranoid. Let the randomness come from outside your head.

What the Experts Actually Recommend Now

In 2017, NIST — the National Institute of Standards and Technology, whose guidelines form the backbone of US federal security policy — overhauled their password recommendations dramatically. The new guidance explicitly dropped mandatory complexity rules and instead emphasized:

  1. Length above all else — minimum 8 characters for regular users, but longer is strongly preferred
  2. No mandatory periodic resets unless there's evidence of compromise (forced resets just produce Password1, Password2, Password3)
  3. Checking passwords against known breach databases rather than enforcing arbitrary character rules
  4. No complexity composition rules — the evidence shows they produce predictable, weaker passwords

NIST's researchers concluded that complexity requirements "have not proven effective at making passwords more secure, but they do make passwords more difficult to remember." The trade-off was never worth it.

So Does Complexity Help At All?

This isn't a clean "complexity is useless" argument. Complexity matters in two specific contexts:

First, when you're forced into a short password. If a system caps you at 8 characters (still common, sadly), then using a full character set genuinely increases your security because you can't compensate with length. Use all the complexity you can get.

Second, when your password is otherwise guessable. A 20-character passphrase made of "onetwothreefourfi" is trash because it's a predictable pattern. Complexity would help here. But so would just... picking different words randomly.

The problem isn't complexity itself — it's treating complexity as a substitute for length, and it's mandatory complexity rules that push humans toward patterns. A long, random passphrase will almost always beat a short, complex one. A long, random passphrase with some deliberate complexity thrown in is marginally better still — but the marginal gain from complexity at that length is tiny compared to just adding two more words.

Practical Takeaways You Can Use Today

  • Use a password manager. This is non-negotiable. Once you're not memorizing passwords, you can use long, fully random strings for everything and the memorability problem disappears.
  • For passwords you must remember (your master password, device login), use a random passphrase of at least four words — five is better. Generate it with a tool, not your brain.
  • Aim for 16+ characters minimum on anything important. For passwords you're not memorizing, 20-32 random characters is standard in professional security tools.
  • Don't recycle passwords. Length helps against brute-force cracking. It does nothing if your password leaks from a breached service. Unique passwords for every account is the only answer to credential stuffing attacks.
  • Enable two-factor authentication wherever it's available. A strong password plus 2FA means an attacker needs both your credential AND physical access to your second factor — an exponentially harder problem.

The Takeaway

The "special characters everywhere" habit isn't malicious — it came from a reasonable place when password cracking was slower and the math wasn't as well understood. But we've known for years that it's security theater, and continuing to enforce it just makes life harder for users while barely inconveniencing attackers.

Length is the variable that actually moves the needle. A five-word random passphrase is not just a little stronger than a complex 8-character password — it's in a completely different security category, with crack times that scale into geological time.

The password landscape shifted. The advice should have too.