Why passwords get cracked
Most passwords are cracked in one of three ways. Dictionary attacks try every entry in a wordlist, typically billions of leaked passwords and common words, and then apply mangling rules to each entry (capitalise the first letter, swap letters for look-alike symbols, append a year or a "!"), which is how p@ssw0rd and P@$$w0rd get covered without anyone typing them in. Brute force attacks try every possible combination of characters up to a certain length. Credential stuffing skips cracking entirely: it replays username-password pairs leaked from one service against other services and succeeds wherever the password was reused.
The critical insight: a password's strength is not about being hard for a human to guess; it is about being hard for a computer making billions of attempts per second. "Tr0ub4dor&3" feels complex to a human, but it is a dictionary word with a capital, two substitutions and a two-character suffix, exactly the pattern cracking rules cover, and it is commonly assessed at roughly 28 bits of entropy. A passphrase like "correct-horse-battery-staple" has about 44 bits when its four words are drawn at random from a 2,048-word list, so it takes on the order of 65,000 times longer to crack despite being far easier to remember.
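To make the dictionary-plus-rules point concrete, here is a small Python model of that attack. It is added for this article and is not code from any tool mentioned on this page. The wordlist, the substitution table and the suffix lists are constructed for the example (a real attack uses wordlists of millions of entries and far richer rule sets); the point is how few candidates the rules generate per word, and how a password that looks random to a person falls inside that set while a random passphrase does not.

```python
import itertools
import math

# Constructed toy wordlist (a real cracking dictionary has millions of entries).
WORDLIST = ["password", "troubador", "letmein", "dragon", "sunshine", "monkey"]

# Constructed rule set modelled on common cracking rules:
# each substitutable letter may be kept or swapped for one of its alternatives.
LEET = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["$", "5"]}
SUFFIX_SYMBOLS = ["!", "@", "#", "$", "&"]
SUFFIX_DIGITS = [str(d) for d in range(10)]


def leet_variants(word):
    """Yield every spelling of `word` reachable through the LEET table."""
    choices = [[ch] + LEET.get(ch, []) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def mangle(word):
    """Yield the candidate set for one dictionary word:
    leet variants x {as-is, first letter capitalised} x {no suffix, symbol+digit}."""
    for variant in leet_variants(word):
        for cased in {variant, variant[:1].upper() + variant[1:]}:
            yield cased
            for sym in SUFFIX_SYMBOLS:
                for digit in SUFFIX_DIGITS:
                    yield cased + sym + digit


def candidates_per_word(word):
    """Number of distinct guesses the rules generate from one word."""
    return len(set(mangle(word)))


def effective_bits(per_word, wordlist_size):
    """Entropy a password really has against this attack: log2 of the candidate
    space, i.e. rule variants per word times the number of words in the list."""
    return math.log2(per_word * wordlist_size)


def find_in_rule_space(password, wordlist=WORDLIST):
    """Return the base word the password derives from, or None when the
    password lies outside everything the rules can generate."""
    for word in wordlist:
        if password in set(mangle(word)):
            return word
    return None


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "P@$$w0rd", "correct-horse-battery-staple"]:
        print(f"{pw:32} base word: {find_in_rule_space(pw)}")
    per_word = candidates_per_word("troubador")
    # Scale the per-word count to an assumed 100,000-word list for illustration.
    print(f"{per_word} candidates per word; "
          f"{effective_bits(per_word, 100_000):.1f} bits against a 100,000-word list")
```

With these rules "troubador" expands to 1,224 guesses, so even against a 100,000-word list the whole candidate space is under 2^27, which is the order of magnitude behind the ~28-bit figure above. Real rule sets are larger, but so is the gap between what a password looks like and what it costs to guess.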
What actually makes a password strong
Entropy is the technical measure of password strength: the base-2 logarithm of the number of equally likely passwords the generation process could have produced. Each extra bit doubles the attacker's work. Entropy comes from two things, length and the size of the alphabet each character is drawn from, and it only counts when the characters are actually chosen at random.
- Length is the most important factor - Every additional character multiplies the search space by the alphabet size. A 12-character password using lowercase only has 26^12 ≈ 9.5 × 10^16 (95 quadrillion) combinations, about 56 bits. A 16-character lowercase password has 26^16 ≈ 4.4 × 10^22, about 75 bits. A random 20-character lowercase password (26^20 ≈ 2 × 10^28, about 94 bits) is out of reach of brute force with current hardware.
- Character variety multiplies possibilities - Adding uppercase (a-z + A-Z = 52) doubles the search space per character, which over 12 characters is a factor of 2^12 = 4,096. Adding digits (0-9, 62 total) and symbols (!@#$%^ and the rest of printable ASCII, 94 total) multiplies it further. A 12-character password drawn at random from the full 94-character printable ASCII set has 94^12 ≈ 4.8 × 10^23 combinations, about 79 bits. These figures hold only when every character is chosen uniformly at random; a password that merely contains one digit and one symbol in predictable places gets far less.
- Unpredictability beats memorability - Human-chosen passwords are predictable because humans follow patterns: capitalising the first letter, ending with a number, using birth years, substituting vowels with symbols. Password crackers exploit these patterns. A random generator that picks characters without following human patterns produces far stronger passwords at the same length.
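The three points above reduce to one formula: a password of L symbols drawn uniformly from an alphabet of N has N^L possibilities and L·log2(N) bits of entropy, and an attacker guessing at a fixed rate needs on average half the space. The Python calculator below, added here as an example and not taken from any tool mentioned on this page, carries that arithmetic through for the alphabets discussed and also shows the trap behind "unpredictability beats memorability": inferring the alphabet from the characters a password happens to contain gives only an upper bound, which is what a naive strength meter reports. The guess rate of 10^10 per second is an assumption chosen for illustration.

```python
import math
import string

# Alphabet sizes used in the text.
ALPHABETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable ASCII": 94,
}


def search_space(alphabet_size, length):
    """Number of distinct passwords of `length` symbols from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy in bits of a password whose every symbol is chosen uniformly and
    independently from the alphabet: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(space, guesses_per_second):
    """Expected time to hit a uniformly random password: on average the
    attacker searches half the space before succeeding."""
    return space / 2 / guesses_per_second


def humanize(seconds):
    """Render a duration at the largest sensible unit."""
    for name, size in [("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def inferred_alphabet_size(password):
    """Alphabet size a naive strength meter assigns from the character classes
    present. This is an UPPER BOUND: it assumes every position was chosen
    uniformly from that alphabet, which is false for human-chosen passwords."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 32  # the 94 printable non-space ASCII characters minus 62 alphanumerics
    return size


def naive_bits(password):
    """Entropy upper bound from the inferred alphabet and the length alone."""
    return entropy_bits(inferred_alphabet_size(password), len(password))


if __name__ == "__main__":
    RATE = 1e10  # assumed guesses per second, for illustration only
    for name, n in ALPHABETS.items():
        for length in (12, 16, 20):
            space = search_space(n, length)
            print(f"{name:20} x {length}: {entropy_bits(n, length):5.1f} bits, "
                  f"{humanize(expected_crack_seconds(space, RATE))}")
    # A naive meter credits Tr0ub4dor&3 with the full 94-character alphabet over
    # 11 positions, far above the ~28 bits it is commonly assessed at once the
    # dictionary-word-plus-rules pattern is taken into account.
    print(f"Tr0ub4dor&3 naive bound: {naive_bits('Tr0ub4dor&3'):.1f} bits")
```

At the assumed rate, 12 random lowercase characters last about 55 days and 12 random printable-ASCII characters about 750,000 years; 20 random characters from either alphabet are beyond any current hardware. The naive bound for "Tr0ub4dor&3" comes out near 72 bits, which is why a meter that only counts character classes is not a substitute for generating the password at random.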
How to generate and use strong passwords
The practical approach: use a password manager and generate a unique random password for every account. You only need to remember one strong master password for the password manager itself.
The ToolAtom Password Generator creates random passwords at your chosen length and character set. For most accounts, a 16-character password with mixed case, digits, and symbols gives excellent protection. For high-value accounts (email, bank, password manager master password), use 20+ characters.
After generating a password, use Password Strength Checker to see the estimated entropy and crack time. A strong password should show "centuries" or longer under brute-force attack at current hardware speeds. Treat the crack time as a rough figure: it assumes a guess rate, and the real rate depends on how the service stores your password. A fast, unsalted hash such as MD5 or NTLM lets a single modern GPU test tens of billions of guesses per second, while a deliberately slow one (bcrypt, scrypt, Argon2) brings that down to the low thousands. You rarely know which a site uses, so size the password for the fast case.
Password manager recommendations
A password manager stores your credentials encrypted so you only need one strong master password. Popular options include Bitwarden (open-source, free tier, cross-platform), 1Password (team features, travel mode), and KeePassXC (a local database file with no built-in cloud sync; syncing the file is up to you). All three let you generate strong passwords and auto-fill them in browsers and apps.
The master password for your password manager should be your strongest password, and it also has to be memorable, so use a passphrase: four or more words chosen at random (by dice or by a generator, not by you) and separated by spaces or symbols. "purple-galaxy-staircase-77" is 26 characters and easy to remember, but its entropy comes from how the words were picked, not from its length: three words from a 7,776-word Diceware list plus a two-digit number give about 45 bits, whereas a randomly generated 20-character string from the full printable set has about 131 bits. For a master password that protects every other credential, use six or more random words (about 77 bits from a 7,776-word list).
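The following Python script, added to this article as an example and not the ToolAtom generator's or any password manager's own code, does what the two sections above describe: a random per-account password of a chosen length, drawn from printable ASCII with the CSPRNG in the secrets module and resampled until every character class is present, and a Diceware-style passphrase for the master password. The 16-word list is constructed for the example; a real Diceware list has 7,776 words, and the entropy function takes the list size as a parameter so the figures in the text can be reproduced.

```python
import math
import secrets
import string

# Printable ASCII minus space: the 94-character set discussed in the text.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

# Constructed stand-in for a Diceware list; a real list has 7,776 entries.
DEMO_WORDS = ["purple", "galaxy", "staircase", "lantern", "copper", "meadow",
              "velvet", "anchor", "orbit", "saddle", "quartz", "timber",
              "harbor", "pepper", "glacier", "marble"]

DICEWARE_SIZE = 7776


def covers_all_classes(password):
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length=16):
    """Uniformly random password over ALPHABET with every class present.
    Rejection sampling keeps the result uniform over the accepted set, unlike
    'pick one from each class and shuffle', which skews the distribution.
    At 16+ characters the class requirement removes only a fraction of a bit."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def generate_passphrase(num_words=6, wordlist=DEMO_WORDS, sep="-"):
    """Passphrase of words picked uniformly at random, with replacement."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def password_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(num_words, list_size=DICEWARE_SIZE):
    """Entropy of a random passphrase: it is the list size per word that
    counts, not the number of letters in the words."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{password_bits(16):.1f} bits")
    print(generate_passphrase(6),
          f"{passphrase_bits(6):.1f} bits with a real 7,776-word list")
    # The article's example: three random words plus a two-digit number.
    print(f"purple-galaxy-staircase-77: {passphrase_bits(3) + math.log2(100):.1f} bits")
```

Use secrets (or os.urandom) rather than the random module, whose Mersenne Twister output is predictable once an attacker has seen a few values. The passphrase entropy reported here is for a real 7,776-word list; with the 16-word demo list each word is worth only 4 bits, which is exactly why the list size, not the word length, is what matters.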
Common mistakes and how to fix them
Do not reuse passwords. When one service gets breached, all accounts sharing that password become vulnerable immediately. Password managers make this easy — you never need to reuse because the manager remembers everything.
Do not use personal information. Names of people, pets, places, birthdays, and phone numbers are the first things an attacker who knows you will try. An automated cracker enriches wordlists with data scraped from social media before running an attack.
Do not rely on complexity requirements alone. A site requiring "at least 8 characters, 1 uppercase, 1 number, 1 symbol" produces passwords like "Password1!" — technically compliant but trivially cracked. Meet the requirements and then keep going to 16+ characters.