Privacy glossary

Password strength


What is password strength?

Password strength is the measure of the security of a password, typically based on length, complexity, and uniqueness. The strength of a password is often described in terms of how long it would take to correctly guess (or “crack”) that password using current-day software and hardware tools.

What makes a password strong?

A strong password is one that’s difficult to guess. One attribute that can help achieve this goal is the length of the password—the more characters in the password, the more difficult it is to guess. For example, adding two more letters to an 8-letter password makes the password 650 times harder to guess. Most websites set a minimum length of 8 characters, but security experts often recommend at least a length of 14 to 16 to prevent a computer from quickly guessing it.

A second component of password strength is the variety of characters used. This is why websites often suggest—or even require—that passwords include capital letters, numbers, and special characters. The greater the variety of characters, the more possibilities a hacker has to try and the harder the password is to guess. When a password only uses lowercase letters, that means each character can be one of 26 possibilities. But when each character might also be capital letters, numbers, and special characters, the variety of possibilities for each character increases to around 70.

Using a long password that includes a variety of character types is good; being unpredictable is even better. Capitalizing the first character or ending with “!” is predictable behavior that a hacker can exploit to improve their chances of guessing a password. A more effective strategy is putting capitals, numbers, and special characters in unexpected parts of the password. For instance, changing “johnsmith” to “JohnSmith1!” does make it harder to guess, but harder still is the less predictable use of the character varieties in something like “john6?SMITH”, or even “sMITH6?john”.

How can I generate strong passwords?

The best way to remove the predictability of human behavior is to use randomly generated passwords. You can get these from online tools provided by cybersecurity organizations, or as part of a password manager. Using a password manager also has the advantage of storing the password for you. This is particularly helpful as randomly generated complex passwords are effectively impossible to memorize.

If you need a password that you can remember (such as the password to unlock your password manager), an excellent trick is to string together several unrelated words that total 18 or more letters, and then create a small story or mental image that helps you remember. For example “snowingreadpillowupstairs” is a very strong, 25 character password that can be remembered by a story like “When it’s snowing, I like to go upstairs and read in bed.” Another alternative is to mash together a short sentence. So using the previous example we could use “ILike2GoUpstairs&Read”.

If you’re creating passwords without a generator, it’s important to avoid using any personal information. Don’t use dates of birth or anniversaries, family or pet names, or current or past addresses. Some of this information is available publicly—or can become available in a data breach—making the password easy to guess.

How do hackers crack passwords?

The most popular method, called a “brute-force attack,” systematically attempts every possible character combination until it succeeds in logging in. The process may start by trying likely possibilities (e.g. “default” or “admin”), then moving to all real dictionary words and popular passwords determined from analysis of data breaches (e.g. “acbd134”, “qwerty”, or “password1”). Once these guesses are exhausted, the process will move on to working through all possible combinations of letters, numbers, and symbols.

This massive effort isn’t done by a lone person manually entering guesses on a keyboard. However, it can be accomplished by a single hacker using sophisticated software and a good quality home computer. With that setup, it’s possible to crack an 8-character password with all lowercase letters in a few seconds. An 8-character password using lowercase and uppercase letters, numbers, and special characters might take a couple hours. If the same cracking software is deployed on a high-end computer, a botnet (a web of connected and coordinated computers), or via cloud computing, the process is even faster to crack your best 8-character password. For instance, renting cloud computing for just a little while means a hacker can crack those same 8-character passwords instantly (if all lowercase) or in about 15 minutes (if the password uses a variety of characters). By contrast, the password “sMITH6?john” would take more than 10 years to crack, and “ILike2GoUpstairs&Read” would take trillions of years.

Hashed passwords (where the password itself is used to create its own unique code) that have been divulged in a data breach are treated to a similar brute-force attack. If the hacker knows the hash scheme used, they can run all possible passwords through the same password validation process locally (i.e. on their computer) and match guesses against the actual stored hashes online. If best practices aren’t used by websites storing your passwords, this procedure can crack multiple passwords on breached data in a single run through the cracking process.

Why should I make a different password for every login?

If a hacker cracks your password for one account, they’ll try that same password on other accounts, hoping you’ve used it elsewhere—a common practice called “credential recycling.” If your password is the same across websites, it means the hacker has instant access to multiple accounts by simply cracking one password. Hackers will leverage this known habit by targeting databases they believe are less secure, like a forum for a local club. If they’re able to break into an account on a site that has less security, they’ll end up with a password they can then try on higher value targets like bank websites.

Even if nothing happens in your accounts, if you learn that a repeated password is part of a data breach, you would then have to change that password everywhere else it’s used—the cleanup effort is bigger, more worrisome, and must be completed with time pressures. It’s less stressful to proactively change any reused passwords before a breach ever happens.

It’s particularly important to make your email password strong and unique. If a hacker is able to crack your email password, they’re able to change any other password that can be reset by clicking “forgot my password” and following reset procedures sent to your email inbox.

Keeping track of all your passwords

Keeping track of dozens of unique, complex passwords is a daunting task. A password manager is a useful tool to help with this. A good password manager can store all login IDs and passwords, and sync this information across devices such as your laptop and your phone. A password manager also adds extra protection because it allows you to log in without actually typing the information, keeping the information out of the path of any keyloggers. Password managers can be standalone programs, browser extensions, or a feature built into your browser, such as in the Brave browser.

While a password manager helps you keep track of passwords that aren’t memorizable, it’s important to pick a strong password that you can remember to secure the password manager. This is an excellent situation for using a password made up of several words strung together.

If you’re using strong passwords, they don’t need to be changed unless you think they’ve been compromised. Frequent changing can lead to frustration and errors without increasing security.

Ready for a better Internet?

Brave’s easy-to-use browser blocks ads by default, making the Web cleaner, faster, and safer for people all over the world.