Building Passwords That Actually Hold Up

Most password advice focuses on complexity — uppercase, lowercase, numbers, symbols. The thinking is that a password like P@ssw0rd! is hard to guess because it uses four character types. In practice, it gets cracked almost immediately. Password crackers know every common substitution pattern, and they test them all.

The thing that actually makes a password resistant to cracking is entropy — the amount of unpredictability in the password. Length contributes more entropy than character variety, especially when the length comes from genuinely random choices rather than patterns.

How password cracking actually works

When an attacker gets hold of a credential database (which happens more often than anyone would like), the passwords are typically stored as hashes rather than plaintext. The attacker runs a hash function against candidate passwords and compares the output to the stored hashes. Any match reveals the original password.

Modern GPU-based cracking rigs can test billions of candidate passwords per second against fast hash functions like MD5. Against weak password schemes — dictionary words, common substitutions, patterns like word+year+symbol — this is very fast. The attacker isn't guessing one character at a time; they're testing millions of known patterns simultaneously.

What slows this down is genuine randomness. A password drawn from a large space (all printable ASCII characters, random selection) with sufficient length is simply impractical to brute force, regardless of which specific characters appear in it.

Entropy: the number that actually matters

Password entropy is measured in bits. A password with N bits of entropy means an attacker would need to make 2^N guesses on average to find it by brute force.

For a random password using a character set of size C and length L, the entropy is:

entropy = L × log2(C)

A few examples:

• 8-character lowercase only (26 chars): 8 × 4.7 = ~38 bits. Crackable in hours with modern hardware.
• 12-character lowercase + digits (36 chars): 12 × 5.2 = ~62 bits. Takes days to weeks, depending on hardware.
• 16-character full ASCII printable (95 chars): 16 × 6.57 = ~105 bits. Practically impossible to brute force.
• 20-character full ASCII: 20 × 6.57 = ~131 bits. Not happening in any reasonable attacker's lifetime.

The jump from 16 to 20 characters adds more security than switching from lowercase-only to full ASCII at 8 characters.

What actually makes passwords weak

Dictionary words and names. Any word that appears in a dictionary, or any proper name, will be tested first. This includes foreign language words, technical terms, and pop culture references. Crackers use multi-language wordlists with millions of entries.

Common substitutions. @ for a, 3 for e, 0 for o, ! appended at the end. Every pattern you've ever been told makes passwords "stronger" is already in cracker rulebooks. The password P@ssw0rd has been a cracking wordlist entry for over a decade.

Short length. An 8-character password, regardless of character variety, has a limited upper bound on entropy. Modern cracking hardware makes short passwords vulnerable regardless of how complex they look.

Predictable structure. Word+Number+Symbol patterns, keyboard walks (qwerty, 1q2w3e4r), date-based components (Summer2023!), and personal information (pet names, birthdays, kids' names) are all common patterns crackers test.

What actually makes passwords strong

Genuine randomness. Not pseudorandom patterns that feel random but follow rules, but actual random selection from a character set using a cryptographically secure random number generator.

Length. Each additional character multiplies the search space. Going from 12 to 16 characters at full ASCII roughly multiplies the search space by 95^4 — about 81 million times harder.

Using the full character space when the system allows it. A 16-character password that uses only lowercase letters has about 75 bits of entropy. The same 16-character password using lowercase + uppercase + digits + symbols has about 105 bits. Both are usable — but the latter is substantially stronger.

Practical password strategy

For anything you log into regularly: Use a password manager. Generate a unique 20+ character random password for every account. You don't need to remember any of them except your master password (which should be a strong passphrase).

For service accounts, API keys, and system credentials: Use a random generator with the full character set, 24+ characters. These are never typed by hand and should be stored in a secrets manager or vault, not in a text file or Slack message.

For passwords you must memorize: A passphrase — several random unrelated words — is easier to remember than a random string and provides reasonable entropy. correct-horse-battery-staple (from the xkcd comic) has about 44 bits of entropy from four random common words. Add more words for higher security.

Using the ToolsKit password generator

The Password Generator uses the browser's built-in crypto.getRandomValues() API, which provides cryptographically secure randomness — the same source used in TLS key generation. Passwords are generated locally and never transmitted.

For service accounts and API credentials: generate at 24+ characters with all character sets enabled. For passwords you'll type occasionally: 16–20 characters is a practical balance. For temporary passwords to hand to users: 12–16 characters is fine since they should change it immediately.