Think of your most-used password. Got it? Now here's an uncomfortable question: if it leaked tomorrow, how long would it take a computer to guess it?
For a lot of people, the honest answer is seconds. And the gap between a password that falls in seconds and one that would outlast the sun comes down to a couple of things most of us were never taught properly.
Strength isn't complexity — it's entropy
We've all been drilled on the "add a capital letter, a number, and a symbol" rules. They're not wrong exactly, but they measure the wrong thing. What actually makes a password hard to crack is entropy — a measure, in bits, of how many possibilities an attacker would have to try before landing on yours.
Each bit of entropy doubles the number of guesses required. A password drawn from the full set of printable characters earns roughly 6.5 bits per character. So the single biggest lever you have isn't sprinkling in symbols — it's length. A 16-character password can cross 100 bits of entropy, which is so far beyond brute-force range that crack time stops being measured in years and starts being measured in eons.
Why length beats complexity
Add one more character and you multiply the number of possible passwords by the size of the character set — an enormous jump. Swap a letter for a symbol and you've barely nudged it. That's the whole reason a long, plain passphrase like correct-horse-battery-staple is dramatically stronger than a short, cryptic P@ssw0rd! that merely looks secure.
There's a second reason complexity rules backfire: attackers know every trick. Capitalizing the first letter, ending with a 1 or !, swapping a for @ — cracking software tries those patterns first. So the "complexity" you carefully added is exactly the complexity an attacker expects. This is why modern guidance from bodies like NIST has shifted toward long passphrases and away from forced complexity rules that just push people toward predictable passwords they can't remember.
The crack-time reality, made concrete
Here's the part that tends to change behavior. Assume a determined attacker running an offline attack at around 10 billion guesses per second — a realistic rate with good hardware:
- A short, lowercase-only password: gone almost instantly.
- An 8-character mixed password: minutes to hours.
- A 16-character password, or a passphrase of four random words: centuries, often far longer.
The jump between those isn't linear; it's exponential. Which is why "just add two more characters" is, unglamorously, some of the best security advice there is.
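To make the arithmetic behind the last two sections concrete, here is a small entropy and crack-time calculator. It is an added example written for this post, not code from the article or from any checker or cracking tool. It takes the article's 10 billion guesses per second as its rate, treats the 95 printable ASCII characters as the full character set, and scores a dressed-up dictionary word the way the "attackers know every trick" section describes: as one dictionary guess plus a bit or so per trick, rather than as random characters. The toy dictionary and the sample passwords are constructed for the demo, the 100,000-entry dictionary size is an assumed stand-in for the far larger lists crackers use, and the pattern-aware scoring is a deliberately simplified model rather than any real tool's algorithm. The passphrase estimate takes the word-list size as a parameter, since that, not the word count alone, sets the bit count (7776 is the size of the Diceware list).

```python
import math
import re

# Offline guess rate the article assumes (guesses per second).
GUESS_RATE = 10_000_000_000

# Character-class sizes for the naive estimate: 26 + 26 + 10 + 33 = 95 printable ASCII.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Constructed toy dictionary standing in for the multi-million-entry lists crackers
# actually use; DICTIONARY_SIZE is an assumed size for such a list (hypothetical).
TOY_DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty", "summer"}
DICTIONARY_SIZE = 100_000

# Common "leet" substitutions, undone before the dictionary lookup.
LEET = str.maketrans("@$!0134", "asiolea")
SUFFIX_SET = 43  # 10 digits + 33 symbols a trailing "1" or "!" could be drawn from


def charset_size(password: str) -> int:
    """Size of the character-class mix that covers every character in the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += LOWER
    if re.search(r"[A-Z]", password):
        size += UPPER
    if re.search(r"[0-9]", password):
        size += DIGITS
    if re.search(r"[^A-Za-z0-9]", password):
        size += SYMBOLS
    return size


def naive_entropy_bits(password: str) -> float:
    """Entropy if each character were chosen uniformly from the covering class mix."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words picked uniformly at random from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def estimate_entropy_bits(password: str) -> float:
    """Pattern-aware estimate (simplified model): a dictionary word dressed up with a
    capital, leet swaps and a short suffix counts as one dictionary guess plus a few
    bits per trick. Returns the lower of that and the naive character estimate."""
    if not password:
        return 0.0
    core, suffix = re.fullmatch(r"(.+?)([0-9!@#$%^&*.]{0,3})", password).groups()
    normalized = core.translate(LEET).lower()
    naive = naive_entropy_bits(password)
    if normalized not in TOY_DICTIONARY:
        return naive
    bits = math.log2(DICTIONARY_SIZE)
    bits += 1 if core[0].isupper() else 0                              # capitalise-first: one yes/no choice
    bits += sum(1 for a, b in zip(core, normalized) if a.lower() != b)  # each leet swap: one yes/no choice
    bits += len(suffix) * math.log2(SUFFIX_SET)                        # trailing digit/symbol characters
    return min(bits, naive)


def crack_time_seconds(bits: float, rate: float = GUESS_RATE) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2 / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits; under one second is 'instant'."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "instant"


if __name__ == "__main__":
    # Sample passwords are constructed for this demo.
    for pw in ["monkey", "P@ssw0rd!", "h7Kq2Xp9", "q7#Lp2!mZ9&vR4$k"]:
        naive, est = naive_entropy_bits(pw), estimate_entropy_bits(pw)
        print(f"{pw:20} naive {naive:6.1f} bits  pattern-aware {est:6.1f} bits  "
              f"-> {human_time(crack_time_seconds(est))}")
    for n in (4, 6):
        bits = passphrase_entropy_bits(n, 7776)  # 7776 = size of the Diceware word list
        print(f"{n} random Diceware words: {bits:.1f} bits -> {human_time(crack_time_seconds(bits))}")
```

Run it and the two columns tell the story of the whole post: P@ssw0rd! scores about 59 bits if you count characters but only about 25 once its tricks are scored as the yes/no choices they are, while a random 16-character string sits above 105 bits and a crack time in the trillions of years. The naive column is what simplistic "complexity" meters report, and the pattern-aware column is why they mislead.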
How to check yours — without handing it over
You can see all of this for your own passwords with a strength checker: it estimates the entropy and the crack time and shows you which factors are dragging the score down.
One important caveat, though — be careful where you check. Plenty of "how secure is my password" tools quietly send what you type to a server, sometimes to compare it against breach databases, which is a strange thing to do with a live password you actually use. I use ToopTools' Password Strength Checker because it runs entirely in your browser: it shows the entropy in bits and the estimated crack time, and your password never leaves your device. Close the tab and it's gone.
The short version
- Length matters far more than complexity — aim for 16+ characters.
- A passphrase of four or more random words is both stronger and easier to remember than a cryptic string.
- Never reuse a password; one breach shouldn't unlock everything you own.
- And if you test a password's strength online, use a tool that does it in your browser, not one that sends it away.
Your password doesn't have to be unguessable forever. It just has to outlast the patience and the hardware of whoever's trying — and length, far more than symbols, is what buys you that time.