What Makes a Password Secure?
Password security comes from two things: length and randomness. Each extra character multiplies possible combinations — a 12-character random password has roughly 10^20 combinations, a 16-character one has 10^27. Randomness matters because dictionary attacks and pattern-based tools can crack predictable passwords regardless of length.
Password Entropy
Entropy measures password strength in bits. Each bit doubles the difficulty for an attacker. 60+ bits = strong; 80+ bits = very strong. Every character type you add increases the entropy per character, provided the characters are chosen at random: lowercase only = 4.7 bits/char; add uppercase = 5.7; add numbers = 5.95; add symbols = 6.5+.
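An added example (not part of the original page): Python that reproduces the bits-per-character figures above, works out the length needed for a target entropy, and generates a password with the standard `secrets` module. The function names and the 94-character pool (printable ASCII without the space) are assumptions of this example.

```python
import math
import secrets
import string

# Character pools for the four tiers in the text (sizes 26, 52, 62, 94).
POOLS = {
    "lower": string.ascii_lowercase,
    "lower+upper": string.ascii_letters,
    "lower+upper+digits": string.ascii_letters + string.digits,
    "all": string.ascii_letters + string.digits + string.punctuation,
}

def bits_per_char(pool_size: int) -> float:
    """Entropy of one character drawn uniformly at random from the pool."""
    return math.log2(pool_size)

def length_for_bits(target_bits: float, pool_size: int) -> int:
    """Shortest length whose total entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(pool_size))

def generate(target_bits: float = 80, pool: str = POOLS["all"]) -> str:
    """Random password of at least target_bits, drawn from the OS CSPRNG."""
    n = length_for_bits(target_bits, len(pool))
    return "".join(secrets.choice(pool) for _ in range(n))

def naive_bits(password: str) -> float:
    """Upper bound only: assumes every character was picked at random.
    A predictable password (e.g. 'Password123!') scores high here yet
    falls to a dictionary attack, so treat this as a ceiling, not a rating."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(size) if size else 0.0

if __name__ == "__main__":
    for name, pool in POOLS.items():
        n = len(pool)
        print(f"{name:20} {n:3} chars  {bits_per_char(n):.2f} bits/char  "
              f"60 bits: {length_for_bits(60, n):2} chars  "
              f"80 bits: {length_for_bits(80, n):2} chars")
    print("80-bit password:", generate(80))
    print("naive bound for 'Password123!':", round(naive_bits("Password123!"), 1))
```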
Why Unique Passwords Matter
Data breaches expose billions of passwords every year. If you reuse a password and it appears in one breach, attackers try it on all your other accounts (credential stuffing). A unique password on every site means one breach never compromises others. A password manager makes this practical.
Frequently Asked Questions
How long should a password be?
At least 12 characters for basic accounts; 16+ for financial and email accounts. A 16-character random password has ~10^28 combinations — billions of years to crack with current hardware.
What makes a password strong?
Length, randomness and uniqueness. Use 16+ characters mixing uppercase, lowercase, numbers and symbols. Never use dictionary words or personal info. Never reuse passwords across sites.
Should I use a password manager?
Yes — recommended by all security professionals. Password managers generate and store unique strong passwords for every site. Reputable options: Bitwarden (free, open source), 1Password, and built-in browser/OS managers.
What is two-factor authentication?
A second verification step beyond your password, usually a code from an authenticator app or SMS. Even if your password is stolen, attackers can't log in without the second factor. Enable it on all important accounts, especially email and banking.
How often should I change my password?
NIST now recommends changing passwords only when compromised — not on a fixed schedule. Frequent forced changes lead to weaker passwords. Use HaveIBeenPwned.com to check if your email appears in data breaches.