
Password Security Guide: Building and Managing Strong Passwords

Learn what makes a password strong, understand entropy, common attack methods, and why NIST updated its guidelines to favor length over complexity.

What Makes a Password Strong?

Password strength comes primarily from length, not complexity. A 20-character passphrase like correct-horse-battery-staple is far stronger than an 8-character password like X7$kQ2!z despite being easier to remember. The reason is entropy: each additional character multiplies the number of possible combinations by the size of the character set, so the search space an attacker must cover grows exponentially with length.

NIST Special Publication 800-63B (updated 2017) explicitly recommends prioritizing password length over forced complexity rules. The guidelines suggest a minimum of 8 characters (preferably 15+), allowing all printable characters, and not requiring specific character types.

Understanding Password Entropy

Entropy measures how unpredictable a password is, expressed in bits. The figures below assume each character or word is chosen uniformly at random; a human-chosen password has far less entropy than its length suggests. Higher entropy means an attacker needs more guesses to crack the password.

  • Lowercase letters only (26 characters): ~4.7 bits per character
  • Mixed case + digits (62 characters): ~5.95 bits per character
  • Full printable ASCII (95 characters): ~6.57 bits per character
  • Random words from a 7,776-word dictionary: ~13 bits per word

A 4-word Diceware passphrase (52 bits) is equivalent to a 9-character fully random password. The passphrase is easier to type and remember.

Common Attack Methods

Brute Force

Every possible combination is tried sequentially. Modern GPUs can test billions of passwords per second against offline hashes. A 6-character password using all 95 printable characters (about 39 bits of entropy) can be cracked in under a day. A 12-character password (79 bits) would take thousands of years.
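The entropy figures in the section above and the brute-force crack-time estimates here follow from two formulas: bits = length × log2(alphabet size), and expected search time = half the keyspace divided by the guess rate. The script below, added here as an illustration and not part of the original guide, reproduces the page's numbers; the 10 billion guesses per second rate is a constructed assumption standing in for "billions per second", and the 9-character equivalence uses the 62-symbol alphabet.

```python
import math

# Alphabet sizes quoted in the entropy section of this guide.
LOWERCASE = 26
MIXED_CASE_DIGITS = 62
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776  # 6^5 entries in the standard Diceware list

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def bits_per_symbol(alphabet_size):
    """Entropy of one symbol chosen uniformly at random from the alphabet."""
    return math.log2(alphabet_size)


def random_password_entropy(length, alphabet_size):
    """Entropy (bits) of a password whose every character is uniformly random.
    This is the best case: a human-chosen password has far less."""
    return length * bits_per_symbol(alphabet_size)


def passphrase_entropy(word_count, dictionary_size=DICEWARE_WORDS):
    """Entropy (bits) of a passphrase built from uniformly random dictionary words."""
    return word_count * math.log2(dictionary_size)


def equivalent_random_length(entropy_bits, alphabet_size):
    """Shortest uniformly random password over the alphabet with at least this entropy."""
    return math.ceil(entropy_bits / bits_per_symbol(alphabet_size))


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time for exhaustive search: on average half the keyspace is tried."""
    keyspace = 2.0 ** entropy_bits
    return keyspace / 2 / guesses_per_second


def describe(label, entropy_bits, guesses_per_second):
    """One-line summary of entropy and expected crack time at the given rate."""
    secs = expected_crack_seconds(entropy_bits, guesses_per_second)
    span = f"{secs:.0f} seconds" if secs < SECONDS_PER_DAY else f"{secs / SECONDS_PER_YEAR:,.0f} years"
    return f"{label}: {entropy_bits:.1f} bits, expected crack time {span}"


if __name__ == "__main__":
    # Constructed assumption: an offline attack against stolen hashes at 10 billion guesses/s.
    RATE = 10_000_000_000
    print(describe("6 chars, printable ASCII", random_password_entropy(6, PRINTABLE_ASCII), RATE))
    print(describe("12 chars, printable ASCII", random_password_entropy(12, PRINTABLE_ASCII), RATE))
    print(describe("4 Diceware words", passphrase_entropy(4), RATE))
    print("4 Diceware words match a random password of length",
          equivalent_random_length(passphrase_entropy(4), MIXED_CASE_DIGITS), "over 62 symbols")
```

Swap in a slower hash (bcrypt, scrypt, Argon2) by lowering the guess rate to see how hashing cost, not only length, moves the expected crack time.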

Dictionary Attacks

Attackers try words from dictionaries, common password lists, and leaked databases. Passwords like password123 or qwerty are cracked in milliseconds. Substituting letters with numbers (p@ssw0rd) provides almost no additional security because attackers include these patterns in their dictionaries.

Credential Stuffing

When one service suffers a data breach, attackers test those username-password pairs on other services. If you reuse passwords across sites, one breach compromises all of them. This is the single most common way accounts are compromised.

Phishing

No matter how strong a password is, entering it on a fake login page gives it directly to the attacker. Two-factor authentication (2FA) mitigates this by requiring a second verification step.

Why Password Managers Matter

A password manager generates and stores unique, random passwords for every account. You only need to remember one strong master password. This eliminates password reuse (the biggest risk) and ensures every account has a high-entropy password. Most managers also autofill credentials, which helps avoid phishing by only filling on legitimate domains.

Popular password managers include Bitwarden (open-source), 1Password, and KeePassXC (offline). Choose one that syncs across your devices and supports browser integration for autofill. The cost of a password manager, even a paid one, is negligible compared to the cost of recovering a compromised account.

The Problem with Forced Complexity Rules

For years, websites required users to include uppercase letters, numbers, and special characters. Research has shown these rules encourage predictable patterns: capitalizing the first letter, adding "1" or "!" at the end, or replacing "a" with "@". Attackers know these patterns and optimize their cracking tools accordingly. NIST now recommends against mandatory complexity rules and instead encourages longer passphrases that users can actually remember. A memorable 16-character passphrase is far more secure than a forgettable 8-character password with forced special characters.

Practical Recommendations

  • Use a password manager to generate unique 16+ character passwords for every account.
  • Enable two-factor authentication wherever possible, preferably with an authenticator app over SMS.
  • Check haveibeenpwned.com periodically to see if your credentials have been exposed.
  • Never reuse passwords across different services.
  • Consider passkeys (FIDO2/WebAuthn) as a passwordless alternative for supported services.
  • Avoid using personal information (birthdays, pet names, addresses) in passwords.
  • Change passwords immediately after a data breach notification, but avoid forced periodic changes which lead to weaker passwords.
