A strong password is long, random, and unique. Most people know this in theory. What they lack is a clear picture of what “strong” looks like in practice — and exactly why a password that feels secure is often not.
What makes a password weak
Weak passwords share one trait: they are predictable. Attackers don’t guess randomly — they use lists of common passwords, dictionary words, and pattern-based rules that reflect how humans actually construct passwords.
These are weak for specific, diagnosable reasons:
| Password | Problem |
|---|---|
| sunshine | Dictionary word, 8 characters — cracked instantly |
| P@ssw0rd1 | Letter-to-symbol substitution (a→@, o→0) is a known pattern — cracking tools apply these rules automatically |
| john1985 | Personal information — first name + birth year is among the first things attackers try |
| Qwerty123! | Keyboard walk + common suffix — in every common-password wordlist and rule set |
| iloveyou2024 | Common phrase + year — trivial to crack despite length |
| Summer2024! | Capitalised noun + year + symbol — a pattern, not randomness |
The last two are particularly deceptive. They feel “complex” because they’re longer or include numbers, but they follow patterns that cracking tools exploit.
What a strong password actually looks like
Strong passwords have no pattern. They are generated, not invented.
| Password | Length | Why it’s strong |
|---|---|---|
| kT9#mXv2@Lq8!nRs | 16 chars | Random mix of all character types — no dictionary words, no patterns; about 105 bits if each character is drawn uniformly from the printable ASCII set |
| Xw3!pL9$vQ2@mZk8nR5# | 20 chars | High entropy (about 131 bits on the same assumption), character variety, machine-generated |
| velvet-spoon-comet-ridge | 24 chars | Four words drawn at random from a wordlist — long enough to be secure and memorable. Its strength is the size of the list, not the words themselves: four words from a 7,776-word list give about 52 bits, so add a word or two for high-value accounts |
| r7!Nq$Lm2@Kv9#Xp4&Wd | 20 chars | Maximum entropy for its length — effectively uncrackable by brute force |
The difference between weak and strong comes down to one question: could a human have chosen this? If yes, an attacker’s tool will eventually try it. If no — if it required a random generator — you’re in a much safer position.
Why “complex” isn’t enough
Complexity rules (must include a capital, a number, and a symbol) were designed to increase entropy. The problem is they push people toward predictable complexity: capitalise the first letter, add a number at the end, swap an @ for an a. These patterns are well-known to crackers.
True strength comes from randomness at sufficient length. A 20-character lowercase-only random string (about 94 bits) has more entropy than a 10-character password drawn from every character type (about 66 bits), because entropy grows linearly with length but only logarithmically with the size of the alphabet.
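To put numbers on that claim, here is an added example (not code from the original page) that computes the entropy of generated passwords and passphrases from length and alphabet or wordlist size, and shows why the same arithmetic means nothing for a human-chosen password. The `CLASSES` table, the function names, and the illustrative 10^12 guesses-per-second rate used in the demo are assumptions made for this example.

```python
import math
import string

# Character classes that size the alphabet a generated password is drawn from.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of `length` characters each drawn uniformly and
    independently from an alphabet of `alphabet_size` characters."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn uniformly, with replacement, from a list
    of `wordlist_size` words. The separator and the words' length add nothing;
    only the number of words and the size of the list matter."""
    if words <= 0 or wordlist_size <= 1:
        return 0.0
    return words * math.log2(wordlist_size)


def effective_alphabet(password: str) -> int:
    """Size of the union of character classes that appear in `password`.
    Feeding this to random_password_bits gives an UPPER bound that is only
    meaningful for a generated password: a human-chosen 'Summer2024!' touches
    all four classes but was picked from a tiny space of patterns."""
    size = 0
    covered = set()
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered.update(chars)
    # Characters outside the four classes (e.g. non-ASCII) each widen the alphabet by one.
    return size + len({c for c in password if c not in covered})


def generated_password_bits(password: str) -> float:
    """Entropy a *generated* password of this length and class mix would have."""
    return random_password_bits(len(password), effective_alphabet(password))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret of `bits` bits by brute
    force: on average half the keyspace must be searched."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    # Illustrative guess rate (an assumption, not a measurement): 10^12 guesses per
    # second is the order of magnitude a GPU rig reaches against a fast unsalted
    # hash. Against a slow, properly tuned KDF it is many orders of magnitude lower.
    RATE = 1e12
    for label, bits in [
        ("20 random lowercase chars", random_password_bits(20, 26)),
        ("10 random chars, all classes", random_password_bits(10, 94)),
        ("16 random chars, all classes", generated_password_bits("kT9#mXv2@Lq8!nRs")),
        ("4 words from a 7,776-word list", passphrase_bits(4, 7776)),
    ]:
        years = expected_crack_seconds(bits, RATE) / (365.25 * 24 * 3600)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years at {RATE:.0e} guesses/s")
```

Running the demo shows the ordering the text describes: 20 lowercase characters beat 10 characters from all classes by almost 30 bits, and a four-word passphrase from a 7,776-word list sits at roughly 52 bits, which is why the takeaways below ask for more length on high-value accounts rather than more symbol types.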
The uniqueness requirement
Even a strong password becomes a liability if it’s reused. When one site is breached, attackers replay the leaked username/password pairs against every other site, and any account where you used the same password falls with it. This is credential stuffing, one of the most common account takeover methods.
Every account needs its own unique password. The only practical way to do this is with a password manager, which stores and fills them for you.
Practical takeaways
- Use a generator — never invent passwords yourself
- Target 16+ characters for standard accounts, 20+ for email, banking, and password managers
- Use all character types when the site allows it — uppercase, lowercase, numbers, symbols
- Never reuse a password across sites
- Store everything in a password manager — you should never need to memorise a generated password
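As an added example, not code from the original page, the following generator applies the takeaways above: it draws characters from the operating system's CSPRNG via `secrets` (never the `random` module), enforces a minimum length, guarantees every character class by rejection sampling so the output stays uniformly distributed, and builds word passphrases from a wordlist. The function names and the 16-word `TOY_WORDS` list are assumptions; the toy list exists only so the example runs offline and is far too small for real use.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
DEFAULT_ALPHABET = "".join(ALL_CLASSES)

# Constructed toy wordlist so the example runs offline. It gives only log2(16) = 4 bits
# per word; a real generator should load a published list such as the EFF large
# wordlist (7,776 words, about 12.9 bits per word).
TOY_WORDS = [
    "velvet", "spoon", "comet", "ridge", "anchor", "basil", "canyon", "drift",
    "ember", "falcon", "garnet", "harbor", "ivory", "juniper", "kettle", "lantern",
]


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one lowercase, uppercase, digit and symbol."""
    return all(any(c in cls for c in password) for cls in ALL_CLASSES)


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET,
                      require_all_classes: bool = True) -> str:
    """Draw `length` characters from `alphabet` with the OS CSPRNG (secrets.choice).
    With require_all_classes, candidates missing a class are rejected and redrawn:
    every accepted password stays equally likely, which a fix-up such as 'append one
    digit at the end' would not preserve (and would itself create a pattern)."""
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    if require_all_classes:
        if length < len(ALL_CLASSES):
            raise ValueError("too short to contain every character class")
        if not all(any(c in cls for c in alphabet) for cls in ALL_CLASSES):
            raise ValueError("alphabet lacks a class; pass require_all_classes=False")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or has_all_classes(candidate):
            return candidate


def generate_passphrase(words: int = 4, wordlist=TOY_WORDS, sep: str = "-") -> str:
    """Join `words` words drawn uniformly from `wordlist`. Repeats are allowed;
    that keeps every draw independent and the entropy exactly words * log2(len)."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print("standard account  :", generate_password(16))
    print("high-value account:", generate_password(20))
    # A site that only permits a few symbols: shrink the alphabet, keep the classes.
    print("restricted symbols:", generate_password(16, alphabet=LOWER + UPPER + DIGITS + "!@#$"))
    print("passphrase        :", generate_passphrase(4))
```

The rejection loop terminates quickly in practice: for 16 characters from the full alphabet, the chance that a draw misses a class is dominated by the digits (about 17%), so a handful of redraws at most. Only the wordlist needs swapping for real use; the rest of the generator is exactly what a password manager does internally.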