Password Security: The Guide You'll Actually Read to the End
Why Your Password Is Probably Weak
According to NordPass 2025, the top 3 passwords in the world are "123456," "password," and "qwerty." Brute-forcing them takes less than a second. Even seemingly clever passwords like "John1985!" are easily cracked through dictionary attacks that include names, birthdays, and common letter substitutions.
What Makes a Password Truly Strong?
Length beats complexity. A 16-character random lowercase string is stronger than an 8-character "M@tr!x99." A modern GPU cracks an 8-character password in hours, while a 16-character one takes thousands of years.
Randomness, not patterns. "Passw0rd!" is a bad password despite the special character. Cracking algorithms know about o→0 and a→@ substitutions.
Uniqueness. One password for everything is a disaster. When one service is breached, attackers automatically test the leaked password against dozens of other services (credential stuffing).
The Right Approach: Passphrase Method
Pick 4–5 random words: "pine cloud dollar metro anchor". Such a phrase is:
- Long (30+ characters)
- Easy to remember
- Resistant to brute force (10³⁵ combinations)
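As an added example (not from the original article), the Python code below draws a passphrase with a CSPRNG and computes the entropy behind both the "length beats complexity" comparison and the passphrase method. The 32-word list is constructed for the demo and the function names are assumptions; a real list would be much larger, such as the 7,776-word EFF diceware list.

```python
import math
import secrets

# Constructed 32-word list so the block runs offline; far too small for real
# use. A published list such as the 7,776-word EFF diceware list is the
# intended kind of input.
SAMPLE_WORDS = (
    "pine cloud dollar metro anchor river candle marble tiger violet "
    "harbor pencil rocket saddle timber walnut bridge copper garden ladder "
    "meadow napkin orchid pillow quartz ribbon shadow tunnel velvet window "
    "yellow zipper"
).split()


def bits_random_string(length, alphabet_size):
    """Entropy in bits of a string whose characters are drawn uniformly."""
    return length * math.log2(alphabet_size)


def bits_passphrase(n_words, wordlist_size):
    """Entropy in bits of n words drawn uniformly and independently.

    Assumes the attacker knows the wordlist, so only the random choice counts.
    """
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words, wordlist, sep=" "):
    """Return (passphrase, entropy_bits) using the OS CSPRNG via secrets."""
    words = sorted(set(wordlist))  # duplicates would skew the distribution
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word and a list of 2+ unique words")
    picked = [secrets.choice(words) for _ in range(n_words)]
    return sep.join(picked), bits_passphrase(n_words, len(words))


if __name__ == "__main__":
    phrase, bits = generate_passphrase(5, SAMPLE_WORDS)
    print(f"{phrase!r}: {bits:.1f} bits with this 32-word demo list")
    print(f"5 words from a 7,776-word list: {bits_passphrase(5, 7776):.1f} bits")
    print(f"16 random lowercase: {bits_random_string(16, 26):.1f} bits")
    print(f"8 random printable ASCII: {bits_random_string(8, 95):.1f} bits")
```

The entropy figures hold only when the generator picks the words; choosing them yourself or reusing a known phrase removes the randomness the calculation depends on.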
Password Managers: Why They're Essential
Remembering 200+ unique passwords is impossible. Password managers solve this:
- Bitwarden — open source, free, cross-platform
- 1Password — great UX, for families and teams
- KeePassXC — stores the database locally, no cloud
You only need one master password — and it should be as strong as possible.
What to Do About Leaks?
- Check your addresses at haveibeenpwned.com
- Change passwords immediately when notified of a breach
- Use temporary email inboxes when registering on questionable services, so your real address won't end up in the leaked databases attackers use for brute-force attempts
Summary
| Bad | Good |
|---|---|
| "Qwerty123" | Random 5-word passphrase |
| Same password everywhere | Unique per site |
| Store in notes | Password manager |
| Change once a year | Change on breach |
