Security

How to Create Passwords That Actually Stop Hackers

By XilXil Tools Hub · June 10, 2026 · 6 min read

Most password advice is wrong. "Use a capital letter, a number, and a special character" leads to passwords like Summer2026! — easily cracked in seconds. This guide explains the actual science of password security and how to create passwords that resist modern attacks.

The Math of Password Strength

Password strength is measured in entropy — bits of randomness. The formula is simple: entropy = log2(charset_size) × length. A password using only lowercase letters has 26 characters in its set, so each character adds ~4.7 bits of entropy. A 12-character lowercase password has ~56 bits.

Add uppercase (52), numbers (62), and symbols (~95), and each character now adds ~6.5 bits. That same 12-character password with all character types has ~78 bits — over 4 million times harder to crack.

But here's the key insight: length beats complexity. A 20-character lowercase password (94 bits) is stronger than a 12-character mixed password (78 bits). This is why modern advice emphasizes length.

How Passwords Get Cracked

Attackers don't guess passwords one by one. They use these techniques:

1. Dictionary Attacks

Attackers try every word in a dictionary (and common password lists like RockYou). Password1!, letmein, qwerty123 — all cracked in milliseconds.

2. Brute Force

Try every possible combination. With modern GPUs, attackers can try 100 billion passwords per second on hashed databases. A 6-character password is cracked instantly. A 12-character random password takes centuries.

3. Credential Stuffing

Use leaked username/password pairs from data breaches to try logging into other sites. If you reuse passwords, one breach compromises all your accounts.

4. Phishing

Trick users into entering passwords on fake sites. No password strength defends against this — only 2FA helps.

The Modern Password Rules

  1. Use a password manager. Bitwarden, 1Password, KeePassXC. Generate and store unique passwords for every account.
  2. Minimum 16 characters for important accounts (email, banking, password manager master). 12+ for others.
  3. Use all character types when allowed — uppercase, lowercase, numbers, symbols.
  4. Never reuse passwords. One breach shouldn't cascade.
  5. Enable 2FA everywhere. Use an authenticator app (Authy, Aegis) or hardware key (YubiKey). Avoid SMS 2FA when possible.
  6. Use passkeys when supported — they're phishing-resistant and don't require memorization.

For Developers: Hashing Passwords

If you're storing user passwords, you must hash them with a slow, salted algorithm. Never store plaintext, never use MD5 or SHA-256 alone for passwords. Use one of:

bcrypt (most common)

// Node.js
const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(password, 12); // cost factor 12
const match = await bcrypt.compare(inputPassword, hash);

Argon2id (recommended for new projects)

// Node.js
const argon2 = require('argon2');
const hash = await argon2.hash(password, {
  type: argon2.argon2id,
  memoryCost: 65536, // 64 MB
  timeCost: 3,
  parallelism: 4
});
const match = await argon2.verify(hash, inputPassword);

The "cost factor" (bcrypt) or "time/memory cost" (Argon2) controls how slow the hash is. Slower = harder to brute force, but slower login. Aim for ~250ms per hash on your server hardware.

Testing Password Strength

Use our Password Strength Checker to estimate entropy and crack time. It calculates:

Don't enter your actual passwords into online tools. Our checker runs entirely in your browser — you can verify by disconnecting from the internet. But for the truly paranoid, generate passwords with our Password Generator instead.

The Passphrase Alternative

Random passwords like K7#m$pL2!nQ9vR are strong but impossible to memorize. For passwords you must remember (like your password manager master), use a passphrase:

correct-horse-battery-staple-purple-ocean
7 words, 41 characters, ~91 bits of entropy

Use 5-7 random common words (use a diceware list or random word generator). Easy to remember, easy to type, and stronger than 12-character random passwords.

Frequently Asked Questions

How long should my password be?
For important accounts (email, banking, password manager master), use at least 16 characters. For other accounts, 12+ is acceptable when combined with 2FA. When using a password manager to generate passwords, use 20+ characters — you don't need to remember them.
Is "Password123!" secure?
No. It would be cracked in milliseconds via dictionary attack. The capital letter, number, and symbol don't help when the base word is in every password dictionary.
Should I change my passwords regularly?
NIST changed their guidance in 2017: don't force regular password changes unless there's evidence of compromise. Forced changes lead to weaker passwords (Password1 → Password2). Focus on strong, unique passwords instead.
Are password managers safe?
Yes, when used correctly. They encrypt your vault with a master password (use a passphrase!). The encrypted vault never leaves your device. Even if their server is breached, attackers can't decrypt without your master password. Use Bitwarden, 1Password, or KeePassXC.
What's better: bcrypt or Argon2?
Argon2id is recommended for new projects (it won the Password Hashing Competition in 2015). It's resistant to GPU and ASIC attacks. bcrypt is still secure and battle-tested — keep using it if you already do. Avoid MD5, SHA-1, SHA-256 (without salt+iterations) for passwords.

Secure your accounts now

Free tools to improve your password security: