The Good Enough Secret
An honest guide to password security, without the fear-mongering.
The Hard Truth
Given enough time and computing power, any password can eventually be cracked. The lock on your front door can be picked too, but that doesn't mean locks are useless.
The real goal? Be too expensive to bother with.
Attackers don't target individuals by hand. They run automated tools against millions of accounts simultaneously. If cracking your password would take centuries on modern hardware, you're safe in practice.
The Formula
Password strength boils down to one equation:
combinations = character_set_size ^ password_length
Every extra character multiplies the total combinations. Going from 8 to 12 characters doesn't add 4 more guesses. It multiplies the guess count by the pool size, four times over.
Two Recipes That Work
- Mixed case letters
- Leading symbol
- Trailing numbers
- 15 characters total
- Great for daily use

- 4 random words
- Hyphen separated
- 280+ trillion combos
- Easy to type
- Best for memory vaults
Three Golden Rules
Length matters more than complexity. A 20-character all-lowercase passphrase has more entropy than an 8-character "complex" password with symbols. Aim for at least 12 characters for standard accounts, 20+ for sensitive ones.
Humans are terrible at random. We gravitate toward patterns, dates, and words we like. Use a tool like TofuPass to generate truly random passwords. The word lists are curated to avoid predictable patterns.
Even a strong password is worthless if it appeared in a data breach. Use our Stress Tester to check if your password shows up in HaveIBeenPwned's database of billions of compromised credentials, privately using k-Anonymity.