Despite years of expert advice, the most common passwords in data breaches are still "123456", "password" and "qwerty". Understanding what actually makes a password strong is the foundation of protecting your online accounts.
The Science Behind Password Strength
Password strength is measured in bits of entropy — a mathematical representation of unpredictability. A 16-character random password from a 94-character pool has about 104 bits of entropy, considered very strong by current standards.
Length Is the Single Most Important Factor
Every additional character multiplies the number of possible combinations by the character pool size. A 16-character lowercase password has 450,000 times more combinations than a 12-character one. No substitution trick comes close to this improvement.
Common Password Mistakes
Dictionary words: Cracking tools run through entire dictionaries in seconds — any real word is vulnerable.
Predictable substitutions: Replacing "a" with "@" or "e" with "3" is built into every cracking dictionary.
Keyboard patterns: Sequences like "qwerty" and "asdfgh" are among the very first guesses any tool tries.
Password reuse: When one service is breached, attackers immediately try the same credentials on hundreds of other services, a technique called credential stuffing.
How to Generate a Truly Strong Password
The PursTech Password Generator uses your browser's crypto.getRandomValues() API, a cryptographically secure random number generator and the same technology used in SSL certificates and banking systems, producing passwords that are statistically indistinguishable from true randomness.
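As an added illustration (not the PursTech generator's own code), the sketch below draws a password from crypto.getRandomValues() without modulo bias and computes the entropy and length figures discussed above. The names generatePassword, entropyBits and POOL_94 are assumptions made for this example.

```javascript
// Added example; function and constant names are illustrative, not from any product.
// Web Crypto is a global in browsers and recent Node; older Node exposes it via node:crypto.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// The 94 printable ASCII characters, '!' (0x21) through '~' (0x7E).
const POOL_94 = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join("");

// Entropy in bits of a uniformly random password: length * log2(pool size).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Pick `length` characters uniformly from `pool` using rejection sampling.
// A plain `byte % pool.length` would favour the first (256 % pool.length) characters,
// so bytes at or above the largest multiple of pool.length are discarded.
function generatePassword(length, pool = POOL_94) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  if (pool.length < 2 || pool.length > 256) {
    throw new RangeError("pool must contain 2 to 256 characters");
  }
  const limit = 256 - (256 % pool.length);
  const buf = new Uint8Array(length * 2); // oversample so one refill is usually enough
  const out = [];
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(pool[b % pool.length]);
    }
  }
  return out.join("");
}

console.log(generatePassword(16), entropyBits(16, POOL_94.length).toFixed(1), "bits");
// Four extra lowercase characters multiply the search space by 26^4.
console.log("16 vs 12 lowercase characters:", 26 ** (16 - 12), "times more combinations");
```

Math.random() is not a substitute here: it is not designed to be unpredictable, so the entropy figure only holds for a cryptographically secure source.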
Password Managers
The only realistic way to use strong, unique passwords for every account is a password manager. Bitwarden is free and open-source. 1Password and Dashlane are excellent paid options. All sync securely across your devices.
Two-Factor Authentication
Two-factor authentication (2FA) adds a second layer that requires physical possession of your phone. Enable it on every account that supports it, especially email, banking and social media.