The security of a password primarily depends on its length, how random its characters are, whether it is unique to one account, and whether it has already appeared in a breach. A strong password generally:
- Is at least 12 characters long, with longer (e.g., 14-16+ characters) passwords being even more secure; each added random character multiplies the attacker's search space.
- Includes a mix of uppercase letters, lowercase letters, numbers, and special characters. This only helps when the characters are chosen at random: a composition rule applied by hand tends to produce predictable patterns such as a capitalised word followed by a digit and a symbol, which is why NIST SP 800-63B advises against mandating character classes and favours length and breach checking instead.
- Is unique for every account, never reused, and not based on easily guessable information such as birthdays, names, or common words.
- Has not been exposed in data breaches or leaks, since leaked passwords are the first thing cracking tools and credential-stuffing attacks try.
Modern password security assessments estimate how long it would take a computer to crack a password by brute force: the number of possible combinations for the password's length and character set, divided by an assumed guess rate. Tools commonly assume millions to billions of guesses per second and recommend passwords that would take centuries to crack. Two caveats apply to such estimates. First, the guess rate depends heavily on the attack setting: an online login form with rate limiting allows only a handful of guesses per second, while an offline attack against a leaked database of fast, unsalted hashes (for example MD5 or SHA-1) can run billions of guesses per second on commodity GPUs, and a slow, memory-hard hash such as bcrypt or Argon2 brings that down by orders of magnitude. Second, real cracking tools do not search the keyspace uniformly; they try dictionaries, leaked passwords, and common mutation rules first, so a password assembled from words and predictable substitutions is much weaker than its character-count suggests. Additionally, password strength checkers often operate locally in the browser to protect privacy and use methods like k-anonymity to check whether a password appeared in known breaches without transmitting the full password to servers: the client hashes the password (Have I Been Pwned's Pwned Passwords service uses SHA-1), sends only the first five hex characters of the hash, receives every breached hash suffix sharing that prefix, and compares the remainder locally, so the server never learns which password, if any, was matched. To ensure a password is secure:
- Make it long (12 characters or more).
- Use a combination of character types.
- Make it random and unique.
- Avoid reuse across accounts.
- Check if it has been compromised through reputable breach databases.
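The following Python script is an added example, not code from the original page or from any of the tools it mentions. It puts the two assessment techniques described above side by side: a brute-force time estimate derived from the password's length and character classes at assumed guess rates, and a k-anonymity breach lookup modelled on the Pwned Passwords range query. The breach corpus, the counts in it, and the guess rates are constructed assumptions so the script runs offline; the in-process range_query function stands in for the remote server and, like the real service, receives only a five-character hash prefix.

```python
import hashlib
import math
import string

# Assumed guess rates (guesses per second), not measured figures.
GUESS_RATES = {
    "online, rate-limited login": 1e2,
    "offline, fast unsalted hash (GPU)": 1e10,
    "offline, bcrypt/Argon2": 1e4,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the character pool an attacker must search, based on the
    classes actually present in the password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        pool += 1
    return pool


def brute_force_bits(password: str) -> float:
    """Keyspace in bits, assuming every character is uniformly random.
    This is an upper bound: words and patterns make the real value smaller."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


# Constructed breach corpus with made-up occurrence counts, standing in for a
# remote breach database. Indexed by the first five hex characters of SHA-1,
# the same layout the Pwned Passwords range endpoint returns.
_CONSTRUCTED_BREACHES = {"password": 3, "123456": 5, "qwerty": 2, "letmein": 1}
_BREACH_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in _CONSTRUCTED_BREACHES.items():
    _digest = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _BREACH_INDEX.setdefault(_digest[:5], {})[_digest[5:]] = _count


def range_query(prefix: str) -> dict[str, int]:
    """Server side of the k-anonymity protocol. It sees only a 5-hex-char prefix
    (16 bits), so it cannot tell which of the 2^144 possible suffixes the client holds."""
    assert len(prefix) == 5, "only the hash prefix is ever sent"
    return dict(_BREACH_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)


def assess(password: str) -> dict:
    """Combine both checks. A breached password is reported as weak regardless
    of its brute-force estimate, since attackers try leaked lists first."""
    bits = brute_force_bits(password)
    years = {name: expected_crack_seconds(bits, rate) / SECONDS_PER_YEAR
             for name, rate in GUESS_RATES.items()}
    seen = breach_count(password)
    return {
        "length": len(password),
        "bits": round(bits, 1),
        "years_to_crack": years,
        "breach_count": seen,
        "acceptable": seen == 0 and len(password) >= 12,
    }


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        report = assess(candidate)
        print(f"{candidate!r}: {report['bits']} bits, breached {report['breach_count']}x")
        for scenario, yrs in report["years_to_crack"].items():
            print(f"    {scenario}: {yrs:.3g} years")
```

Note the asymmetry the report exposes: a password with a respectable bit count still fails if it appears in the breach index, and the same bit count translates into wildly different crack times depending on which guess rate applies, which is why a checker's "centuries" verdict should always be read together with the rate it assumed.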
Using a password manager can help generate, store, and manage strong, unique, randomly generated passwords easily, which removes the need to invent or remember them. These principles and measures reflect current best practices and research on password security from multiple cybersecurity sources, including NIST's guidance in SP 800-63B and password managers and checking tools such as NordPass and Bitwarden.