Quick Answer: A secure password must be long (16+ characters), use a large character set (letters, numbers, symbols), and be generated with true randomness. A random 16-character password from 94-character set has ~105 bits of entropy — it would take longer than the age of the universe to brute-force at any computers' current speeds.
Why Randomness Is Critical for Passwords
Humans are terrible at generating random passwords. We unconsciously favor patterns, words, and sequential numbers. "Random" passwords chosen by humans are far more predictable than they appear — attackers use dictionaries, pattern lists, and social engineering data to crack human-chosen passwords. True cryptographic randomness — from CSPRNG — produces passwords with no exploitable patterns.
Password Entropy: Measuring Strength
Password entropy is measured in bits where higher = stronger. Formula: H = log₂(C^L) where C is character set size and L is length.
| Character Set | Size (C) | 12 chars entropy | 16 chars entropy |
|---|---|---|---|
| Lowercase only | 26 | 56 bits | 75 bits |
| Lower + Upper | 52 | 62 bits | 84 bits |
| Lower + Upper + Numbers | 62 | 71 bits | 95 bits |
| All printable ASCII | 94 | 79 bits | 105 bits |
Modern Cracking Speeds Context
Modern GPU-accelerated password crackers can test billions of hash combinations per second for fast hashes. An 8-character all-charset password (52 bits) can be brute-forced in days. A 16-character all-charset password (105 bits) would take vastly longer than the age of the universe. Length and randomness together provide exponential security.
Best Practices: Use a Password Manager
Password managers generate long, random, unique passwords for every site and store them securely. You only need to remember one strong master password. Modern password managers use CSPRNG for generation and authenticated encryption for storage.