What Makes a Password Truly Secure? The Science Explained

Beyond Complexity Rules

For decades, password advice has focused on complexity rules: use at least 8 characters, include uppercase and lowercase letters, add a number, throw in a special character. These rules are well-intentioned but fundamentally misguided. They optimize for what looks complex to a human eye rather than what's actually hard for a computer to crack.

The password P@ssw0rd! satisfies every common complexity requirement. It has uppercase, lowercase, numbers, and symbols. It's also cracked in under one second by any modern cracking tool because it's a trivial variation of one of the most common passwords in every breach database.

Meanwhile, the password maple urgent throne copper galaxy violates most complexity rules — no uppercase, no numbers, no symbols — yet would take centuries to crack through brute force. The difference? It has significantly more entropy.

Understanding why requires digging into how passwords are stored, how they're attacked, and what mathematical properties actually determine their resistance to those attacks.

How Passwords Are Stored

When you create an account and set a password, the service (if it's competent) doesn't store your actual password. Instead, it stores a hash — a one-way mathematical transformation of your password. When you log in, the service hashes the password you enter and compares it to the stored hash. If they match, you're authenticated.

Key properties of hash functions:

• Deterministic. The same input always produces the same output.
• One-way. You can't reverse-engineer the password from the hash. There's no "decrypt" operation.
• Avalanche effect. A tiny change in input produces a completely different hash. "password1" and "password2" produce hashes that look nothing alike.
• Fixed output length. Regardless of whether your password is 5 characters or 500, the hash is always the same length.

Common hashing algorithms you'll encounter:

• MD5 — Fast but broken. No salt. Should never be used for passwords but still appears in legacy systems and older breaches.
• SHA-1, SHA-256 — Better than MD5 but still too fast for password storage. Designed for speed, which is the opposite of what you want.
• bcrypt — Purpose-built for passwords. Includes a configurable work factor that makes hashing intentionally slow. Widely used and well-respected.
• scrypt — Similar to bcrypt but also memory-hard, making it resistant to GPU and ASIC attacks.
• Argon2id — The current gold standard. Winner of the Password Hashing Competition (2015). Memory-hard, parallelism-resistant, and highly configurable. Recommended by OWASP and NIST.

Salting is equally important. A salt is a random string added to each password before hashing. Without salting, two users with the same password produce the same hash — making precomputed attacks (rainbow tables) possible. With salting, even identical passwords produce different hashes.

The quality of a service's hashing directly affects how long your password survives a breach. A password hashed with unsalted MD5 is vastly more vulnerable than the same password hashed with Argon2id and a unique salt.

How Password Cracking Works

When attackers obtain a database of password hashes (through a data breach), they attempt to find the original passwords through several methods:

Brute force. Try every possible combination of characters up to a certain length. This is guaranteed to eventually find any password, but is computationally expensive for long passwords. It's typically the method of last resort.

Dictionary attacks. Try words and phrases from prebuilt dictionaries — not just English dictionaries, but massive compilations of previously leaked passwords, common phrases, names, and patterns.

Rule-based attacks. Take dictionary words and apply transformations: capitalize the first letter, append numbers, substitute characters (a→@, e→3), add years, reverse the string. Tools like Hashcat ship with extensive rule sets derived from analyzing real password patterns.

Hybrid attacks. Combine dictionary words with brute-force segments. For example, try every dictionary word followed by every 4-digit number (0000–9999).

Rainbow tables. Precomputed tables that map hashes back to their plain-text passwords. Effective against unsalted hashes but neutralized by proper salting.

Combinator attacks. Combine words from multiple dictionaries. "sunshine" + "butterfly" = "sunshinebutterfly". This is specifically designed to crack passphrases made of simple word combinations.

The critical insight is that attackers don't work through passwords randomly — they work through the most likely passwords first. The order of attack follows human psychology: common words, common patterns, common substitutions, then common combinations, then increasingly obscure territory. A truly random password forces attackers into pure brute force, which is the hardest path.

The Role of Entropy

Entropy measures the unpredictability of a password in bits. It's the most scientifically rigorous way to evaluate password strength. The formula is:

Entropy = log₂(N^L) or equivalently L × log₂(N)

Where N is the number of possible characters (the character space) and L is the length.

For a random password using all 95 printable ASCII characters:

• 8 characters: 8 × log₂(95) ≈ 52.6 bits
• 12 characters: 12 × log₂(95) ≈ 78.8 bits
• 16 characters: 16 × log₂(95) ≈ 105.1 bits
• 20 characters: 20 × log₂(95) ≈ 131.4 bits

For a passphrase using random words from a 7,776-word list (EFF dice words):

• 4 words: 4 × log₂(7776) ≈ 51.7 bits
• 5 words: 5 × log₂(7776) ≈ 64.6 bits
• 6 words: 6 × log₂(7776) ≈ 77.5 bits
• 7 words: 7 × log₂(7776) ≈ 90.5 bits

But here's the crucial caveat: these calculations assume true randomness. A human-chosen 12-character password that happens to include uppercase, lowercase, digits, and symbols typically has far less than 78 bits of entropy because humans are predictable. We capitalize the first letter, put numbers at the end, use dictionary words as the base, and substitute characters in predictable ways.

This is why security researchers distinguish between theoretical entropy (the maximum for a given length and character set) and effective entropy (the actual unpredictability of a specific password, given human biases). Human-chosen passwords routinely have 50–70% less effective entropy than their theoretical maximum.

Why Dictionary Attacks Are So Effective

Dictionary attacks exploit the gap between theoretical and effective entropy. Instead of trying every possible combination, they try the combinations that humans actually choose — which is a dramatically smaller set.

Modern cracking dictionaries include:

• Previously breached passwords. The RockYou breach alone provided 32 million passwords. Combined with hundreds of other breaches, attackers have billions of real passwords to work from.
• Common word lists. English words, names, places, pop culture references, sports teams.
• Keyboard patterns. qwerty, asdfgh, zxcvbn, 1qaz2wsx.
• Date patterns. Birthdays, anniversaries, years.
• L33tspeak variants. Every word with common substitutions already generated.

When a human "invents" a password, they're almost always assembling components from these categories. The password Sunshine2026! is a dictionary word + a year + punctuation — exactly the pattern that rule-based dictionary attacks are optimized to find.

Researchers at Carnegie Mellon analyzed millions of passwords and found that when people are asked to create a password meeting typical complexity requirements, they converge on a small number of structural patterns:

• Word + Number + Symbol (e.g., Football123!)
• Capitalized word + Number (e.g., Shadow99)
• Name + Year (e.g., Jessica2026)
• Keyboard pattern + Modifications (e.g., Qwerty!23)

This convergence is exactly what makes dictionary attacks so effective. Attackers don't need to guess your specific password — they need to guess the pattern you used, then fill in the specifics.

Modern Cracking Hardware

Password cracking speed depends on two factors: the hashing algorithm and the hardware being used.

Hashing speed matters because it determines the cost of each guess. Fast algorithms (MD5, SHA-1) allow billions of guesses per second. Slow algorithms (bcrypt, Argon2id) reduce that to thousands or even hundreds per second.

Approximate cracking speeds on a single modern GPU (RTX 4090) in 2026:

• MD5: ~165 billion hashes/second
• SHA-256: ~22 billion hashes/second
• bcrypt (cost 12): ~94,000 hashes/second
• scrypt: ~2.5 million hashes/second (varies with parameters)
• Argon2id: ~150–500 hashes/second (varies with memory/iteration settings)

For large-scale operations, attackers use multi-GPU rigs or rent cloud GPU clusters. An 8× RTX 4090 setup multiplies the above numbers by roughly 8. Some operations use hundreds of GPUs.

The practical implication: an 8-character random password hashed with MD5 (52.6 bits of entropy) can be cracked by a single GPU in under a day. The same password hashed with Argon2id would take decades. But you, the user, usually don't control which algorithm a service uses — so your best defense is maximum entropy through length and randomness.

What Makes a Password Survive an Attack

Given everything above, a password that survives a real-world attack has these properties:

1. True randomness. Not "random-ish" or "random to me" — actually generated by a cryptographically secure random number generator. Human brains are terrible at randomness. Every "random" choice you make is influenced by recency, familiarity, and cognitive biases.

2. Sufficient length. For random passwords with the full ASCII character set, 16 characters provides ~105 bits of entropy — well beyond current cracking capabilities even against fast hashes. For passphrases, 6 words from a large word list provides ~77 bits.

3. No relationship to the user. No names, dates, locations, interests, or any other information discoverable through social media, public records, or social engineering.

4. No relationship to other passwords. Each password must be independently generated. Variations, patterns, and formulas are all exploitable.

5. Uniqueness. Used for exactly one account. Even a perfect password is worthless if it's reused and one of the services using it gets breached.

The uncomfortable truth is that the only passwords meeting all five criteria are passwords that humans can't remember. This is precisely why password managers exist — they offload the impossible task of generating and remembering hundreds of unique random credentials.

Practical Takeaways

Understanding the science behind password security leads to clear, actionable principles:

Use a password manager for everything. Let it generate 16–20 character random passwords for each account. You don't need to know these passwords — the manager handles them.

Choose a strong master password. This is the one password you do need to remember. Use a 5–7 word passphrase generated from an EFF dice word list. This gives you 64–90 bits of entropy in a memorizable format.

Enable two-factor authentication. Even the strongest password is vulnerable to phishing or server-side breaches. 2FA provides a second layer that a stolen password alone can't bypass.

Prefer services that use modern hashing. You can't always verify this, but services that have been recently audited, comply with OWASP guidelines, and take security seriously are more likely to use bcrypt or Argon2id. Legacy sites with archaic password rules (max 16 characters, no spaces) are red flags.

Don't trust complexity rules. A 20-character lowercase random string is stronger than an 8-character string with uppercase, lowercase, numbers, and symbols. Length and randomness beat complexity every time.

Assume breaches will happen. Design your security posture so that any single breach causes minimal damage. Unique passwords, 2FA, and breach monitoring together create a resilient system where one failure doesn't cascade into a catastrophe.

---

Password security isn't about following arbitrary rules — it's about understanding the math that attackers exploit and making their job computationally impossible. Generate, don't create. Randomize, don't personalize. And let your password manager remember what your brain can't.