What Makes a Password Weak
Most people understand in the abstract that weak passwords are a security risk, but fewer understand the mechanics of how passwords are cracked. Attackers use several methods, and understanding them reveals exactly what makes a password strong or weak.
Dictionary attacks try every word in a dictionary, often combined with common substitutions (a becomes @, e becomes 3, s becomes $). The word "password" is weak. So is "p@ssw0rd". These substitutions have been in every cracking dictionary for decades.
Credential stuffing does not crack passwords at all. It takes username and password combinations leaked in previous breaches and tries them on other services. If you use the same password on multiple accounts, a breach of one compromises all of them. Length and complexity are irrelevant against credential stuffing if the password is reused.
Brute force tries every possible combination of characters. An eight-character password using only lowercase letters has about 200 billion possible combinations. Modern graphics cards can test billions of combinations per second, making eight-character passwords breakable in hours. A sixteen-character password using mixed case, digits, and symbols has over 10 sextillion possible combinations, which is not breakable in any practical timeframe with current hardware.
The Two Most Important Password Properties
Length. Length is the single most important factor in password strength against brute force. Each additional character multiplies the search space exponentially. A twelve-character password is not fifty percent stronger than an eight-character password. It is thousands of times stronger. Aim for a minimum of sixteen characters for important accounts.
Uniqueness. Every account should have a password that is used nowhere else. This is the only complete defence against credential stuffing. If one service is breached, the damage is contained to that service alone. This is the property that makes a password manager essential, because memorising a unique sixteen-character random string for every account you use is not realistic.
Password Managers: The Only Practical Solution
A password manager solves the uniqueness problem by remembering your passwords for you. You create one strong master password to unlock the manager, and the manager generates and stores unique passwords for every account. You only ever need to remember one password.
Modern password managers integrate with browsers and mobile apps to fill credentials automatically. The workflow is indistinguishable from having passwords memorised, except that every password is unique and randomly generated. Most password managers also alert you when a stored password appears in a known breach.
Bitwarden is the most recommended option for privacy-conscious users. It is open-source, has been independently audited, and has a genuinely useful free tier. 1Password is excellent for families and teams. KeePass stores your vault locally rather than in the cloud, which appeals to users who do not want to trust any third-party server with their encrypted data.
The Passphrase Alternative
If you prefer passwords you can remember, passphrases are the most effective approach. A passphrase is a sequence of four or more random words: "correct horse battery staple" (the example from the famous xkcd comic) is twenty-five characters long and contains no dictionary word that makes sense in context. Random word selection is key. Do not use a memorable phrase or sentence from a book. The randomness is what provides the security.
A four-word passphrase drawn from the EFF Large Wordlist (which contains 7,776 words) has over a trillion trillion possible combinations. It is resistant to brute force and easy to type. This approach is particularly good for the master password of your password manager, which you need to type frequently and cannot let the manager fill for you.
What to Do About Your Existing Passwords
If you are starting fresh with a password manager, the migration process feels daunting but is manageable over time. Start by importing whatever passwords your browser has saved. Then, as you log in to services over the next few weeks, update each password to a freshly generated one and save it in the manager. Prioritise important accounts first: email, banking, social media, work accounts.
Use your password manager's audit tools to identify reused passwords and change them. Bitwarden, 1Password, and most other managers have a built-in report that shows which passwords appear on multiple accounts. These are your highest-priority changes.
The Role of Disposable Email in Password Security
Strong, unique passwords protect your accounts, but your email address is often the recovery path to every account you own. Whoever controls your email address can reset the password on most other services. Protecting your email address is therefore as important as protecting the accounts themselves.
Using a temporary email address for low-value sign-ups reduces the risk that your primary email address ends up in a breach and becomes a target. Your primary email, with its strong and unique password and two-factor authentication enabled, remains protected because it is rarely given to low-trust services in the first place.
For sign-ups where you genuinely care about the account, use your real email address and a strong, unique password from your manager. For sign-ups where you just need to get past a registration gate, use a temporary address from TempMailKit and do not invest in a carefully chosen password at all.
Sources & further reading
External links are provided for verification and are not endorsements. Reviewed against these sources per our editorial policy.
Achyuth Kumar
Founder & editor, TempMailKit
Achyuth builds privacy tools and writes TempMailKit’s guides on email security, spam, and online privacy. Every article is checked against primary sources and our editorial policy before it is published. Questions or a correction? Get in touch.