GovernStack
Cybersecurity27 May 2026·5 min read

Password Security in 2025: How Strong Is Your Password Really?

What makes a password strong or weak, how hackers crack them, why length matters more than complexity, and how to calculate how long your password would survive a brute-force attack.

Most people dramatically overestimate how long it would take to crack their password. An 8-character password using a mix of letters, numbers, and symbols — the type many organisations still require — can be cracked in under an hour by a modern GPU running a brute-force attack. Understanding why, and what actually makes a password strong, is the foundation of personal and organisational cybersecurity.

What makes a password weak?

Password strength comes down to two things: length and unpredictability. Most passwords fail on both counts.

Short passwords are vulnerable because every character you add to a password multiplies the number of possible combinations an attacker must try. An 8-character password has a maximum of 6.6 trillion combinations if it uses a 95-character set (letters, numbers, symbols). A 16-character password using the same set has 44 quintillion combinations — roughly 6.7 billion times more.

Unpredictability matters because attackers rarely use pure brute-force. They use dictionary attacks — trying common words, names, and known patterns first — and credential stuffing attacks that try passwords already exposed in previous breaches. "Password1!" satisfies most complexity requirements but appears in every major leaked password list.

How entropy determines password strength

Cryptographers measure password strength using entropy, expressed in bits. Each bit doubles the number of possible combinations an attacker must try. A password with 60 bits of entropy has over a quintillion combinations — far beyond what a GPU can crack in any reasonable timeframe.

Entropy is calculated as: length × log₂(character set size). This means:

Password typeCharset sizeLengthEntropy (bits)Time to crack (GPU)
Lowercase only26837.6Minutes
Mixed case + numbers62847.6Hours
Mixed case + numbers + symbols95852.6Days
Mixed case + numbers + symbols951278.9Centuries
Mixed case + numbers + symbols9516105.2Billions of years

The practical takeaway: length matters far more than complexity. A 16-character password of lowercase letters only (52 bits) is harder to crack than an 8-character password with every character type (52.6 bits) — and far easier to remember.

How attackers actually crack passwords

Brute-force attacks

Systematically trying every possible combination. Effective against short passwords but becomes impractical for passwords above 12 characters. Modern GPUs can attempt around 100 billion MD5-hashed passwords per second — but even at that speed, a truly random 16-character password would take longer than the age of the universe.

Dictionary attacks

Using wordlists of common passwords, names, sports teams, and known patterns. "Password", "123456", "qwerty", and "iloveyou" are tried first. Most dictionary attacks also try common substitutions: "P@ssw0rd" is in every serious attacker's list.

Credential stuffing

Using username/password combinations leaked in previous breaches. There are billions of these in circulation. If you reuse passwords across accounts, a breach at one site exposes all of them. This is why unique passwords for every account matters as much as password strength.

Phishing

The most effective attack doesn't crack your password at all — it tricks you into handing it over. No password, however strong, protects against a convincing phishing page. Multi-factor authentication (MFA) is the defence against this: even with your password, an attacker cannot access your account without the second factor.

What you should actually do

  • Use a password manager — generate and store unique, 16+ character random passwords for every account. Bitwarden (open source, free), 1Password, and Dashlane are all excellent options.
  • Enable MFA everywhere — especially for email, banking, and any account that can reset other accounts. Use an authenticator app (Google Authenticator, Authy) rather than SMS where possible.
  • Check for breaches — visit haveibeenpwned.com to see if your email address has appeared in known data breaches.
  • Use passphrases for accounts you type manually — four random words ("correct horse battery staple") are both memorable and highly secure. At 44 characters, the entropy is essentially uncrackable.
Test any password's strength and estimated crack time with the GovernStack Password Strength Checker. All analysis runs locally in your browser — your password is never sent anywhere.