How to Create a Password Hackers Can't Crack

Most passwords can be broken in seconds. Here's how it actually works — and the exact method to create passwords that are genuinely unbreakable.

How to Create a Strong Password

Let me tell you something that might ruin your day: the password you used to sign up for your email account is probably sitting in a database somewhere on the internet right now. Not encrypted. Not protected. Just... there. In plain text. Waiting.

If you've been using the internet for more than a few years, at least one of your accounts has been breached. Not because you did anything wrong — but because companies like LinkedIn, Adobe, Yahoo, and Dropbox have all been hacked, and the passwords they were storing got leaked.

The website Have I Been Pwned tracks these breaches. As of 2025, over 13 billion accounts have been exposed. That's more than the entire world's population.

So the question isn't whether your password is safe. The question is: when (not if) it gets exposed, how long will it take a hacker to crack it?

How Hackers Actually Crack Passwords

Hollywood gets this completely wrong. Hackers don't sit in dark rooms frantically typing code while a progress bar fills up. The actual process is far more methodical — and far more effective.

Method 1: Dictionary Attacks

The hacker runs your hash against a list of millions of common passwords. These lists aren't random guesses — they're real passwords leaked from previous breaches. The most common ones get tried first: "123456", "password", "qwerty", "iloveyou", and so on.

If your password is any common English word, any name, any sports team, or any simple phrase — it's in these lists. It gets cracked in less than a second. Not minutes. Not hours. Less than one second.

Method 2: Brute Force

If the dictionary attack fails, the hacker tries every possible combination. Modern GPUs can test billions of combinations per second. Here's how long it takes to brute-force different password types:

Password Type            | Example            | Time to Crack
6 lowercase letters      | monkey             | Instant
8 lowercase letters      | sunshine           | 5 seconds
8 mixed case + numbers   | Sun12345           | 1 hour
10 mixed + symbols       | S@n!2k25x          | 5 years
12 mixed + symbols       | M#x9k2!qP$7z       | 34,000 years
16 mixed + symbols       | G#7k!xR2q$9Yz&4w   | Billions of years

See the pattern? Length is everything. Going from 8 to 12 characters doesn't just make it 50% harder. It makes it millions of times harder.
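As an added example (not code from the article), here is the arithmetic behind that table: the search space is the alphabet size raised to the password length, so each extra character multiplies the work by the whole alphabet again. The guess rate of 10 billion per second is an assumption for illustration; the real figure depends on the attacker's hardware and, above all, on how the site hashed the password.

```javascript
// Added example, not from the article: the arithmetic behind the table above.
// Search-space size for `length` characters drawn from an alphabet of
// `alphabetSize` symbols (26 lowercase, 62 letters+digits, 95 printable ASCII).
function searchSpace(length, alphabetSize) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// How many times larger the space becomes when the length grows: every extra
// character multiplies it by the alphabet size again.
function growthFactor(fromLength, toLength, alphabetSize) {
  return searchSpace(toLength - fromLength, alphabetSize);
}

// Worst-case seconds to try the whole space at a constant guess rate. The rate is
// an assumption: it depends on the attacker's hardware and, above all, on the hash
// the site stored (a slow hash such as bcrypt or Argon2 lowers it by orders of
// magnitude compared with unsalted MD5 or SHA-1).
function secondsToExhaust(length, alphabetSize, guessesPerSecond) {
  return Number(searchSpace(length, alphabetSize)) / guessesPerSecond;
}

// Coarse human-readable bucket, at the granularity of the table.
function describe(seconds) {
  const year = 365.25 * 24 * 3600;
  if (seconds < 1) return "instant";
  if (seconds < 60) return `${Math.round(seconds)} seconds`;
  if (seconds < 3600) return `${Math.round(seconds / 60)} minutes`;
  if (seconds < 86400) return `${Math.round(seconds / 3600)} hours`;
  if (seconds < year) return `${Math.round(seconds / 86400)} days`;
  if (seconds < 1e9 * year) return `${Math.round(seconds / year).toLocaleString("en-US")} years`;
  return "billions of years or more";
}

// Constructed scenario: 10 billion guesses per second against a fast unsalted hash.
const GUESS_RATE = 1e10;
const SCENARIOS = [
  ["6 lowercase letters", 6, 26],
  ["8 lowercase letters", 8, 26],
  ["8 mixed case + numbers", 8, 62],
  ["12 mixed + symbols", 12, 95],
  ["16 mixed + symbols", 16, 95],
];
for (const [label, len, alphabet] of SCENARIOS) {
  console.log(label.padEnd(24), describe(secondsToExhaust(len, alphabet, GUESS_RATE)));
}
console.log("8 -> 12 chars, 95 symbols:", growthFactor(8, 12, 95).toString(), "times larger");
```

Running it shows why the table jumps the way it does: going from 8 to 12 characters over the full printable alphabet multiplies the space by 95 to the fourth power, about 81 million, and a site that stores passwords with a slow, salted hash pushes every row down the table by several orders of magnitude.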

Method 3: Credential Stuffing

This is the simplest and most common attack. Hackers take a leaked email + password combination from one breach and try it on other services. If you used the same password for LinkedIn and your bank, and LinkedIn gets hacked — your bank account is now vulnerable. Not because your bank was hacked, but because you reused a password.

⚠️ The Real Danger

Password reuse is the single biggest security risk for normal people. It doesn't matter how strong your password is if you use it everywhere. One breach exposes every account that shares that password.

The 5 Password Mistakes Almost Everyone Makes

I'm not going to lecture you — I've made most of these myself at various points. But here they are, so we can all do better:

Mistake 1: Using Personal Information

Your dog's name, your birthday, your anniversary, your kid's name + birth year. This stuff is all over your social media. An attacker doesn't need to brute-force "raja2003" — they just need to glance at your Instagram.

Mistake 2: Making "Clever" Substitutions

Replacing 'a' with '@', 'e' with '3', 'o' with '0'. Sorry, but hackers figured this out in 1995. Their cracking tools try these substitutions automatically. "P@$$w0rd" is not meaningfully stronger than "password."

Mistake 3: Adding Numbers at the End

"michael123", "summer2025". Cracking tools know to append common numbers. It's the first thing they try after the base word.

Mistake 4: Using the Same Password Everywhere

We covered this above, but it bears repeating. If you use one password for everything, you're exactly one data breach away from losing everything.

Mistake 5: Making Passwords Too Short

Eight characters was considered acceptable in 2010. In 2025, it's a speed bump. Twelve characters is the new minimum for anything important. Sixteen is what security experts actually use.
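Mistakes 2, 3 and 5 are mechanical enough that a policy check can catch them before a password is accepted. The following checker is an added example, not code from the article or from Footprint: it undoes the usual character substitutions, strips trailing digits and punctuation to find the base word, and looks the result up in a list. The word list here is a small constructed stand-in; a real checker would use a large leaked-password list.

```javascript
// Added example, not from the article: reject the password patterns described above.
// COMMON_WORDS is a constructed stand-in for a real leaked-password list.
const COMMON_WORDS = new Set(["password", "sunshine", "monkey", "michael", "summer",
  "qwerty", "iloveyou", "123456", "welcome", "dragon"]);

// Undo the "clever" substitutions that cracking rule sets apply automatically.
const LEET = { "@": "a", "4": "a", "3": "e", "0": "o", "1": "i", "!": "i", "$": "s", "5": "s", "7": "t" };
function unleet(s) {
  return [...s.toLowerCase()].map((ch) => LEET[ch] ?? ch).join("");
}

// Strip trailing digits and punctuation ("michael123!", "summer2025") to reach the base word.
function baseWord(s) {
  return s.replace(/[\d\W_]+$/u, "");
}

// Returns the list of problems found; an empty list means the password passed these checks.
function checkPassword(pw, minLength = 12, words = COMMON_WORDS) {
  const problems = [];
  if (pw.length < minLength) problems.push(`shorter than ${minLength} characters`);

  // Look up the password as typed, de-substituted, and with trailing numbers removed.
  const lowered = pw.toLowerCase();
  const candidates = new Set([lowered, unleet(pw), baseWord(lowered), baseWord(unleet(pw))]);
  for (const c of candidates) {
    if (words.has(c)) {
      problems.push(`based on the common word "${c}"`);
      break;
    }
  }

  if (/^[a-z]+$/i.test(pw)) problems.push("single character class");
  return problems;
}

console.log(checkPassword("P@$$w0rd"));   // substitution undone, too short
console.log(checkPassword("michael123")); // trailing digits stripped, too short
console.log(checkPassword("elephant-Tuesday-7-lamppost$purple-seventeen")); // []
```

The point of the normalisation steps is that the checker sees the password the way a cracking rule set does: "P@$$w0rd" and "michael123" both collapse to a dictionary word, so they are rejected even though they contain symbols or digits.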

How to Create a Genuinely Strong Password

There are two approaches, and both work well. The first is for when you just need a random, unbreakable password:

Option A: Use a Generator

The most secure password is one that has zero pattern, zero meaning, and zero connection to you as a person. Something like G#7k!xR2q$9Yz&4w. Good luck guessing that.

But there's a problem: you can't remember it. That's where a password generator comes in — it creates the password, and your password manager remembers it.


Want to check how strong your current password is first? Run it through a password strength checker to see how long it would take to crack.

💡 Generator Settings

When using a password generator, set it to at least 16 characters with uppercase, lowercase, numbers, and symbols all enabled. This produces passwords that would take billions of years to brute-force — even with future quantum computing advances.

The Passphrase Method (For Passwords You Need to Type)

For your main accounts — like your password manager's master password — you need something strong that you can actually remember and type. That's where passphrases come in.

A passphrase is several random words strung together:

correct-horse-battery-staple

This famous example comes from the XKCD comic, and the math behind it is solid. Four random words from a dictionary of 7,776 common words gives you about 50 bits of entropy. That's roughly equivalent to a 10-character random password — and infinitely easier to remember.

But we can do better. Here's my enhanced passphrase method:

  1. Pick 4–5 random, unrelated words — Use a random word generator or open a book and point blindly at different pages. Words like "elephant", "Tuesday", "lamppost", "purple", "seventeen".
  2. Capitalize one of them — "elephant Tuesday lamppost purple seventeen"
  3. Add a number and symbol somewhere in the middle — "elephant-Tuesday-7-lamppost$purple-seventeen"
  4. Make it personal without being guessable — Pick words that mean something to you but aren't publicly associated with you. Maybe "mango" reminds you of your grandmother's garden, but nobody else would know that.

The result: a password that's 40+ characters long, contains mixed case, numbers, and symbols, is genuinely random, and you can actually remember it.

Why You Need a Password Manager

I know what you're thinking. "I can't have a unique 16-character random password for every single account. I have literally 200 accounts."

You're right. You can't remember them all. Nobody can. That's exactly why password managers exist.

A password manager is like a vault that stores all your passwords. You only need to remember one master password (use the passphrase method above). The manager handles everything else — generating, storing, and auto-filling unique passwords for every site.

Here are the options I actually recommend:

Manager   | Price    | Best For
Bitwarden | Free     | Everyone (open-source, audited)
1Password | $3/month | Families and teams
KeePass   | Free     | Technical users who want offline storage

Use one of these. Don't store passwords in a text file, don't email them to yourself, and please don't keep them on a Post-it stuck to your monitor. (Yes, people still do this. I've seen it in corporate offices.)

The Security Layer Hackers Really Hate: Two-Factor Authentication

Even the best password in the world can be compromised. Maybe the website stores it badly. Maybe someone shoulder-surfs while you type it. Maybe there's a keylogger on a hotel computer you used once.

That's where two-factor authentication (2FA) comes in. With 2FA enabled, even if someone knows your password, they still can't get in without the second factor — usually a 6-digit code from your phone.

Enable 2FA on every account that supports it. Prioritize these:

  1. Email (because email is used to reset all other passwords)
  2. Banking and financial accounts
  3. Social media
  4. Cloud storage (Google Drive, Dropbox, etc.)
  5. Your password manager

💡 SMS vs Authenticator Apps

SMS codes are better than nothing, but authenticator apps (Google Authenticator, Authy) are significantly more secure. SMS can be intercepted through SIM-swapping attacks. Authenticator apps generate codes locally on your device, making them much harder to compromise.

Your Password Security Checklist

Let's make this actionable. Here's what to do today — in this order:

  1. Check if you've been breached — Visit haveibeenpwned.com and enter your email address.
  2. Install a password manager — Bitwarden is free and excellent. Set it up with a strong passphrase as the master password.
  3. Change passwords for breached accounts — Start with email, banking, and social media. Use the password manager to generate unique passwords.
  4. Enable 2FA — On your email first, then banking, then everything else.
  5. Check your existing passwords — Use a strength checker on your most important accounts. Replace anything rated as weak.
  6. Delete accounts you don't use — Every unused account is an attack surface. If you haven't used a service in a year, delete your account.

This whole process takes about an hour. That one hour can protect you from years of headaches.

Frequently Asked Questions

How long should a strong password be?

At minimum 12 characters for accounts that matter (email, banking, work). For important accounts, use 16+ characters. Each additional character makes the password exponentially harder to crack. The jump from 8 to 16 characters isn't twice as hard — it's about a trillion times harder.

Are passphrases better than random passwords?

For memorization, yes. A 4-word passphrase like "mango-Tuesday-lighthouse-purple" is about as strong as a 10-character random password, but far easier to remember and type. For accounts managed by a password manager (where you don't need to memorize anything), random passwords with maximum length and character variety are stronger.

How often should I change my passwords?

Current security guidance from NIST (the U.S. National Institute of Standards and Technology) actually recommends against regular password rotation. Forced changes lead people to choose weaker passwords or make predictable modifications ("Summer2024" → "Summer2025"). Change passwords only when there's a reason: a breach notification, suspicious activity, or a shared password needs to be revoked.

Is it safe to use online password generators?

If the generator runs in your browser (client-side), yes. Footprint's password generator creates passwords using JavaScript in your browser. Nothing is sent to any server. The password exists only on your screen. Avoid generators that require you to submit information to a server — there's no reason for a password generator to need internet access.

What about fingerprint or face unlock — should I use those?

Biometrics are great as a second factor or as a convenience unlock for your password manager. But they shouldn't be your only authentication method. You can change a password — you can't change your fingerprint. If a biometric gets compromised (which has happened), you can't rotate it like you can a password.


Written by the Footprint Team

We build free, privacy-first online tools. Your files never leave your browser.