A few years back, a developer I know had his AWS account compromised. The attacker didn't phish him, didn't social-engineer their way in, didn't even need a zero-day. They just tried the same password he'd been using on a gaming forum since 2014 — a forum that had been breached and whose credentials were sitting in a public dump. By the time AWS caught the anomaly, the bill was around $8,000 in EC2 instances spun up to mine crypto.
The fix wouldn't have required any special skills. It just required a different approach to passwords. Here's what actually works.
How attackers actually get in
Before talking about defense, it helps to understand the attack. There are three main approaches, and they're not all equal.
Credential stuffing is the most common one today. Billions of username/password pairs from past breaches are freely available on hacker forums. Attackers write scripts that try these combinations automatically across hundreds of sites. If you use the same password anywhere, it's only a matter of time. This is how my acquaintance lost his AWS account — the password wasn't weak by 2014 standards, it just wasn't unique.
Dictionary attacks go beyond just trying common words. Modern dictionaries include tens of millions of entries: real words in every language, common substitutions (a → @, e → 3, o → 0), famous keyboard walks (qwerty, 123456, asdfgh), names, sports teams, years appended to common words. If your password looks like "a word with some numbers," it's probably in there.
Brute force is the raw approach — try every combination until one works. This is where length matters most. A 6-character password has about 19 billion possible combinations if you use mixed case, numbers, and symbols. Sounds like a lot until you realize a modern GPU can check billions of guesses per second against a leaked hash. Six characters falls in under a minute. Eight characters is a few hours on cheap hardware. Twelve characters with real randomness starts to actually protect you.
What makes a password strong
There are four properties, and they're not all equally important.
Length is the multiplier. Every character you add doesn't increment the search space — it multiplies it. Going from 8 to 16 characters doesn't double the difficulty for an attacker, it raises it by a factor of roughly 208 billion (assuming a 95-character set). A 16-character random password with just lowercase letters is harder to crack than an 8-character password with every possible character type. Length wins.
Randomness is what length can't do alone. aaaaaaaaaaaaaaaa is 16 characters and it's useless. True randomness means the characters have no pattern that a dictionary or rule-set can exploit. "Correct-horse-battery-staple" is famous as an example of memorable random words — it works because the words are chosen randomly, not because they form a meaningful phrase. The moment you pick words because they mean something to you, you've introduced bias an attacker can exploit.
Uniqueness per account is non-negotiable. This is the one most people skip, and it's the reason credential stuffing works so well. A single breached password shouldn't compromise your entire digital life. One account, one password. Full stop.
Character variety helps, but less than you think. Adding uppercase, numbers, and symbols to a 12-character random password improves it — going from a 26-character to a 95-character alphabet increases the search space by about 10x per position. But a 16-character lowercase random password is still stronger than a 10-character mixed-case password. Don't trade length for complexity.
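As an added example (not code from the article), the arithmetic behind the comparisons in this section: search space as alphabet size raised to the length, entropy in bits, and the average time an exhaustive search needs at a given guess rate. The 10 billion guesses/second rate and the 7776-word list size are assumptions, stated in the comments.

```python
import math

# Alphabet sizes behind the comparisons in this section: lowercase only,
# mixed case, mixed case plus digits, and the full 95 printable ASCII set.
ALPHABETS = {"lower": 26, "mixed": 52, "alnum": 62, "full": 95}

def search_space(length: int, alphabet_size: int) -> int:
    """Distinct passwords of this length drawn uniformly from the alphabet.
    Each extra position multiplies the count by alphabet_size."""
    return alphabet_size ** length

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)

def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are picked uniformly from a fixed
    list. 7776 is the size of a Diceware-style list (assumption: the attacker
    knows which list was used, so only the random choice is secret)."""
    return words * math.log2(wordlist_size)

def expected_crack_seconds(length: int, alphabet_size: int,
                           guesses_per_second: float) -> float:
    """Average time for exhaustive search to hit a random password: on
    average half the space is tried. The guess rate is an assumption that
    depends on the hash function and hardware; fast unsalted hashes on GPUs
    are in the billions per second, slow password hashes far lower."""
    return search_space(length, alphabet_size) / 2 / guesses_per_second

def stronger(a: tuple, b: tuple) -> bool:
    """True if shape a = (length, alphabet_size) has the larger search space."""
    return search_space(*a) > search_space(*b)

if __name__ == "__main__":
    rate = 1e10  # assumed 10 billion guesses/second against a leaked fast hash
    shapes = [(6, "full"), (8, "full"), (12, "full"), (16, "lower"), (10, "mixed")]
    for length, name in shapes:
        size = ALPHABETS[name]
        years = expected_crack_seconds(length, size, rate) / 31_557_600
        print(f"{length:2d} x {name:5s}: {entropy_bits(length, size):6.1f} bits, "
              f"~{years:.3g} years at {rate:.0e} guesses/s")
    print(f"4 random words: {passphrase_bits(4):.1f} bits")
    print("16 lowercase beats 8 full-charset:", stronger((16, 26), (8, 95)))
```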
The myths that make people less secure
"I'll just substitute letters with symbols." p@ssw0rd has been in attacker dictionaries for over a decade. So has P@$$w0rd, passw0rd, and every other variation you can think of. Substitution rules are built directly into cracking tools. If your base word is in a dictionary, the substituted version doesn't save you.
"I change my password every 90 days so it stays secure." Forced rotation is one of those security policies that sounded good in theory and turned out to be counterproductive in practice. When people are forced to change passwords regularly, they pick weak, incrementable passwords (January2026!, February2026!) or slightly modify their existing one. NIST updated its guidelines several years ago to say: don't force rotation unless there's evidence of compromise. Strong and unique beats fresh and weak.
"A complicated short password beats a simple long one." Tr0ub4dor&3 is 11 characters. correct-horse-battery-staple is 28. The long one has more entropy, is easier to remember, and is harder to crack. The "complexity" illusion costs you memorability without a meaningful security gain if the password is short.
What actually works in practice
The gap between "password security best practices" and "what people actually do" exists because the ideal behavior is genuinely hard to maintain manually. You can't memorize 150 unique 20-character random strings. No one can. The tools that bridge this gap are:
A password manager. This is the single highest-leverage change you can make. You get one strong master password to remember; the manager generates and stores unique, long, random passwords for everything else. It fills them in automatically so you don't even see most of them. Bitwarden is free, open-source, and audited. 1Password and Dashlane are good paid options. The specific tool matters less than actually using one.
TOTP-based two-factor authentication. Time-based one-time passwords (Google Authenticator, Authy, the built-in iOS/Android authenticators) add a second factor that isn't your password. Even if an attacker gets your password from a breach, they can't log in without the rotating code. Enable it everywhere it's available, especially for email, banking, and anything work-related. SMS-based 2FA is better than nothing but can be bypassed via SIM-swapping; TOTP is meaningfully more secure.
Breach monitoring. haveibeenpwned.com lets you check whether your email address has appeared in known data breaches. More usefully, you can set up alerts so you're notified when a new breach includes your address. When it happens — and it will — you change that specific password immediately instead of wondering for months whether you're exposed.
What a good password actually looks like
If you're generating manually (though honestly, use a generator), think in terms of length and randomness rather than complexity. A passphrase built from four or more random words works well because it's long and genuinely random — the key is that the words are chosen randomly, not because they tell a story or relate to your life.
For machine-generated passwords, something like xK7$mP2qR9#vLn4j is excellent — 16+ characters, random, never reused. You don't need to remember it because your password manager holds it.
The pattern to avoid is anything derivable from information about you: birthdays, pet names, the street you grew up on, your sports team. Targeted attacks against specific people often start with OSINT — open-source intelligence gathered from LinkedIn, Instagram, public records. If an attacker knows enough about you to guess, they will.
Generate a strong password right now
If you want a cryptographically random password — one that no dictionary will ever contain — the Password Generator lets you configure the exact length and character set, and generates it client-side so the password never hits a server.
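An added example, not the site's Password Generator or its code, of what such a generator has to get right: every character drawn uniformly from the configured alphabet with the secrets module, and an optional requirement that each chosen class appear, met by resampling rather than by forcing one character per class. The class names and symbol set are my assumptions, and the word list is a constructed stand-in.

```python
import secrets
import string

# Character classes the generator can draw from (the symbol set is an assumption;
# a real generator lets the user pick it to match what the site accepts).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}

def has_every_class(password: str, classes) -> bool:
    """True if at least one character from each named class is present."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)

def generate_password(length: int, classes=("lower", "upper", "digit", "symbol"),
                      require_each: bool = True) -> str:
    """Draw every character uniformly from the combined alphabet using the OS
    CSPRNG (secrets), never the seedable random module. When require_each is
    set, a candidate lacking any class is discarded and a fresh one drawn:
    rejection sampling keeps the accepted passwords uniformly distributed,
    whereas forcing one character from each class and shuffling would not."""
    if require_each and length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or has_every_class(candidate, classes):
            return candidate

def generate_passphrase(words: int, wordlist, separator: str = "-") -> str:
    """Pick words uniformly at random from a fixed list. The strength comes
    from the random choice, so the list should be a published one with
    thousands of entries, not words that mean something to the user."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))

# Constructed stand-in for a real word list; a Diceware-style list has 7776 entries.
DEMO_WORDLIST = ["correct", "horse", "battery", "staple", "anvil", "orbit", "lemon", "quartz"]

if __name__ == "__main__":
    print(generate_password(16))
    print(generate_password(20, classes=("lower",), require_each=False))
    print(generate_passphrase(4, DEMO_WORDLIST))
```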
Security isn't about having a perfect system. It's about removing the easy wins from attackers. Unique passwords for every account, stored in a manager, with 2FA on your most important accounts — that combination puts you well ahead of 95% of targets, which is enough to make attackers move on to someone else.