For years we were all trained to build passwords like "P@ssw0rd!" — a capital letter, a number, a symbol, exactly eight characters. It turns out that advice was mostly counterproductive. It produced passwords that are hard for humans to remember and easy for computers to guess. Understanding why reveals what actually makes a password strong.
How passwords actually get cracked
Attackers rarely sit there typing guesses into a login form. When a service is breached, attackers get a database of hashed passwords and crack them offline at enormous speed — billions of guesses per second on cheap hardware. They do not start with random strings; they start with dictionaries of real passwords from past breaches, common words, and predictable patterns. The classic "substitute a 3 for an e and add a ! at the end" trick is built into every cracking tool, because everybody does it. Complexity rules made passwords look strong to a human while doing little against a machine.
Why length is what matters
Each additional character multiplies the number of possible combinations an attacker must try. Length adds this resistance exponentially, and it does so far more effectively than swapping a letter for a symbol. A long passphrase made of several random words is both easier to remember and vastly harder to crack than a short, gnarly string of symbols. The math is lopsided: a truly random 16-character password is astronomically stronger than a random 8-character one, regardless of how many symbols the short one contains.









