How secure is my password, really?

Passwords are like shoes: at some point you have too many, they often pinch, and once in a while you lose one. But unlike shoes, passwords protect access to our digital existence — email, banking, taxes, photos. How secure a password actually is depends on surprisingly few factors. Read this article, be 10 minutes wiser.

Entropy: the math behind "secure"

Password strength is measured in bits of entropy. Simplified: log₂(N^L), where N is the size of the alphabet and L the length. An 8-character password using lowercase letters (N = 26) has about 38 bits of entropy — crackable in seconds to minutes today. A 16-character password from the same alphabet reaches 75 bits, pushing brute force into the range of years to decades.

Important: this math only applies to genuinely random passwords. A word like "Summer2024!" looks complex to a human but has little entropy, because attackers use wordlists and simple rule sets. Tools that only check length or character set dramatically overestimate the strength of such passwords.

Who attacks how?

Brute force

In a brute-force attack, the attacker tries all possible character combinations until one fits. Modern GPUs can run billions of MD5 hashes per second — weakly hashed passwords are lost. But against a well-hashed password (bcrypt, scrypt, Argon2), the attacker is slowed by orders of magnitude. Brute force becomes a patience game where password length pays off.

Dictionary and hybrid attacks

Instead of blindly trying all combinations, attackers use wordlists: lists of common passwords, leaked collections from earlier breaches, terms in national languages, names, birthdays. Hybrid attacks combine this with rules like "capitalize the first letter," "replace l with 1," "append a year." Most "creative" human passwords fall within hours.

Credential stuffing

Here the attacker doesn't need to crack your password — they already know it. Data breaches from other services provide millions of email/password pairs. Anyone reusing passwords across sites is immediately exposed. So: a separate, unique password for every important site.

Strategies for good passwords

What makes a password secure in practice?

  • Length beats complexity: a 20-character lowercase password is more secure than an 8-character word construct with special chars. Current NIST guidance dropped complexity requirements and favors a minimum of 12–15 characters.
  • Diceware passphrases: five to seven words randomly chosen from a standard wordlist (e.g. "correct horse battery staple trombone snake") easily reach 60–90 bits of entropy and are surprisingly easy to remember.
  • Randomly generated strings: for passwords you don't type but paste from a password manager, a 20+ character random string is optimal. It maximizes entropy per character and has no dictionary weakness.
  • Password managers: KeePass(XC), 1Password, Bitwarden, etc. generate and store unique passwords per site. The master passphrase is the only one you still memorize — and it should be really good.
  • Never reuse: for email, banking, primary cloud storage, and identity providers (Google, Apple), use a unique password plus its own 2FA. Reusing here invites a domino takeover.

Two-factor authentication

Even an 80-bit password doesn't help much if it leaks through phishing. That's where 2FA comes in: in addition to the password, the attacker needs a second factor — typically a short-lived code from an authenticator app (TOTP) or a hardware token (FIDO2/WebAuthn). Even if the password is leaked, the account stays locked without the second factor.

SMS-based 2FA is better than nothing, but vulnerable to SIM-swap attacks and should be avoided for valuable accounts. Authenticator apps like Aegis, 2FAS, or Authy are better; FIDO2 security keys (YubiKey, NitroKey) are the gold standard and reliably defeat even phishing.

Have I Been Pwned & co.

The "Have I Been Pwned" service collects publicly known data breaches and lets you check whether your email appears in any leak. The associated Pwned Passwords dataset contains over a billion leaked password hashes — before settling on a password, a quick check there can reveal whether it has already appeared somewhere.

Many password managers now automatically check whether your stored passwords appear in such lists. If you're using a hit, change it everywhere you've used it — promptly.

My own password journey (and the embarrassing start)

I'll admit it: in 2012 I had the same password on 80 % of my accounts. A supposedly 'strong' password with special characters, mixed case and digits — and over 8 years old. That it had been published in the 2018 Adobe breach didn't reach me until 2020, when a phishing attempt on my email account was suspiciously well-targeted. The attacker had my old password, which still worked. That put me precisely in the category I now write about in lecturing fashion.

Migration took two weekends. Bitwarden installed, browser history scanned for logins, every account visited, 25-character generated password applied. 187 accounts total. 23 I couldn't open at all any more — vendor offline or account forgotten. The remaining 164 have been clean since 2020. My master password for Bitwarden is a six-word passphrase plus a digit — the only thing I have to remember any more.

What changed since: I no longer get nervous when I hear about a new data leak. On Have-I-Been-Pwned notifications I check which account is affected, click 'generate new password' in Bitwarden once, change it at the provider — done in two minutes. Before, I had panic attacks: 'oh no, now 80 accounts need changing'. That calmness is the real argument for a password manager.

Special case WordPress: why your WP admin is only as secure as your worst plugin

WordPress runs on about 43 % of all websites worldwide (2026). That ubiquity makes it the prime target for automated attacks. My WordPress server at a Telekom subsidiary saw an average of 3,000 login attempts per day in 2024 — and that was a completely unremarkable domain with a few hundred visitors. Anyone with a weak WP admin password has a compromised site within a week.

Three measures that together stop 99 % of automated attacks: (1) a strong unique admin password (25+ characters), (2) two-factor authentication (plugin like 'Two Factor' or 'Wordfence Login Security'), (3) IP-based rate limiter via plugin (Wordfence, Limit Login Attempts Reloaded). With this combo, bots no longer get through the login loop. Anyone also moving the login path from /wp-admin to something custom is effectively off the automated scan list.

If your WordPress was compromised and you've lost admin access: overwrite the password hash directly in the wp_users table via phpMyAdmin. That's exactly what our WordPress Password Hash Generator is for — enter your new password, get the PHPass hash, paste it into wp_users.user_pass, done. I've used this recovery method at clients three times in 2026; it's standard.

Passkeys in 2026: already reality today (update)

We wrote up the current numbers in a separate article [Passkeys vs. Passwords 2026: NIST 800-63-4 and the real-world rollout]: over 1 billion passkeys activated, 48 % of top-100 websites support the tech, NIST mandates phishing-resistant authentication for AAL2. Anyone setting up a new online account in 2026 should look for 'activate passkey' during onboarding — Apple, Google, Microsoft, PayPal, GitHub all have it prominently.

Practical effect day-to-day: less login friction (5 seconds instead of 30), no phishing exposure, fewer 'password forgotten' loops. But passwords aren't dead — they'll remain the default at small SaaS providers, government portals and self-hosted tools like WordPress for 5+ years. The right strategy in 2026 isn't 'abolish passwords', it's 'keep passwords strictly in the manager, use passkeys where available, run both in parallel'.

Which password manager? A short honest overview

Choosing a manager matters more than which one you pick — all modern options are secure enough. A short characterisation of the most common:

  • Bitwarden — open source, free tier for personal use, EUR 10/year for premium. Best choice for individual users and families. Cross-platform, browser extensions, mobile apps. Self-hosting possible (Vaultwarden) for maximum control.
  • 1Password — premium product, no free tier, from EUR 30/year. Best UX, professional team features, very good for small companies. If budget isn't a factor: favourite of many professionals.
  • Dashlane — mid-range, EUR 40/year. Heavily expanded 'personal data monitoring' in 2024. Solid choice, slightly smaller market share than the top two.
  • KeePassXC — fully free, fully offline. The database is a local file, you sync it yourself (Dropbox, Nextcloud, USB stick). Maximum control, minimal convenience. For privacy maximalists and IT pros.
  • Browser-built-in managers (Chrome, Safari, Firefox) — better than nothing but limited: tied to one browser, restricted sharing options, weak protection against compromised browser profiles. OK for low-stakes logins, not for banking and critical accounts.

My suggestion for 90 % of readers: Bitwarden, the free version. Works on every device, is open source, has every feature you need, costs nothing. With a family, the family plan is worth it (EUR 40/year for 6 people) — secure sharing of Wi-Fi password, Netflix account, and bank login within the household.

Frequently asked questions

How long should a password be?

For a randomly generated password from a 70+ character alphabet: 16+ characters is very robust against brute force. For Diceware passphrases: 6 or 7 words. The master passphrase of a password manager should have at least 80 bits of entropy — i.e. 6+ Diceware words or 14+ random characters from a large alphabet.

Should I change my password regularly?

Current NIST guidance says: no, not on a routine. Forced periodic changes lead users to choose small variations ("Summer2024!" becomes "Summer2025!") — security goes down, not up. Change a password when you suspect compromise or a service has suffered a breach.

Are passkeys the end of passwords?

Passkeys (FIDO2/WebAuthn) are a big step: no password is transmitted, the device holds the private key, the server only knows the public one. Phishing becomes structurally harder. Classical passwords will nevertheless be around for years — as a fallback, for legacy systems, and in environments without passkey support. Learn to live with both.

Should I rotate passwords regularly?

No — NIST SP 800-63-4 (2025) explicitly dropped the old 'change every 90 days' rule. Forced rotation demonstrably leads to weaker passwords (users pick variations like 'Summer2026!' → 'Summer2027!'), not stronger. Instead: long unique passwords, plus immediate change on suspicion of compromise (Have-I-Been-Pwned alert, phishing attempt). That's the modern 2026 best practice.

How secure is my master password?

The master password should be significantly longer than individual account passwords — minimum 16 characters or a 6-word Diceware passphrase (~77 bits of entropy). Important: write it down once physically and store in a safe place (safe, bank deposit box). Don't forget the master password — losing it means losing every other password.

What if my password manager provider itself is hacked?

LastPass was hacked in 2022 and the encrypted vault backups ended up with attackers. The risk is real. Mitigations: (1) strong master password — under AES-256 with 16+ characters, brute force is practically impossible. (2) Two-factor authentication on the manager itself (ideally with a YubiKey). (3) Offline backup of your vault every 6 months (CSV export, encrypted on USB stick). With these three measures, even a manager hack isn't a nightmare for you.

Disclaimer: This article is a general introduction and not individual security advice. For especially sensitive data (companies, critical infrastructure, high-risk profiles), consult a specialized IT security expert or follow the guidance of BSI, NIST, or ENISA.

Comments