What Makes a Good Password?

When creating an account, we’re often required to provide an 8-12 character password containing upper and lower case characters, a special character, a number, a hieroglyph, and a name of a Greek yogurt brand.

We are also often made to rotate (change) our password on every occurance of a yellow moon (or 30/60/90) days.

We frequently see infographics like this one, and people will proudly announce that they have a very “green” password.

And who hasn’t heard the very loud voice all over the internet that MFA must be enabled, and that it prevents password abuse?

Good intentions fuel these recommendations, but they do miss the bigger picture. And unfortunately, all of these very common requirements do us disservice by providing a false sense of security. In this article we will debunk common misconceptions, explore what attributes make-up a good password, and show you how bad actors attack each of these features, and can completely bypass even the strongest defenses.

Recommendations we make are based on our expertise as Penetration Testers for the Novacoast Attack Team (NCAT), guidance from regulatory bodies like NIST, and current research.

We would also like to note that passwords are inherently insecure, although unavoidable in legacy-compatible settings (e.g. Active Directory), thus we make recommendations for passwords where they can’t be avoided.

It should be noted that this article can’t possibly cover the complete depth of this topic—a whole book could be written on the sum of human psychology affecting passwords, types of attacks against passwords, mitigations, best practices, policies, etc.

Quick Recommendations

Before diving into technical detail, where we justify each of these points, here is the TL;DR version and recommendations:

For Users:

• All passwords should be 15+ characters minimum (NIST guidelines)
• Critical passwords (like your master passphrase) should be 20+ characters, or 4+ words long, and employ MFA (ideally hardware MFA).
• Use a passphrase for passwords you need to remember
• Use a password manager for everything else

For Policy-Makers: (Password Requirements)

Musts:

• Encourage passphrases
• Provide employees with access to password managers – and make it convenient to use! During pentests we still find plaintext “notepad” style password sheets.
• Minimum 15+ characters.
• No complexity requirements (uppercase, lowercase, symbols, etc.)
• No regular password rotation policies (Unless compromised; Fine to set for Domain Admin or similarly high privileged account types/highly technical users)
• Educate users on use of passphrases and password managers

Bonus:

• Block common and previously breached passwords
• Keep a small ban list to block the weakest passwords (disallow if contains basic strings like “password”, name of the company, etc.)
• Bonus points for a “strength indicator” on registration (OWASP recommends https://github.com/zxcvbn-ts/zxcvbn).
• Allow all printable characters and spaces

Pre-Requisites for Further Reading:

This article presumes understanding of password hashing algorithms. That is, in essence, turning some input (password) into a fixed length output. This operation cannot be mathematically reversed! Bad actors “crack” these hashes by making a guess at a password, and hashing that password themselves, then comparing resulting hash to the stolen hash.

For more extensive reading on the topic:

1. https://www.okta.com/uk/blog/2019/03/what-are-salted-passwords-and-password-hashing/
2. https://bitwarden.com/resources/what-is-password-hashing/

The Key Features Of A Strong Password

1. Uniqueness – absolutely critical, and most important aspect of password creation

Why Uniqueness matters: Your pasword has to be unique. If it is not, then there is a chance that a bad actor has recovered this password from another service and therefore gains instant access over this account as well. Never give attackers 2-4-1! This also applies to passwords that are similar. We often see the same users rotate one word but keep the rest of the password the same. In other words: the same pattern is replicated across all of their password. BlueSky1! becomes GreenGrass1!, or !GoodPassword123 becomes !GreatPassword456. These passwords may seem different, but they follow the same structure and are very commonly used across the internet. Finally, if users are forced to regularly change their passwords, they stop looking to create unique phrases – they most often start cycling numbers: BlueSky1! becomes BlueSky2! becomes BlueSky3!. This one is on you, policy makers! 😃

What it means: Unique means different from all your other passwords AND different from anyone else’s on the internet AND unbreached.

Rules:

• DO NOT USE ANY PASSWORD YOU ALREADY USE FOR ANOTHER SERVICE
• Don’t rely on simple substitution. If your password is “pinkbike1!”, making it “redbike2@” does NOT count.
• Always generate from scratch. Don’t use common themes, words of patterns.
• If your password gets breached, change it.

Why it matters: This is critical but too often dismissed as inconvenient. Password reuse is the #1 way credential stuffing attacks succeed. Also, breach of an account affects only that account, rather than multiple – and thus reduces stress!

Solution: Use a password manager. Nobody expects you to remember 50+ unique passwords that you need to juggle on a daily basis.

2. Randomness – Mathematically secure, but impractical.

Why randomness matters: Using anything less than truly random introduces bias — you inject how you think, and encode a pattern into your password. Bad actors analyze millions of leaked passwords for common patterns and encode these as “rules” to rapidly improve their odds of guessing.

Example of non-random: “Password123456789!”

• 18 characters
• Has uppercase, lowercase, numbers, symbols
• Would be cracked instantly…

Another example of non-random: “!MyCompanyName2025”

• 18 characters
• Has uppercase, lowercase, numbers, symbols
• Would be cracked instantly…

Why it matters: These passwords are amongst the top few we regularly see when attacking passwords (Notice how the “complexity” requirement is met, but the pattern is easily guessable). There exist long lists of commonly used passwords and patterns and attackers will always try to make use of those resources before resolving to pure bruteforce.

Better: “81268491634553261” (same length, every digit random)

• Requires brute force of 18-digit number (10^18 or 1,000,000,000,000,000,000 combinations)
• Notice that the “complexity” is incredibly low, but still a lot of guessues would have to be made purely due to length
• Very hard to remember

Much better: “xfpcexnfgurponbgvi” (same length, every character random)

• Requires brute force of 18 characters (26^18, or 2,947,951,000,000,000,000,000,000 combinations)
• “complexity” is still low, but significantly higher than number only
• Still very hard to remember

Alternative: “QuestJudgeSecond” (each word generated randomly, totals 16 characters)

• Presuming we sample AT RANDOM the entire English language which contains ~ 1 million words
• Presents the same guess space as an 18 digit random number*
• Is much much simpler to remember

*In reality the attacker would also need to know whether to capitalise each word, whether they are seperated, and if so by what (space, hyphen,comma, etc.), thus making it significantly more difficult to guess.

3. Length – Do not go gentle.

People like to discuss what the password length should be, and it makes for a good sport to produce one of those tables where a color indicates how strong a password is. Here is the problem: These tables are totally misleading on their own. Hivesystems provide quite comprehensive research and produce their own blogpost and I do encourage you to read them in their entirety, but I urge you to ignore the tables on their own.

How long should your password be?

1. This depends on the type of attack your password is meant to withstand. For simplicity we will presume the worst-case scenario where the attacker got hold of the password hash and can run an offline brute-force.
2. This depend on the hashing algorithm used, and should be crucial in deciding what length you should aim for as a user or what requirement to set as a policy maker. In Active Directory, passwords are stored in backward-compatible NTLM format, which is incredibly weak. For most websites built on PHP, the default hashing algorithm is bcrypt, and minimum required length will vary depending on the “cost” function. In 2025, the default is 10.

If your password is completely random, consist of only lower-case characters, and we presume the attacker is using a budget <$1000 GPU/CPU machine for offline cracking:

• Against NTLM hash cracking: 15+ should be sufficient
• Against bcrypt (cost 10) hash cracking : 12+ characters is sufficient
• But be sure to measure your risk level appropiately. The adversary could have access to computer clusters/cloud/extensive hardware, and easily multiply their cracking power.

4. Complexity: When math becomes victim of the human psychology

The math: More character types leads to exponentially more possibilities, as we raise the number of possible choices to the number of characters to get the “guess space”. Math can get complicated, but let’s assume you are unlucky and you make a correct guess only when you’ve exhausted all other possibilites. So to guess a one digit number, you would need to make 10 guesses.

• 8 digits: 1-in-100,000,000 chances (10^8)
• 8 lowercase letters: 1-in-208,827,064,576 chances (26^8)
• 8 mixed case: 1-in-53,459,728,531,456 chances (52^8)
• 8 characters + symbols: 1-in-576,480,100,000,000 chances (60^8)

The reality: Humans are bad at producing random sequences. For example, you’re more likely to use special characters at the beginning or end of your password. Even though using one of 8 classic special characters should technically exponentially increase number of needed guesses, it will in reality only increases the number of guesses by 16 time – a decent increase, but not exponentially more as maths would have us believe.

Recommendation: Forget about complexity. Focus on creating unique, long and random passwords. Complexity is just a little bonus, and if you are using a password manager then by all means tick all the boxes! Skip it if you can’t make it random and have to remember the password — just compensate with length.

5. Memorability (When Required)

General rule: Avoid if you can. Memorable is usually easier to guess, for reasons explored previously.

Exception: When you MUST remember it (like your password manager’s master password).

Solution for memorable passwords:

• Focus on length over complexity
• Use passphrases with 4+ random words. Check the math at [3. Randomness], and you will see that each new word multiplies your “guessing space” by a million. Four words give a septillion (trillion of trillions) combinations (1,000,000,000,000,000,000,000,000!)
• Use a password manager to generate a passphrase made up of random words.
• Examples: “FantasticBeaverRamagesCalifornia” or “helicopter perseverance house luxurious”, “shot-voyage-differ-author”.
• Separate with capitals, spaces, hyphens or anything you find makes it most readable.

Types Of Password Attacks

Passwords can be attacked via:

1. Password Spraying

• What it is: Trying one common passwords against many accounts.
• Defense: Don’t use common or default passwords like “Password1!”, “Welcome2025”
• Difficulty for attacker: Low effort, high success rate against weak passwords

2. Credential Stuffing

• What it is: Using leaked password lists from other breaches – often part of OSINT phase of pentesting engagment
• Defense: Don’t reuse passwords between sites or services. Each deserves its own.
• Difficulty for attacker: Low effort if you reuse passwords

3. Online Brute Force

• What it is: Systematically guessing passwords through the login interface.
• Defense: Depends on service provider’s rate limiting
• Attack speed: Hundreds of guesses per second (if no rate limiting)

4. Offline Brute Force (Password “Cracking”)

• What it is: Attacking stolen password hashes with dedicated hardware
• Defense: Use very long passwords; If you have control, use a hashing algorithm with high cost (e.g. bcrypt cost 12)
• Attack speed: With a $500 GPU like RTX4070 Ti, we can make ~130 billion hash guesses per second against Active Directory hash types “NTLM” (MD4) or ~100,000 hash guesses per second against commonly used hash type by websites (bcrypt cost 5) [https://hashcat.net/forum/thread-12051.html]. Of course if the attacker has access to multiple GPUs/CPUs, it will mean they can multiply the speed of guesses. For example, the hardware used to train ChatGPT-4 is thought to have used 25 THOUSAND A100 GPUs [https://www.arxiv.org/pdf/2405.16256v1]. Each such GPU has about 3x the power of RTX4070Ti [https://gist.github.com/Chick3nman/d65bcd5c137626c0fcb05078bba9ca89].

Important: When creating passwords, assume they will face offline brute force attacks. This ensures maximum security across all scenarios.

Does MFA prevent these attacks?

MFA is certainly a usefull tool/technique, has many benefits, and you should enable it if you can. It is capable of stopping all of the above mentioned attacks, by simply requiring another step in the verification process, making knowing the password “not enough”. However, and I can’t stress this enough, MFA can mean many things and some are weaker than others – MFA does not make you immune to getting owned, and can be bypassed or broken. More on that in a future blog.

The general consesus is that migrating to passwordless types of authentication is the best way of mitigating the risk of passwords. Passwords are a convenient and outdated way to authenticate users, but inheritely insecure. A password can be attacked 24/7/365, and making it longer is meant as a safety net against guessing power of the attacker. Moreover, the complexity or length can be completely bypassed by socially engineering the user to give it up.

The Solution: Making Strong Passwords Practical

For Individual Users:

Step 1: Get a Password Manager

Choose a reputable password manager and secure it with a strong master passphrase.

Step 2: Create a Strong Master Passphrase

Spend time creating a 20-30+ character passphrase using random words. For maximum randomness, use your password manager’s passphrase generator and memorize the result. If this sounds ridiculously long, then check the previous section! I can guarantee you that “FantasticBeaverRamagesCalifornia” is pretty easy to remember and packs a whooping 37 characters!

Step 3: Generate Unique Passwords for Everything Else

Every time you register for a new service:

1. Add entry to password manager
2. Generate password of at least 16 symbols (Or go crazy… it can be 128 characters – you don’t have to remember it, it’s stored in the password manager!)
3. Copy, paste, done

Result: Absolutely unbreakable passwords for every service, from your bank to that vacuum cleaner website you’ll never visit again.

For Organizations and Policy-Makers:

The traditional approach of “8-12 characters, uppercase, lowercase, number, symbol, change every 90 days” is broken.

The Problem with Traditional Policies

• Users create predictable patterns like “Company123!”
• Length limits prevent genuinely strong passwords
• Forced changes lead to “Password1!” → “Password2!” cycling
• Dictionary restrictions make passphrases impossible

Evidence-Based Requirements

Standard Business (Recommended for most users)

• Minimum 15 characters, no maximum
• No complexity requirements
• Breached password checking (HaveIBeenPwned API)

High Security (Recommended for Domain Admins, Root accounts etc.)

• Consider going entirely passwordless!
• When passwords can’t be avoided: Minimum 20 characters, no maximum
• No complexity requirements
• Mandatory breach checking
• MFA required for all access
• Hardware keys for admin accounts

Why This Works Better

• Users create stronger passwords when not constrained by arbitrary complexity rules
• “MyDogLovesToEatPizzaOnFridays” is infinitely stronger than “P@ssw0rd1!”
• Longer passwords defeat all attack types more effectively than complex short ones
• Users stop cycling through predictable patterns

Quick Reference Summary

Scenario	Minimum Length	Approach
Password manager master	20-30+ characters	Memorable passphrase (4-5+ random words)
Work/High-value accounts	20+ characters	Password manager generated
All other accounts	15+ characters	Password manager generated

Key Takeaways

What to do:

• Use a password manager for everything possible
• Make your master passphrase a long and memorable
• Generate unique, long, random passwords for each service
• Enable MFA wherever available

What not to do:

• DON’T Reuse passwords across services
• DON’T Rely on simple substitutions (password → p@ssw0rd)
• DON’T Trust complexity over length
• DON’T Change passwords regularly (unless compromised)

Look for more future articles on password security, brought to you by your friendly penetration tester.