Importance of Strong Passwords¶
Most people have been conditioned to create weak, easy-to-remember passwords—often reused across multiple sites. This makes them easy targets for attackers using automated tools or stolen credentials.
- Length matters: The longer the password, the harder it is to crack. Aim for passphrases or generated strings that are at least 12–16 characters.
- Uniqueness is critical: Use a different password for every account. This limits the damage in case one service is compromised.
- Use a password manager: Tools like 1Password can generate strong, unique passwords for every login and securely store them.
- Enable two-factor or multi-factor authentication (2FA/MFA): Always use 2FA when available. Prioritize app-based authenticators or security keys over SMS. Or better yet, use SSO or Passkeys in combination with MFA/2FA to get the strongest form of authentification.
- Passkeys are on their own a great replacement and does not require MFA/2FA or even a password. See Security > Passkeys
- See 1Password > Multi-factor/Two-factor authentication on how to use 1Password to setup MFA/2FA for an account.
- Keep passwords private: Never share your passwords, even with colleagues or IT support.
Strong password hygiene is one of the simplest and most effective ways to protect personal and organizational data.
Password Cracking Time by Length and Character Complexity (without using AI)¶
This table illustrates how password length and character complexity dramatically affect security against brute force attacks. The times shown represent how long it would take to crack a password using modern computing power when attempting all possible combinations. Passwords marked as cracking "instantly" can be broken in less than a second, while longer, more complex passwords can take millions or even trillions of years to crack. The data demonstrates why security experts recommend using passwords of at least 12 characters with a mix of numbers, uppercase and lowercase letters, and symbols.
| Length of password (characters) | Only numbers | Mixed Lower and Upper case letters | Mixed numbers, Lower and Upper case letters | Mixed numbers, Lower and Upper case letters, symbols |
|---|---|---|---|---|
| Examples: | 123456 |
eXaMpLe |
12eXaMpLe |
12eXaMpLe$* |
| 3 | Instantly | Instantly | Instantly | Instantly |
| 4 | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | 3 seconds | 10 seconds |
| 6 | Instantly | 8 seconds | 3 minutes | 13 minutes |
| 7 | Instantly | 5 minutes | 3 hours | 17 hours |
| 8 | Instantly | 3 hours | 10 days | 57 days |
| 9 | 4 seconds | 4 days | 153 days | 12 years |
| 10 | 40 seconds | 169 days | 1 year | 928 years |
| 11 | 6 minutes | 16 years | 105 years | 71,000 years |
| 12 | 1 hour | 600 years | 6,000 years | 5 million years |
| 13 | 11 hours | 21,000 years | 108,000 years | 423 million years |
| 14 | 4 days | 778,000 years | 25 million years | 5 billion years |
| 15 | 46 days | 28 million years | 1 billion years | 2 trillion years |
| 16 | 1 year | 1 billion years | 97 billion years | 193 trillion years |
| 17 | 12 years | 36 billion years | 6 trillion years | 14 quadrillion years |
| 18 | 126 years | 1 trillion years | 374 trillion years | 1 quintillion years |
Single Sign-On (SSO)¶
SSO (Single Sign-On) allows users to access multiple applications or systems with one set of credentials. This improves user experience and can enhance security when properly configured, as it centralizes authentication and makes it easier to enforce strong policies like 2FA.
It is a strong alternative to logins using passwords and passphrases.
However, if an SSO account is compromised, access to many connected systems may be at risk. This makes securing the primary SSO login—using strong passwords and MFA—especially important.
Passkeys¶
Passkeys are a modern, passwordless authentication method based on public key cryptography. Unlike traditional passwords, they don’t rely on shared secrets, making them highly resistant to phishing, credential stuffing, and other common attacks.
Authentication typically uses biometrics (like Face ID or a fingerprint) or a trusted device to confirm identity.
This is currently one of the most secure ways to log into websites and services, and should be used in place of traditional passwords or even SSO where possible.
Passkeys are built on open standards developed by the FIDO Alliance (Fast IDentity Online), established in 2013 to promote simpler and stronger authentication technologies. The alliance's mission is to reduce the world's reliance on passwords and protect users from credential-based threats.
In 2022, Apple, Google, and Microsoft jointly committed to supporting passkeys across their platforms and browsers. Apple introduced passkey support with iOS 16 and macOS Ventura, while Google and Microsoft began rolling out integration through Chrome and Windows.
As adoption expands, passkeys are expected to gradually replace traditional login methods, offering both stronger security and a more seamless user experience.
See Security > Passkeys.
See Passkeys.directory for a list of websites, apps, and services that offer signing in with passkeys.
Tips for Remembering Long Passwords¶
- Make a melody using the words
- Group words into meaningful pairs
- Visualize a sequence of vivid images
- Use a memorable sentence or phrase as the base
- Mix in numbers or symbols that relate to the words
- Passwords can always be changed — aim for 40 characters or more
Artificial intelligence¶
A new advanced approach to cracking passwords (PassGAN) using AI has been used to see how fast it can decrypt them:
- 51% of passwords can be cracked under 1 minute. That includes those made up to 12 numbers, and those called complex composed of 6 characters.
- 71% were inside a day, that includes those made up of 15 numbers and those called complex made up of 8 characters.
- Passwords containing 16 lowercase letters would take 23,000 years. With only numbers, 2 days. With 18 letters, 22 million years.
Impacts¶
Ex-Employees still having access...¶
A recent survey from passwordmanager.com published in April 2023 with 1,000 US workers found that:
- 47% admit to using employers’ passwords after leaving the company
- More than 1 in 4 are currently using passwords to access paid subscriptions
- Only 1 in 7 say they’ve been caught using former company passwords
- 1 in 10 say they use past employers’ passwords to disrupt company activities
The Consequences on Businesses...¶
Another survey with business leaders found that 74% of them reported suffering damages from former employees who exploited their digital access.
The most common hacks and infractions included logging into corporate social media (36%), looking through company emails (32%), and taking company files and documents (31%). More than one in four former employees even went so far as to log in to the back end of the company’s website.