Why a long password beats a clever one
P@ssw0rd! is weaker than horsebatterystaplecorrect. The math behind why length wins, without the math degree.
5 min read · Reviewed July 2026
Somewhere along the way, everyone learned the same lesson: a strong password needs a capital letter, a number, and a symbol. So we all made the same password — a word, first letter capitalized, an @ for the a, an exclamation point at the end. Attackers noticed. Every cracking tool tries those substitutions automatically, in milliseconds.
Here’s the uncomfortable truth: P@ssw0rd! falls in seconds. A random 16-character password from a generator holds for longer than the universe has existed. The difference isn’t cleverness. It’s length and randomness.
The multiplication that does all the work
Every character you add multiplies the number of possible passwords. Using letters, numbers, and symbols, each position has about 90 options. An 8-character password has 90 multiplied by itself 8 times — about 4 quadrillion combinations. Sounds like a lot, until you learn that a single modern GPU rig tests hundreds of billions of guesses per second against a stolen password database.
Add four more characters and the count grows 65-million-fold. Add eight — a 16-character password — and cracking it outlasts the heat death of anything you care about. That’s the whole trick. Not symbols. Multiplication.
Why humans lose at random
The catch is the password has to be actually random. Humans are terrible at random. We pick words, dates, keyboard walks like qwerty123, and the same substitutions everyone else picks. Cracking tools are literally built from lists of what people choose — billions of real leaked passwords, ranked by popularity, tried in order.
A generator (like the one on our homepage) sidesteps all of it. It pulls from your browser’s cryptographic random source, which has no favorite words and no birthday.
What I’d actually do
Generate 16+ random characters for anything that matters, store it in a password manager, and stop trying to be clever. For the two or three passwords you must type from memory — your computer login, the manager’s master password — use a passphrase of four or five random words instead. We wrote a separate guide on those. Length still does the work; the words just make it typeable.