"password123" is still one of the most common passwords. "123456" has been in the top 5 for years. We know passwords should be stronger, but understanding why helps more than just being told to "make it better."
How Passwords Are Cracked
Modern cracking doesn't try every combination one by one. It uses dictionaries of common passwords, leaked password databases, and common patterns. Then it generates variations: l33t speak (p@ssw0rd), adding numbers (password1), capitalizing (Password).
A computer can check billions of password combinations per second. "password123" falls in milliseconds. "Xk7#mP9$" takes centuries.
What Makes a Password Strong
Length is more important than complexity. Each additional character makes the password exponentially harder to crack. A 12-character password with only lowercase letters is stronger than an 8-character password with every character type.
Randomness matters. "MyD0g'sN4me!sButters" is memorable and strong. "John1985Smith" looks complex but is in every cracking dictionary.
The Problem with Password Rules
Forcing uppercase, numbers, and symbols often backfires. Users change "password" to "Password1", which technically meets the requirements but is actually no stronger.
Instead: use passphrases. Four random words are more memorable and often stronger than short complex passwords.
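As an added illustration (not code from the original article), the Python sketch below compares the entropy of randomly generated secrets by length and alphabet size, and runs a screening check that sees through "Password1"-style variations of a common password. The blocklist and substitution table are small constructed samples, and the 7,776-word list size is an assumption (a Diceware-style list).

```python
import math
import re

# Constructed sample blocklist; a real check would load a large leaked-password list.
COMMON = {"password", "123456", "qwerty", "letmein"}
# Common l33t substitutions mapped back to letters (illustrative, not exhaustive).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "l", "$": "s", "5": "s", "7": "t"})

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from the alphabet.
    Only valid for generated secrets, never for human-chosen ones."""
    return length * math.log2(alphabet_size)

def base_word(candidate: str) -> str:
    """Undo the cheap variations a cracker generates:
    capitalization, trailing digits/symbols, then l33t substitutions."""
    stripped = re.sub(r"[\d\W_]+$", "", candidate.lower())
    return stripped.translate(LEET)

def is_guessable(candidate: str) -> bool:
    """True if the candidate, or its de-mangled base word, is on the blocklist."""
    return candidate.lower() in COMMON or base_word(candidate) in COMMON

if __name__ == "__main__":
    # Length versus complexity, for uniformly random secrets.
    print(f"12 lowercase letters : {entropy_bits(26, 12):.1f} bits")
    print(f"8 printable ASCII    : {entropy_bits(95, 8):.1f} bits")
    # Assumed word list size of 7776; each extra word adds about 12.9 bits.
    print(f"4 random words       : {entropy_bits(7776, 4):.1f} bits")
    print(f"5 random words       : {entropy_bits(7776, 5):.1f} bits")
    # Composition rules are satisfied, yet the base word is still a dictionary hit.
    for pw in ["Password1", "p@ssw0rd", "password123", "Xk7#mP9$"]:
        print(f"{pw:12} guessable={is_guessable(pw)}")
```

A signup or password-change handler can call `is_guessable` in place of character-class rules, rejecting only candidates that reduce to a known common password.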
Use a Password Manager
The strongest password is one you've never memorized. Use a password manager. Generate random passwords for every site. The only password you need to remember is the one for your password manager.
And please, please, enable two-factor authentication wherever possible. Passwords alone are no longer sufficient for important accounts.