Skip to content

Is my password strong enough

By the Password Rangers teamUpdated 6 min read

Probably not, if you invented it yourself. A strong password is 16 or more random characters, or five or more random words, and it protects exactly one account. Most passwords people make up by hand fail at least one of those tests. The good news is that you can check yours in about a minute, and fixing a weak one takes five.

The 60 second self-audit

You can audit a password without any tools. Ask four questions. Is it shorter than 15 characters? Does it contain a name, date, or real word? Do you use it anywhere else? Has it ever appeared in a breach? A single yes means the password should be replaced, not patched.

  1. Is it shorter than 15 characters? NIST's current guidance, SP 800-63B, recommends at least 15 characters for any account protected by a password alone. Length is the single biggest factor. Against an offline attacker making 10 billion guesses per second, a random 8 character mix of letters, digits, and symbols falls in about 2 days on average. A 16 character one holds for about 14 trillion years.
  2. Does it contain a name, date, or word? Pet names, birthdays, football clubs, "Summer2026", keyboard runs like qwerty. Cracking software tries dictionary words with the usual swaps (a to @, o to 0) before anything else, so these fall almost instantly no matter how long they are.
  3. Do you use it anywhere else? A password shared between two accounts protects neither of them. More on why below.
  4. Has it appeared in a breach? Passwords from old leaks live on public wordlists forever. If it leaked once, anywhere, it will be among the first guesses tried against every account you own.

One yes is enough. Replace the password rather than tweaking it. Adding an exclamation point to the end or bumping a 1 to a 2 are the first mutations cracking tools try.

How to test your password safely

Use a checker that runs entirely on your own device and sends nothing over the network. Our password strength checker works that way: the estimate is computed in your browser, and you can open the Network tab in DevTools while you type to confirm that no request leaves the page.

The result is shown in bits of entropy, which is just a count of how hard the password is to guess. Every added bit doubles the attacker's work. At 51 bits (8 random mixed characters), an offline attacker at 10 billion guesses per second needs about 2 days on average. At 77 bits (12 characters), about 259,000 years. The times shown are the average case, meaning the attacker finds the password after searching half the possibilities. Our guide on how long a password should be walks through the full table.

Be careful with checkers on sites you don't know. Anything you type into a web form can be logged by that site, so a shady "test your password" page is a collection tool with extra steps. If you're unsure about a checker, test a made-up password with the same structure as yours instead of the real thing. We cover how to judge these tools in are online password generators safe.

Reuse turns one breach into many

A reused password is only as strong as the weakest site that stores it. When any one of those sites gets breached, attackers take the leaked email and password pairs and replay them against banks, email providers, and shops automatically. That technique is called credential stuffing, and it involves no cracking at all.

This is why reuse fails the audit even when the password itself is long and random. The attacker isn't guessing, they're copying. Bots can test a leaked pair against hundreds of services in minutes, and they run around the clock. You can see which known breaches include your email address at haveibeenpwned.com. If any breached account shared its password with other accounts, change every one of them, not just the account that leaked.

How to fix a weak password properly

Generate a random replacement, store it in a password manager, and turn on multi-factor authentication. Start with your email account, because anyone who controls your inbox can reset nearly every other password you own through account recovery links. Email is the master key, so it gets the strongest lock first.

  1. Generate, don't invent. Use a strong password generator set to 16 or more characters, or grab five or more random words from our passphrase generator for anything you'll type by hand. Human choices are the exact problem you're fixing, so don't make the replacement yourself.
  2. Store it in a manager. You shouldn't be able to remember a good password. Let the manager hold it and memorize only one strong master passphrase.
  3. Turn on MFA.CISA lists multi-factor authentication alongside strong passwords as one of its four core security behaviors. With MFA on, even a stolen password isn't enough on its own.
  4. Work in priority order. Email first, then banking, then anything holding a saved card, then the rest as you happen to log into them. You don't need to fix 200 accounts in one sitting.

Signs your password was already compromised

Password reset emails you never requested, sign-in alerts from unfamiliar locations or devices, messages sent from your account that you didn't write, and a breach notice naming a service you use are the common signals. Any one of them means the password may already be in someone else's hands, so act now.

From a device you trust, change the password on the affected account first, then on every account that shared it. Sign out all active sessions if the service offers that option. Check that your recovery email, phone number, and any mail forwarding rules haven't been changed, because attackers quietly edit those to keep a way back in. Then enable MFA before you move on.

"Strong enough" has a plain definition: random, at least 16 characters or 5 words, and used in exactly one place. If your password misses on any of those, the audit above found it, and the fix takes minutes.