There's a common belief that making a password "complex" — mixing in capital letters, numbers, and symbols — makes it secure. It's the logic behind every IT department's password policy from the early 2000s. And it's wrong.

P@ssw0rd! is not a strong password. It scores 0 out of 4 on a realistic strength meter and would be cracked in under a second in an offline attack. Yet it checks every box on a traditional complexity checker: uppercase, lowercase, number, special character, 9 characters. How is this possible?

The problem with complexity rules

Traditional password strength meters count character types. More types = higher score. The logic seems reasonable until you realize that attackers don't brute-force character by character — they start with dictionaries.

Modern password cracking tools like Hashcat and John the Ripper don't try aaaaaaa, then aaaaaab. They start with the most common passwords from breach databases, then apply rules: capitalize the first letter, add ! at the end, substitute @ for a, substitute 0 for o. These rule sets are built from analyzing billions of real passwords that humans actually choose.

⚠️ Real attack order: Attackers try "password" → "Password" → "Password1" → "P@ssword" → "P@ssw0rd" → "P@ssw0rd!" — all before moving to truly random guesses. Your clever substitutions are already in their playbook.

What the data says

In breach analysis of hundreds of millions of real passwords, some consistent patterns emerge:

Real zxcvbn scores

P@ssw0rd!                Score 0 — Very Weak
Tr0ub4dor&3              Score 1 — Weak
correct-horse-battery    Score 4 — Very Strong
kX#9mQ2vLpR7nW           Score 4 — Very Strong

What actually makes a password strong?

Two things matter above everything else: length and unpredictability.

Length is powerful because the search space grows exponentially with it. Every additional random character roughly doubles the time needed to crack the password. A 16-character truly random password is astronomically harder to crack than a 9-character "complex" one.

Unpredictability means the password can't be predicted from patterns, words, or rules that attackers model. This is where human intuition fails us — we're bad at generating randomness, and our "random" choices are far more predictable than we think.
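To make the rule-based attack order described above and the length/unpredictability argument concrete, here is a simplified strength model added as an example (it is not this page's checker and not zxcvbn): it scores a password the way a cracker searches, dictionary word plus mangling rules first, then passphrase word count, then raw character space. The word ranks, rule count, wordlist size and hash rate are constructed assumptions; only the 0 to 4 bucket thresholds follow zxcvbn.

```python
import math
import re

# Constructed stand-in for a breach-derived wordlist, ordered by frequency rank
# (rank 1 = most common). Real lists hold millions of entries; these are assumptions.
WORD_RANK = {"password": 1, "qwerty": 2, "letmein": 4, "dragon": 8, "welcome": 10,
             "horse": 900, "correct": 1200, "battery": 4000, "staple": 20000,
             "troubador": 50000}
RULES_PER_WORD = 10          # assumed: capitalise, append '!', '1', '&3', leet, ...
WORDLIST_SIZE = 7776         # assumed Diceware-sized list for random passphrases
OFFLINE_RATE = 1e10          # assumed guesses/second against a fast unsalted hash
UNLEET = str.maketrans("@04315$7", "aoaeisst")   # reverse @->a, 0->o, 4->a, ...

def normalise(pw):
    """Undo the mangling rules the page lists: drop appended digits/symbols,
    lowercase, and reverse leet substitutions, recovering the base word."""
    core = re.sub(r"[\d!@#$%^&*]+$", "", pw)
    return core.lower().translate(UNLEET)

def guess_count(pw):
    """Estimate how many guesses a rule-based attacker needs, and why."""
    base = normalise(pw)
    if base in WORD_RANK:                       # dictionary word + a few rules
        return WORD_RANK[base] * RULES_PER_WORD, f"dictionary word {base!r} plus rules"
    words = pw.lower().split("-")
    if len(words) >= 3 and all(w in WORD_RANK for w in words):
        return WORDLIST_SIZE ** len(words), f"{len(words)}-word random passphrase"
    # No pattern matched: fall back to the raw character space of the string.
    charset = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                         (r"\d", 10), (r"[^A-Za-z\d]", 33))
                  if re.search(pat, pw))
    return charset ** len(pw), f"{len(pw)} random chars from a {charset}-symbol set"

def score(pw):
    """Bucket guesses into zxcvbn's 0-4 scale (thresholds 1e3, 1e6, 1e8, 1e10)."""
    guesses, reason = guess_count(pw)
    rating = sum(guesses >= limit for limit in (1e3, 1e6, 1e8, 1e10))
    return {"score": rating, "bits": round(math.log2(guesses), 1),
            "crack_seconds": guesses / OFFLINE_RATE, "reason": reason}

if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Tr0ub4dor&3", "correct-horse-battery", "kX#9mQ2vLpR7nWz4"):
        print(f"{pw:28} {score(pw)}")
```

Under this model P@ssw0rd! collapses to the #1 dictionary word plus one rule (score 0), while a three-word random passphrase and a 16-character random string both land in the top bucket.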

The two proven approaches

1. Long random passwords (with a manager)

Use a password manager to generate and store a truly random 16–20 character password for every account. You don't need to remember it — the manager does. Something like kX#9mQ2vLpR7nWz4 is essentially uncrackable with today's hardware.

2. Passphrases (for passwords you must type)

For passwords you need to remember — like your computer login or password manager master password — use a passphrase: four or more random words. correct-horse-battery-staple is famously stronger than Tr0ub4dor&3 despite being easier to remember. The key word is random — don't pick words that relate to each other or to you.

✅ The modern approach: Use a password manager for all accounts. Generate random 18+ character passwords for everything. Use a long passphrase only for your master password and computer login. Enable 2FA everywhere that supports it.

What about password rotation policies?

Many organizations still force password changes every 90 days. NIST's latest guidelines (SP 800-63B) now recommend against mandatory periodic rotation unless there's evidence of compromise. Why? Because forced rotation leads to weaker passwords — people just increment a number (Password1 → Password2) or make minimal changes that attackers model anyway.

The better policy: use a strong unique password, enable 2FA, and only change it if the service reports a breach.

The bottom line

Stop thinking about complexity. Start thinking about length and randomness. P@ssw0rd! is not a strong password no matter how many rules it satisfies — it's a dictionary word with a handful of predictable modifications. A randomly generated 16-character string or a four-word random passphrase will protect you. A leet-speak substitution will not.

Use our password checker to see how your current passwords score, and our generator to create ones that will actually hold up.