Best Combination of Letters, Numbers and Symbols in Passwords

1Douglas
Community Member
edited March 2018 in Mac

Hi.

First off, big fan of 1Password.

What is the best combination of letters, numbers and symbols with regards to creating new passwords? Also, can you give a general guide as the password gets longer.

For example, what is the best complement of letters, numbers and symbols for a 20 character password (20 characters = 10 letters + 5 symbols + 5 numbers)? 30? 40? 50?

I use the password generator.

I guess, while I am here, when is it better to use passphrases and what are your opinions on passphrases versus random character passwords? There are numerous opinions of random versus "battery, horse, staple".

Thanks!


1Password Version: 6.8.8
Extension Version: latest update
OS Version: latest update
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @1Douglas! Thanks for the kind words; we're glad you enjoy 1Password.

    We've actually published numerous guides over the years on what makes a password strong. Because we're 1Password, the only password we're really concerned with is your Master Password, since that's the only one you have to remember, and you can read our current best practices here.

    However, for all other passwords - like the ones you use our password generator to create for websites you belong to - the same principles regarding strength apply...except you can really stretch out, since you won't have to remember them. In general, a password generated from random characters will be stronger than one from random words, for the same total number of characters. My own passwords for various sites on the web tend to be the longest number of characters the site will permit, with a few symbols and numerals thrown in.

    Why not more numerals? Because there are fewer of them, and thus less entropy per random numeral than per random letter (especially if using upper and lower case). Part of the reason there are various opinions is that there are different ways to calculate entropy, but here's a pretty good way to think about/gauge it:

    I will say that in the real world, there's a limit to how much additional benefit you get from longer passwords, even well-constructed, truly random ones. The mathematically-measurable benefits don't diminish, of course (this is what's reflected by calculations of password entropy), but a truly random password of 23 characters will be equivalent to about 128 bits of entropy. You may wonder: why stop there? Why not fill pages with randomness, why not have a password that looks like an RSA 4096 bit PGP key?

    That's where the "real world" bit is relevant: the main reason websites don't allow such long passwords is that users may sometimes be in situations where they have to type this password in to sign into their account. If it's thousands of random characters long, that's going to be a serious impediment to usability. But beyond the human usability factor, have a look at that chart -- an adversary with the ability to make 100 trillion guesses per second would be on the order of a state-level actor. At that level (and that doesn't take into account the PBKDF2 we employ to slow guessing speed), a 120-bit password (note: not even 128, just 120 bits) would require in the hundreds of trillions of years to guarantee a brute force crack.

    So: if you want to have that level of assurance that your password is safe, choosing 23 characters, with a couple of numbers and symbols will do quite nicely. If you feel like you need more, you can make it longer, as long as the site allows it. And in all cases, 1Password can remember it for you and make it easy to submit.
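
The entropy arithmetic behind the reply above, as an added example that is not part of the original thread or 1Password's own code. It goes one step beyond the reply by also working out the fixed 10 letters + 5 symbols + 5 numbers split from the question. Assumptions: the ASCII character classes from Python's `string` module, and an exhaustive search at a constant guess rate with no key stretching.

```python
import math
import string

# Pool sizes taken from Python's ASCII classes: 52 letters, 10 digits, 32 symbols.
LETTERS = len(string.ascii_letters)
DIGITS = len(string.digits)
SYMBOLS = len(string.punctuation)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_uniform(pool_size, length):
    """Entropy in bits of `length` picks drawn uniformly from one pool."""
    return length * math.log2(pool_size)


def bits_fixed_composition(classes):
    """Entropy when the count per class is fixed and positions are shuffled.

    classes is a list of (pool_size, count) pairs.
    """
    total = sum(count for _, count in classes)
    outcomes = math.factorial(total)
    for _, count in classes:
        outcomes //= math.factorial(count)    # multinomial: ways to place classes
    for pool_size, count in classes:
        outcomes *= pool_size ** count        # choices within each class
    return math.log2(outcomes)


def min_length(pool_size, target_bits):
    """Shortest uniform-random length reaching at least target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every candidate at a constant guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    full = LETTERS + DIGITS + SYMBOLS
    split = [(LETTERS, 10), (SYMBOLS, 5), (DIGITS, 5)]
    print(f"20 chars, uniform over {full}: {bits_uniform(full, 20):.1f} bits")
    print(f"20 chars, fixed 10/5/5 split: {bits_fixed_composition(split):.1f} bits")
    print(f"letters only, 128 bits needs {min_length(LETTERS, 128)} chars")
    print(f"120 bits at 1e14 guesses/s: {years_to_exhaust(120, 1e14):.2e} years")
```

Forcing a fixed 10/5/5 split comes out about 7 bits below drawing all 20 characters uniformly from the combined pool, because the fixed counts rule out every password with a different mix.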

  • 1Douglas
    Community Member

    Thank you for your time and the amazing effort put into these forums.

    Cheers,
    Douglas

  • AGAlumB
    1Password Alumni

    Wow. On behalf of Lars and the rest of the team here at AgileBits — including those who spend most of their time on things other than the forums, which in turn support those of us here — thank you for the kind words, and for your support. We couldn't do what we do without you and the rest of our awesome customers. :chuffed:

This discussion has been closed.