Modern GPU (RTX 5090) can test:
- 100+ billion MD5 hashes per second
- 30+ billion SHA-256 hashes per second

What this means for your password:
"password"     → Cracked instantly (in breach databases)
"P@ssw0rd"     → Cracked in seconds (common substitution)
"Tr0ub4dor&3"  → Cracked in hours (predictable pattern)
"j8#kL9$mN2@pQ" → Years to centuries (true random)

Average cost of a data breach: $4.45 million (2025)
81% of breaches involve weak or stolen passwords
60% of people reuse passwords across multiple sites
Average person has 100+ online accounts

One weak password = potential access to everything you own

Entropy (bits) = log₂(possible combinations)

Character sets and their sizes:
- Lowercase only (a-z):     26 characters
- + Uppercase (A-Z):        +26 = 52 characters
- + Numbers (0-9):          +10 = 62 characters
- + Symbols (!@#$%...):     +32 = 94 characters

8-character password entropy:
- Lowercase only: 26⁸ = 209 billion combinations (37 bits)
- Mixed case + numbers: 62⁸ = 218 trillion combinations (48 bits)
- All characters: 94⁸ = 6 quadrillion combinations (52 bits)

Password Comparison:

"P@$$w0rd" (8 chars, complex)
- Entropy: ~30 bits (common substitutions reduce it)
- Crack time: Hours to days

"correcthorsebatterystaple" (25 chars, simple words)
- Entropy: ~44 bits (4 random words)
- Crack time: Years to decades

"k8#Lm9$nP2@qR5&tY7*" (20 chars, random)
- Entropy: ~131 bits
- Crack time: Longer than the universe exists

Method: Try every possible combination
a, b, c, ... aa, ab, ac, ... aaa, aab...

Defense: Use longer passwords
- 8 characters: 94⁸ = 6 quadrillion combinations
- 12 characters: 94¹² = 475 sextillion combinations
- 16 characters: 94¹⁶ = 37 octillion combinations

Each additional character multiplies crack time by 94x

Method: Try common words and passwords first
password, 123456, qwerty, letmein, admin...

Common patterns also tested:
Password1, P@ssw0rd, Summer2025!, Welcome123

Defense: Avoid dictionary words and common patterns
Use truly random characters or random word combinations

Method: Pre-computed hash lookup tables
Instead of computing: password → 5f4dcc3b5aa765d61d8327deb882cf99
Just look it up in a table!

Defense: Use passwords not in rainbow tables
- Long random passwords aren't in tables
- Sites should use salted hashes (adds unique value to each password)

Method: Use breached username/password pairs on other sites
You used "cat123" on Site A (which got breached)
Attackers try "cat123" on Sites B, C, D, E, F...

Defense: NEVER reuse passwords across sites
Each account needs a unique password

Method: Guess based on personal information
Pet names: fluffy2020
Birthdays: john0315
Favorite teams: yankees99
Address numbers: elm123street

Defense: Never use personal information in passwords
Random passwords have no personal connection

Recommended length: 16+ characters
Include: uppercase, lowercase, numbers, symbols

Examples of strong random passwords:
k8#Lm9$nP2@qR5&t
Yx7!Kp$3mN@9Lq2W
Bf#5Rx@9Tm$2Np7K

These have ~105 bits of entropy
Would take trillions of years to crack

Method: Use 4-6 random words (not related phrases)

❌ Bad passphrases (predictable):
 "ilovemydog" (common phrase)
 "onetwothreefour" (sequential)
 "tobeornottobe" (famous quote)

✅ Good passphrases (random words):
 "correct horse battery staple"
 "wizard bloom carpet frozen"
 "velvet thunder pickle ancient"

Even better - add some randomness:
 "correct2Horse!battery_staple"
 "Wizard-bloom7Carpet#frozen"

Start with a memorable sentence:
"I graduated from Harvard in 2015 with honors!"

Take first letter of each word + numbers + symbols:
"IgfHi2015wh!"

Enhance with substitutions:
"1gfH!2015wh!"

Result: 12 characters, memorable, relatively strong
(But still not as strong as true random)

Benefits:
✓ Generate strong unique passwords for every site
✓ Remember hundreds of passwords for you
✓ Auto-fill credentials securely
✓ Alert you to breached passwords
✓ Sync across all devices

Popular options (2026):
- 1Password
- Bitwarden (open source)
- Dashlane
- LastPass

You only need to remember ONE master password

Your master password should be:
1. Long: 20+ characters minimum
2. Memorable: You can't look it up!
3. Unique: Never used anywhere else
4. Random: Not predictable

Good master password strategy:
- Use a passphrase: "purple-elephant-dancing-42-moons!"
- Add personal randomness only you'd know
- Practice typing it until it's muscle memory

Store backup in a physical safe (not digitally)

2FA adds a second layer of security:
Something you know (password) + Something you have (phone/key)

Types of 2FA (best to worst):
1. Hardware keys (YubiKey) - Most secure
2. Authenticator apps (Google Authenticator, Authy)
3. SMS codes - Better than nothing, but vulnerable

Enable 2FA on:
✓ Email (most critical!)
✓ Financial accounts
✓ Social media
✓ Password manager
✓ Any account with sensitive data

Check if your credentials have been breached:
- haveibeenpwned.com - Check email addresses
- Your password manager's breach monitoring

If breached:
1. Change password immediately on that site
2. Change password on any site where you reused it
3. Enable 2FA if available
4. Monitor accounts for suspicious activity

❌ Easily guessed from social media:
 - Pet names: "fluffy2020"
 - Birthdays: "mike0315"
 - Anniversaries: "married2018"
 - Children's names: "emma&jack"
 - Addresses: "elm123st"
 - Phone numbers: "5551234"

✅ Use completely random characters
 - No connection to your life
 - Can't be guessed from research

❌ These substitutions are well-known to crackers:
 a → @, 4
 e → 3
 i → 1, !
 o → 0
 s → $, 5

"P@$$w0rd" is barely better than "Password"
Crackers try these substitutions automatically

✅ Use truly random placement of special characters

❌ Common patterns attackers check:
 "qwerty", "qwertyuiop"
 "asdfgh", "asdfghjkl"
 "zxcvbn"
 "1qaz2wsx"
 "!QAZ@WSX"

These look random but aren't
Pattern-based attacks crack them quickly

✅ Use actual randomness, not visual patterns

❌ Sequential patterns:
 "123456", "abcdef", "111111"
 "abc123", "password1234"

❌ Year patterns:
 "Summer2025", "Company2026"

These are among the first combinations tried

✅ Each character should be independent of the others

Tier 1: Critical (use strongest possible)
- Email accounts (gateway to password resets)
- Financial accounts (banks, investments)
- Password manager master password
Recommendation: 20+ characters, random, unique

Tier 2: Important (use strong)
- Social media
- Shopping sites with saved payment
- Work accounts
Recommendation: 16+ characters, random, unique

Tier 3: Standard (use reasonably strong)
- Forums, newsletters
- Services without sensitive data
Recommendation: 12+ characters, unique

NEVER reuse passwords across tiers

DO:
✓ Use 16+ character random passwords
✓ Use a password manager
✓ Enable 2FA everywhere possible
✓ Use unique passwords for every account
✓ Check for breaches regularly
✓ Change passwords if compromised

DON'T:
✗ Use personal information
✗ Use dictionary words
✗ Use common substitutions (@ for a)
✗ Use keyboard patterns
✗ Reuse passwords across sites
✗ Share passwords (even with family)
✗ Store passwords in plain text