How to check password strength: what makes it secure
Learn to evaluate the security of your passwords.
What makes a password secure: the real factors
Password strength is measured by entropy: the number of possible combinations an attacker would have to try. More entropy means a longer time to crack.
What increases entropy: length (the most important factor), character pool (lowercase + uppercase + digits + symbols = 95 possible characters), and randomness (crucial: a password an attacker can predict has far less effective entropy than its length suggests).
What does NOT indicate strength: letter→number substitution (P@ssw0rd: attackers try these variants first), adding "1!" at the end, personal data.
Generate secure passwords with the NexTools password generator.
How long to crack your password
With a modern GPU (RTX 4090, ~10 billion hashes/sec for MD5):
| Type | Example | Crack time |
|---|---|---|
| 6 chars lowercase | hqkmpz | Instant |
| 8 chars mixed+number | hQ3kMp9z | ~8 hours |
| 12 chars all included | hQ3!Mp@zK9#w | ~600K years |
| 16 chars all included | hQ3!Mp@zK9#wR5&n | ~1 trillion years |
| 5-word passphrase | horse-battery-sun-cloud-red | ~89 years |
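The table above is produced by the entropy formula: the attacker's search space is pool_size^length (or wordlist_size^words for a passphrase), and the worst-case crack time is that space divided by the hash rate. The following Python is an added example, not code from the NexTools page; it assumes the 10 billion hashes/sec rate quoted above and a 7776-word diceware-style list for passphrases, and the exact figures it produces depend on those assumptions.

```python
import math
import string

# Assumption: the MD5 rate the page quotes for an RTX 4090.
HASH_RATE_PER_SEC = 10_000_000_000
# Assumption: a diceware-style wordlist of 6^5 = 7776 words.
WORDLIST_SIZE = 7776

LOWER = string.ascii_lowercase            # 26
UPPER = string.ascii_uppercase            # 26
DIGITS = string.digits                    # 10
SYMBOLS = string.punctuation + " "        # 32 ASCII punctuation marks + space = 33
# 26 + 26 + 10 + 33 = 95, the full printable-ASCII pool mentioned on the page.

SECONDS_PER_YEAR = 365 * 24 * 3600


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker must assume for every position.

    A class counts fully as soon as one of its characters is present: an
    attacker who sees 'hQ3kMp9z' has to search all 62 alphanumerics per slot.
    """
    pool = 0
    for charset in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in charset for c in password):
            pool += len(charset)
    return pool


def entropy_bits(password: str) -> float:
    """Entropy of a *random* password of this length and character pool."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def passphrase_entropy_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase built from random wordlist picks."""
    return words * math.log2(wordlist_size)


def crack_seconds(bits: float, rate: float = HASH_RATE_PER_SEC) -> float:
    """Worst-case time to exhaust the keyspace at the given hash rate."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    """Render a duration the way the page's table does."""
    if seconds < 1:
        return "instant"
    units = (("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"~{seconds / size:,.0f} {name}"
    return "instant"


def strength_report(password: str) -> dict:
    bits = entropy_bits(password)
    return {
        "length": len(password),
        "pool": pool_size(password),
        "entropy_bits": round(bits, 1),
        "crack_time": human_time(crack_seconds(bits)),
    }


if __name__ == "__main__":
    for pw in ("hqkmpz", "hQ3kMp9z", "hQ3!Mp@zK9#w", "hQ3!Mp@zK9#wR5&n"):
        print(pw, strength_report(pw))
    bits = passphrase_entropy_bits(5)
    print("5-word passphrase", round(bits, 1), "bits", human_time(crack_seconds(bits)))
```

Note that entropy_bits assumes the password was chosen uniformly at random; a dictionary word with substitutions gets the same score as a random string of the same length, which is exactly why the page says substitutions do not indicate strength.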
See our hash security guide.
Common attacks against passwords
1. Brute force: Try all combinations. Effective against short passwords.
2. Dictionary: Common words and variations. Attack dictionaries have millions of real leaked passwords.
3. Credential stuffing: Using leaked passwords from one service on others.
4. Phishing: Fake sites. Defense: 2FA + verify URLs.
5. Keylogger: Malware recording keystrokes. Defense: antivirus + 2FA.
For passphrases, read passphrase vs password.
Most common passwords in 2026 (and why they're terrible)
Top 10 (NordPass 2025): 123456, 123456789, 12345678, password, qwerty123, qwerty1, 111111, 12345, secret, 123123.
All crack in under 1 second. If you use any, change NOW.
Generate a secure one with the NexTools generator.
2FA (two-factor authentication): the layer that saves you
Types (most to least secure):
- Hardware key (YubiKey): Phishing-immune. Most secure.
- TOTP (Authenticator apps): 6-digit code every 30s. Very secure.
- Push notifications: Secure if you verify content.
- SMS: Vulnerable to SIM swapping. Worst 2FA but better than none.
Google reports 2FA blocks 99.9% of automated attacks.
Password managers: the definitive solution
Flow: Install manager (Bitwarden free, 1Password premium) → 5+ word passphrase as master → generate random 16-20 char password for each account → enable 2FA on important accounts.
Common objection: "If they hack the manager, I lose everything." Your database is AES-256 encrypted with your master password. Without it, impenetrable. Bitwarden and 1Password have been independently audited.
For passphrases, use the NexTools passphrase generator.
Password rules in 2026: what changed
OBSOLETE (pre-2017): Change every 90 days (causes worse passwords), require mixed case+numbers+symbols (doesn't help if short), security questions (guessable via social media).
CURRENT (NIST SP 800-63B): Minimum 8 chars (recommend 15+), check against leaked password lists, allow passphrases, DON'T force periodic changes, DON'T require specific composition, DO implement 2FA.
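A registration-time check that follows the current rules listed above (length floor, screening against a breached-password list, passphrases allowed, no composition requirement, no expiry) looks like this. It is an added example, not code from the NexTools page or from NIST; the breached list is a constructed ten-entry sample standing in for a full corpus, and the substitution map used to fold P@ssw0rd-style variants back onto their dictionary word is an assumption of this example.

```python
import re
import unicodedata

# Constructed sample breached list (the page's top-10); a real deployment
# screens against a full corpus such as the Have I Been Pwned dataset.
BREACHED = {
    "123456", "123456789", "12345678", "password", "qwerty123",
    "qwerty1", "111111", "12345", "secret", "123123",
}

# Assumed substitution map: undoes the letter->number/symbol swaps that
# attack dictionaries already enumerate, so "P@ssw0rd" screens as "password".
UNLEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LEN = 8          # NIST SP 800-63B minimum
RECOMMENDED_LEN = 15 # the page's recommendation


def normalize(password: str) -> str:
    """Fold a password onto the dictionary word it is probably derived from."""
    text = unicodedata.normalize("NFKC", password).strip().lower()
    text = re.sub(r"[\d\W_]+$", "", text)   # drop a trailing "1!"-style suffix
    return text.translate(UNLEET)


def check_password(password: str, breached=BREACHED) -> dict:
    """Return {'ok': bool, 'issues': [...], 'recommend_longer': bool}.

    Deliberately absent: any requirement for mixed case, digits or symbols,
    and any expiry date. Both were dropped from the rules in 2017.
    """
    issues = []
    if len(password) < MIN_LEN:
        issues.append(f"shorter than {MIN_LEN} characters")
    if password.lower() in breached or normalize(password) in breached:
        issues.append("matches a breached password or a trivial variant of one")
    return {
        "ok": not issues,
        "issues": issues,
        "recommend_longer": len(password) < RECOMMENDED_LEN,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Password1", "horse battery sun cloud red", "hQ3!Mp@zK9#wR5&n"):
        print(repr(pw), check_password(pw))
```

Spaces are accepted so that passphrases pass unchanged, and the screen runs on both the raw and the normalised form so that "123456" (which the suffix stripper would empty out) is still caught.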
How to check if your password was leaked
Have I Been Pwned: 12+ billion leaked accounts indexed. Uses k-anonymity: your full password NEVER leaves your computer. Only the first 5 hex characters of the password's SHA-1 hash are sent; the service returns every hash suffix in that range and the comparison happens locally.
If leaked: change it immediately on ALL services. Generate a new one with the NexTools generator.
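The k-anonymity exchange described above, as an added example that is not code from the NexTools page or from Have I Been Pwned: hash locally, send only the 5-character prefix, then search the returned SUFFIX:COUNT lines on your own machine. The sample response body and its counts are constructed for the example; the endpoint URL is the public Pwned Passwords range API.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is
    sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Network call: only the prefix leaves the machine (not used by the test)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "k-anonymity-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample of what a range response looks like for prefix 5BAA6.
# The suffixes other than the one for "password" and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000F4DB3C5B3A4E8C4E7D2A1F5E9B8C7D6:2
FFFF21A0B9C8D7E6F5A4B3C2D1E0F9A8B7C:11
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the example runs without a network."""
    return SAMPLE_RANGE_5BAA6


if __name__ == "__main__":
    for pw in ("password", "horse-battery-sun-cloud-red"):
        print(pw, "->", pwned_count(pw, fetch=offline_fetch), "(constructed sample data)")
```

Because the server only ever learns a 5-character prefix, roughly one in a million SHA-1 values, it cannot tell which of the hundreds of suffixes in the range was the one you cared about.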
How long should a secure password be?
Minimum 12 characters for random passwords. Recommended 16+ for important accounts. For passphrases: 4+ random words. Length matters more than complexity.
Is it safe to use the same password on multiple sites?
No. If one site is breached, attackers try that password everywhere (credential stuffing). Use unique passwords per service via a password manager.
Does changing passwords every 90 days improve security?
No. NIST removed this rule in 2017. Periodic changes cause worse passwords (Password1→2→3). Only change if suspected compromise or found on Have I Been Pwned.
Is P@ssw0rd! a secure password?
No. Letter→number substitutions are in all attack dictionaries. Attackers try them automatically. Cracks in seconds.
Is 2FA really necessary with a good password?
Yes. Even perfect passwords can leak. 2FA blocks 99.9% of automated attacks per Google. Most impactful security layer you can add.
Is it safe to save passwords in the browser?
Moderately. Chrome/Firefox encrypt with OS credentials. Better than reusing passwords but worse than dedicated managers (Bitwarden, 1Password) which offer vault 2FA and security audits.