Is there any point in using 'strong' passwords?

Brute-forcing even 'strong' passwords is becoming trivial when you have the password hash, and this situation will only get worse.

This is not true. A highly random password is near impossible to bruteforce given that the web application in question is using a strong hashing algorithm like bcrypt or pbkdf2. On the other hand, weak passwords are laughably easy to bruteforce even if a strong hashing algorithm is used.

So yes, there is merit to using a strong password.
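Added illustration of the point made above (not code from any answer on this page): the search space of a uniformly random password compared with the per-guess cost that a slow, iterated hash such as PBKDF2 imposes. The alphabet sizes, the attacker guess rates and the iteration count are constructed assumptions, not measured figures.

```python
import hashlib
import math
import os
import time

# Assumed character-set sizes for a generator-made password (constructed values).
ALPHABET_SIZES = {"lowercase": 26, "alnum": 62, "printable": 95}
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must consider for a uniformly random password."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: the usual 'bits of strength' figure."""
    return length * math.log2(alphabet_size)


def pbkdf2_guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many PBKDF2-HMAC-SHA256 verifications one core does per second.

    Every attacker guess has to be stretched through the same work factor, so
    this is a per-core guess rate (assumption: attacker uses the same code path).
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_years_to_crack(alphabet_size: int, length: int, rate: float) -> float:
    """Expected time to find the password: on average half the space is searched."""
    return search_space(alphabet_size, length) / 2 / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    slow_rate = pbkdf2_guesses_per_second(iterations=100_000)
    fast_rate = 1e10  # assumed rate for a fast, unsalted hash on GPU hardware
    for name, size in ALPHABET_SIZES.items():
        for length in (8, 12, 16):
            print(f"{name:9s} len={length:2d} {entropy_bits(size, length):6.1f} bits "
                  f"fast-hash {expected_years_to_crack(size, length, fast_rate):.3g} y "
                  f"pbkdf2-1core {expected_years_to_crack(size, length, slow_rate):.3g} y")
```

A weak password stays cheap under either hash; a strong one is out of reach under both, and the slow hash buys a much larger margin for everything in between.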


No password is unbreakable, but they don't have to be unbreakable. They only have to outlast an attacker's patience. Even when someone steals the hashes, they typically decide after the first few million that they've got enough passwords, and if yours hasn't been cracked by then, it is still safe.

That's the thing about strong passwords. The only measure of strength you really need is that it has to be stronger than the passwords everyone else is using. But since you have no idea what that might mean (because you don't know the other users' passwords), the best way to go is to make yours as strong as possible.


When a strong password is also a long password, you have the benefit of it being difficult to shoulder surf.

Some sites and services have APIs that consume user account credentials - unless they are also rate-limited and protected from IP spoofing, they become another attack channel with a faster brute forcing rate.

Chances are if you are using a short password, it didn't come from a password generator - which means the password isn't going to be very random. Humans are dreadful at picking random numbers.

If normal password managers are a little too slow to navigate with mouse and keyboard, there are fingerprint and proximity auto-login devices on the market.

If the website is spammy and of low value to you, you might opt for a weak memorable password. But it can be very difficult to anticipate the future value of any information or service you have merged with the website. Some websites might have Terms of Service holding users liable for damages incurred from breaches due to a weak password (assuming they knew).