Strictly speaking, a password is an unknown quantity. (If the attacker knew it, they would just use what they know.)

Using what they know is what makes a password weak. If I know you used your last name and birthday as your password, I would have many fewer combinations to check than if I know nothing about it (or you).

Assuming you have no shortcuts to guess a password, you're stuck trying EVERY possible valid password until you figure it out. If I know you only used lower case letters (and nothing else) and I know your password is no longer than 12 characters, then I would try every possible combination of lower case letters at every length from 1 to 12. This is 26 possibilities for the length 1 password, 26*26 possibilities for the length 2 password, 26*26*26 possibilities for the length three password, and so on up to 26^12 for the length twelve password. If we add all these together, we get 26^1 + 26^2 + 26^3 + 26^4 + 26^5 + ... + 26^12. Mathematically this is just slightly larger than 26^12. Here's a worked example for a three character password:

```
26 + 26*26 + 26*26*26
26 (1 + 26 + 26*26)
26*26 (1/26 + 1 + 26)
26*26*26 (1/(26*26) + 1/26 + 1)
```

As you can see, when you factor out the largest power of 26, you're left multiplying by a number just slightly larger than one; for the above example it's 1.039940828402366863905325443787 according to Windows calculator.

We can effectively round this to just the largest power, or 26^12. (It's okay to underestimate the actual strength, and in any attack you are, statistically, likely to find the password at the half-way point on average.)

That last bit is worth spending some time thinking about. If your 12 character password is "aaaaaaaaaaaa" then potentially my first guess will guess your password (if I am working in the obvious linear approach). So you might conclude that the strongest password would be "zzzzzzzzzzzz". The problem with that is that not every attacker is going to try a strictly linear approach. They might assume that trying all 26 passwords composed of a single repeated letter first is a good shortcut.

Accordingly, your absolute best password is one that is COMPLETELY random. And if you use a password manager, that remembers it for you, then you can easily achieve this "gold standard."

Based on complete randomness, and assuming your attacker can go very fast, let's assume they can try one billion passwords per second. 26^12 divided by one billion means it will take your attacker 95,428,956.7 seconds to try everything, which is just over 3 years. On average (the half-way point), that is actually 1.5 years.

Now, let's make that 12 character password even stronger. Let's add in 26 more characters, the upper case ones. Now you have a strength of 52^12, and that will take 390,877,006,486.3 seconds, or just over 12,386 years (or half that, 6,193 years, on average). As you can see, increasing the variety of each possible character makes the job for the attacker exponentially more difficult.

If you add in punctuation and numbers, let's call that 80 possible characters, then 80^12 divided by one billion is 68,719,476,736,000 seconds, or 2,177,588.9 years (again, half that, or 1,088,794 years, on average).

So now that we've established that it is much better to have maximal variety in characters, let's see what happens with length.

If I switch to 13 characters instead of 12, and rework all the numbers, here are the results:

26^13 -> 78.6 years

52^13 -> 644,079.5 years

80^13 -> 174,207,105 years

So by adding one additional character, we went from 3 years to 78, from 12k years to 644k and from 2.1M years to 174M.
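To make the arithmetic above reproducible, here is an added Python script (not part of the original post) that computes the keyspace, the "slightly larger than one" overhead factor, and the exhaustive and average crack times at an assumed one billion guesses per second; the 365.25-day year and the 26/52/80 character alphabets are taken from the post.

```python
# Added example: reproduce the post's brute-force keyspace arithmetic.
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 24 * 3600   # 31,557,600 seconds (assumed year length)
GUESSES_PER_SECOND = 10**9               # attacker speed assumed in the post


def keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """All passwords of length 1..max_length: the sum 26^1 + 26^2 + ... + 26^n."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def overhead_factor(alphabet_size: int, max_length: int) -> Fraction:
    """Ratio of the full sum to the largest power alone (just over 1, e.g. 1.0399 for 26^3)."""
    return Fraction(keyspace_up_to(alphabet_size, max_length),
                    keyspace(alphabet_size, max_length))


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: int = GUESSES_PER_SECOND,
                     average: bool = False) -> float:
    """Years to try every password of this length; `average` halves it (expected hit)."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    if average:
        seconds /= 2
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"overhead factor for 26^3: {float(overhead_factor(26, 3)):.6f}")
    print(f"{'alphabet':>8} {'length':>6} {'exhaustive (years)':>20} {'average (years)':>16}")
    for size in (26, 52, 80):                 # lower, lower+upper, +digits/punctuation
        for length in (12, 13):
            full = years_to_exhaust(size, length)
            half = years_to_exhaust(size, length, average=True)
            print(f"{size:>8} {length:>6} {full:>20,.1f} {half:>16,.1f}")
```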

So here's your best approach: use a password manager, and have very long random passwords. If that is not possible (say, for your password manager's own master password), then use as long a quality password as you can remember, and then lengthen it somehow by using the repeat method. You don't HAVE to append at the end, you can do it anywhere... maybe you go with a password like My$trong..........$trong........Pass!word. (As ever, never use ANY password published online, as it's potentially now in a password lookup table.)