How Hackers Create Secure Passwords
In this chapter, we will share several secrets that will help make your password significantly more secure against brute force attacks, password snooping, forensic analysis, and unauthorized physical access to your devices.
Secret 1. Using Special Characters to Protect Against Password Guessing
This section focuses on additional protection for your password against brute force attacks by adding special characters. When we talk about special characters, we usually mean keyboard symbols like &^%$#@)_|/, but there are many more — including non-printable characters that only appear in extended Unicode tables.
Most password cracking programs only use standard special characters, making them powerless against passwords containing rare codepoints. We recommend the zero-width character — it's practically invisible to the human eye, yet most systems are sensitive to it.
How zero-width characters work
The zero-width character (U+200B) doesn't render in any visible width, but the underlying byte is still part of the password. An attacker reading your screen sees one combination, while the actual stored password is something different.
Where to grab them
Use symbl.cc or your OS character map. Save them in a password manager — pasting from a manager is the safest delivery method.
Secret 2. Combining Languages and Layouts
Mixing characters from multiple alphabets dramatically expands the keyspace any cracker has to traverse. Cyrillic letters that look identical to Latin (а vs a, о vs o) blow up the search space by an order of magnitude.
The downside is operator error: typing the password on a keyboard set to a different layout will fail. Pair this technique with a password manager so you never have to type by hand.
Secret 3. Length Beats Complexity
A 20-character random alphanumeric string is harder to crack than an 8-character string with every special character ever invented. Modern cracking rigs do tens of billions of MD5 hashes per second; 8-character passwords fall in days regardless of complexity.
Passphrase pattern
Pick four random words you'd never naturally string together: copper-violin-thermal-petunia. Even with a 30,000-word vocabulary, that's ~10^18 combinations — past the reach of consumer cracking. Long, memorable, and resilient.
Secret 4. Don't Reuse Passwords
One leaked credential cascades through every account that shares it. Credential-stuffing attacks try every leaked combination against every popular service within hours of a breach landing in the trade.
Use a password manager (KeePassXC, 1Password, Bitwarden) and let it generate a unique high-entropy string for every site.
Secret 5. Two-Factor Authentication Is Not Optional
Even with a perfect password, if the service gets breached and dumps password hashes, attackers have time to crack them offline. 2FA breaks that chain.
Prefer hardware keys (YubiKey, SoloKey) > authenticator apps (Aegis, Authy) > SMS. SMS is the last resort because of SIM-swapping risk.
Wrapping Up
Strong password hygiene is layered defence: long passphrases, unique per site, special characters where they help, 2FA on every important account.