What constitutes a weak password

I have changed most of my passwords to ones generated randomly by Bitwarden and yet they still show as weak passwords. Not all sites accept special characters and some sites limit the size to say 10 characters. So all my passwords are combinations of upper and lower case letters with numbers but still show as weak. What is the definition of a non-weak password? Also many of my sites show as duplicate passwords even after changing them to a randomly generated password. This is very frustrating.

If a site restricts your choice of password to a certain length or doesn’t accept certain types of character, then obviously for that site you need to use a password that fits those rules. For all other sites though, you should use something more secure. If you’re using Bitwarden to remember passwords for you, go for longer passwords and include special characters.

If you’ve changed ALL your passwords to something unique then your duplicate password report should be empty. Do you have any deleted passwords in your Trash that may be appearing on that report?

Passwords in general are really something you should do some research on. Which are bad/good, what are the types, why some are good against one type of attack, but not against another and so on…

To keep it short, randomly generated passwords are the strongest. For them, a length of 11-12 is enough. Do not trust every password strength meter you see, because on many sites it only, for example, counts the number of characters, which is absolutely wrong.

I don’t even want to talk about the character limit. Every website with a character limit of 13-14 or less is just stupid. People are already very bad at making good passwords. Because we can’t remember random symbols, we choose as passwords names of people/places/streets/pets/etc and dates, all of which are predictable. Restricting the length just makes it worse.

I would suggest using Bitwarden’s initial settings as a starting point, though turning on all types of character including symbols.

There will be some sites where this will not fit in with their rules, but you can deal with them individually. Some banks have ridiculous password policies, I suspect partly because they assume that punters will be typing them in.

If a website does not let you use special characters and/or only allows say 10 characters, then the company behind the website clearly does not have a good system going. The standard is 16 characters with lower and upper case letters, numbers and special characters.

Personally if not for special characters I’d use upper and lower letters plus numbers and I’d go 32 characters rather than 16 characters, and if only 10 characters are allowed by the site that’s crappy.

Today is 16 characters, tomorrow is 32 characters… Plan ahead.

The key is what characters are being used. If you can use upper case, lower case, numbers and special characters, then you have around 95 characters available. A random 11 digit password made up of such is uncrackable unless someone comes up with a practical quantum computer any time soon.

The most powerful supercomputer, processing 1 billion brute force attempts per second, would take over 100,000 years to crack such an 11 character password. That’s good enough! Add another digit if you like, just to take it to the 10m years.
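
Added example, not part of the thread: the keyspace arithmetic from the last post, applied to the restricted sites the original question mentions (letters and digits only, 10 characters). The 95-character alphabet and the rate of 1 billion guesses per second are the thread's figures, used here as assumptions; the function names are made up for this sketch.

```python
import math
import secrets
import string

# Assumptions taken from the thread: ~95 usable characters, 1e9 guesses/second.
# Real guessing rates depend on how the site hashes passwords.
FULL = string.ascii_letters + string.digits + string.punctuation  # 94 characters
ALNUM = string.ascii_letters + string.digits                      # 62 characters
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate; on average a hit takes half as long."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def min_length_for(target_bits: float, alphabet_size: int) -> int:
    """Shortest length over a smaller alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(length: int, alphabet: str = FULL) -> str:
    """Random password from the OS CSPRNG, each character drawn uniformly."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    cases = [
        ("95 chars, length 11", 95, 11),
        ("95 chars, length 12", 95, 12),
        ("letters+digits, length 10", len(ALNUM), 10),
        ("letters+digits, length 16", len(ALNUM), 16),
    ]
    for label, size, length in cases:
        print(f"{label:28} {entropy_bits(size, length):6.1f} bits "
              f"{years_to_exhaust(size, length):16,.0f} years")
    # Length a letters+digits site must allow to match 11 characters from 95.
    needed = min_length_for(entropy_bits(95, 11), len(ALNUM))
    print("letters+digits length matching 95^11:", needed)
    print("sample for such a site:", generate(needed, ALNUM))
```

Under these assumptions a random 10-character letters-and-digits password falls short of the 11-character full-alphabet one by about 13 bits, and 13 characters are needed to match it without symbols.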