Account breaches reported by CERT Polska in recent years keep showing the same factor: credentials that were too short, reused across sites or stored in plain text on the user's device. The mechanics of password attacks have not changed fundamentally, but the speed at which they run has. A password that would have taken months to crack a decade ago can now be broken in hours on commodity hardware.

This article looks at what actually makes a password strong, how password managers work and which options are accessible to users based in Poland.

What automated attacks actually do

The two most common attack types are dictionary attacks and brute-force attacks. A dictionary attack runs through a list of known words, common phrases and passwords leaked in previous breaches, plus their variations (cracking tools apply mangling rules such as replacing 'a' with '@' or appending '123'). A brute-force attack tries every possible character combination, starting from the shortest sequences. Both are usually run offline against password hashes stolen from a service, so the number of guesses per second depends as much on the service's hashing function as on the attacker's hardware.

What determines how long either attack takes is not the content of your password in any human sense. It is the number of possible combinations, and that arithmetic only holds if the password was actually chosen at random. A 12-character password using only lowercase letters has 26¹² possible values (about 10¹⁷). Adding uppercase letters, digits and symbols expands that to 94¹² (about 5 × 10²³), roughly five million times more combinations. In the worst case the attacker's hardware has to work through all of them; on average, half.

Practical threshold: NIST's digital identity guidelines (SP 800-63B) recommend a minimum password length of 15 characters. At that length, even a cluster making a trillion guesses per second against a fast hash would need billions of years to exhaust a mixed-character set.

The structure of a strong password

Three factors determine password strength in practice:

Length

Length contributes more to resistance than character variety. A random 20-character password using only lowercase letters (about 94 bits of entropy) is harder to crack than a random 10-character password using all printable character types (about 66 bits). Set a minimum of 16 characters for accounts that hold financial or medical information, and at least 12 for lower-stakes accounts; once a manager generates and stores them, longer costs nothing.

Randomness

Human-chosen passwords are predictable. People tend to use names, dates, places and words that are meaningful to them — exactly the patterns that dictionary attacks exploit first. A password generator produces sequences with no pattern and no connection to the user's personal data.

Uniqueness

Each account needs its own password. When a breach occurs at one service — and breaches at Polish e-commerce and media platforms have been documented regularly since 2020 — attackers immediately test the stolen credentials on banking, email and social media platforms. This technique, called credential stuffing, works only when passwords are reused.

What makes a passphrase different

A passphrase is a sequence of unrelated words: correct horse battery staple is the example made famous by the xkcd comic of the same name. Four random common words produce a password that is long, memorable and statistically strong: drawn from a 7776-word list, four words give about 52 bits of entropy and six give about 78. The randomness here comes from selecting the words at random, not from choosing words that feel unrelated to you, which is not the same thing.

Diceware, the method devised by Arnold Reinhold, assigns a five-digit dice roll (11111 to 66666, so 6⁵ = 7776 entries) to each word in a list; rolling physical dice to pick each word produces genuinely random results. The Electronic Frontier Foundation publishes word lists built for this, including a long list of 7776 words chosen to be easy to spell and type.
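To put numbers on the keyspace arithmetic from the attack section, the length-versus-variety claim above, and the Diceware procedure, here is an added Python example written for this article; it is not code from the EFF or the Diceware project. It rolls dice with the OS CSPRNG instead of physical dice, parses the EFF file format (one `<roll><tab><word>` line per entry), and uses a constructed 7776-entry stand-in list so it runs offline; the guess rates passed to the crack-time helper are assumptions for illustration, not measurements.

```python
import math
import secrets

# EFF long list: five d6 rolls select one of 6**5 == 7776 words (about 12.9 bits each).
DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD
LOWERCASE = 26
PRINTABLE_ASCII = 94  # lower + upper + digits + 32 printable symbols


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a sequence whose symbols were chosen uniformly at random.
    Human-chosen passwords do NOT reach this bound; dictionary attacks try them first."""
    return symbols * math.log2(choices_per_symbol)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate. The rate depends
    far more on the service's hash function (MD5 vs bcrypt) than on the attacker's GPUs."""
    return 2.0 ** bits / guesses_per_second


def words_needed(target_bits: float, list_size: int = LIST_SIZE) -> int:
    """Smallest number of Diceware words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def roll_dice(n: int) -> str:
    """n fair dice rolled with the OS CSPRNG, e.g. '36251'. Physical dice work the same way."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def dice_to_index(roll: str) -> int:
    """Map a Diceware roll ('11111'..'66666') to a 0-based list index: base 6, digits 1..6."""
    index = 0
    for ch in roll:
        face = int(ch)
        if not 1 <= face <= 6:
            raise ValueError(f"bad die face {ch!r} in roll {roll!r}")
        index = index * 6 + (face - 1)
    return index


def parse_eff_wordlist(lines):
    """Parse '<roll>\\t<word>' lines (the EFF file format) into {index: word}."""
    words = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        roll, word = line.split("\t", 1)
        if len(roll) != DICE_PER_WORD:
            raise ValueError(f"roll {roll!r} is not {DICE_PER_WORD} dice")
        words[dice_to_index(roll)] = word.strip()
    return words


def generate_passphrase(wordlist, n_words: int, separator: str = " ") -> str:
    """n_words words chosen by independent dice rolls. Never pick or swap words yourself."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError(f"need exactly {LIST_SIZE} words, got {len(wordlist)}")
    return separator.join(
        wordlist[dice_to_index(roll_dice(DICE_PER_WORD))] for _ in range(n_words)
    )


# CONSTRUCTED stand-in so the example runs offline. With the real EFF list:
#   with open("eff_large_wordlist.txt") as f: wordlist = parse_eff_wordlist(f)
STAND_IN_LIST = {i: f"word{i:04d}" for i in range(LIST_SIZE)}

if __name__ == "__main__":
    # Keyspace comparison from the attack section: about five million times, not trillions.
    ratio = 2 ** (entropy_bits(PRINTABLE_ASCII, 12) - entropy_bits(LOWERCASE, 12))
    print(f"94^12 / 26^12 = {ratio:.3g}")
    # Length beats character variety when both passwords are random.
    print(f"20 lowercase: {entropy_bits(LOWERCASE, 20):.1f} bits, "
          f"10 all classes: {entropy_bits(PRINTABLE_ASCII, 10):.1f} bits")
    # ASSUMED rate: 1e12 guesses/s against a fast unsalted hash; bcrypt would be closer to 1e5.
    years = seconds_to_exhaust(entropy_bits(PRINTABLE_ASCII, 15), 1e12) / (365.25 * 86400)
    print(f"15 random printable chars at 1e12/s: {years:.2e} years")
    print(f"Diceware words for 80 bits: {words_needed(80)}")
    print(generate_passphrase(STAND_IN_LIST, 6))
```

The rule enforced by `generate_passphrase` is the one that matters in practice: the word count is fixed up front and every word comes from its own roll, so the user never gets to "improve" the result by hand.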

Password managers: how they work

A password manager is software that stores all your passwords in an encrypted database, protected by a single master password. When you need to log into a site, the manager retrieves the correct credential without you having to type or remember it. Most managers also generate new random passwords at whatever length and character set you specify.

The encryption used by established managers, typically AES-256 with a key derived from your master password by a deliberately slow key derivation function such as PBKDF2 or Argon2, means that even if the manager's servers were compromised, the attacker would receive an encrypted blob that cannot be read without your master password. This architecture is described as zero-knowledge: the provider never receives the master password or the vault key, only an authentication value derived from them. The flip side is that the master password is the only thing protecting a stolen vault, and a weak one can be guessed offline at whatever rate the key derivation function allows.
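The following Python example, added here and not taken from any manager's code base, shows the part of that design that runs on the client: a slow, salted key derivation from the master password, domain-separated keys so that the value the provider stores for login cannot be used to decrypt the vault, and the guessing cost the iteration count imposes on whoever steals the stored record. The iteration count, HMAC labels and hash rate are assumptions for illustration. Encrypting the vault body with AES-256-GCM under `vault_key` is left out because the standard library has no AES; a library such as `cryptography` would do it.

```python
import hashlib
import hmac
import os

# ASSUMED work factor for PBKDF2-HMAC-SHA256 in this example. Argon2id is preferable
# where a library for it is available; the design below does not change.
KDF_ITERATIONS = 600_000


def derive_master_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation: every guess an attacker makes costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def split_keys(master_key: bytes) -> tuple:
    """Domain separation: the vault key never leaves the client; the auth key is what the
    client proves knowledge of to the server. Neither can be computed from the other."""
    vault_key = hmac.new(master_key, b"vault-encryption-key", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-authentication-key", hashlib.sha256).digest()
    return vault_key, auth_key


def register(master_password: str, salt: bytes = None, iterations: int = KDF_ITERATIONS) -> tuple:
    """Returns (record the provider stores, vault key that stays on the client)."""
    salt = salt if salt is not None else os.urandom(16)
    vault_key, auth_key = split_keys(derive_master_key(master_password, salt, iterations))
    record = {
        "salt": salt,
        "iterations": iterations,  # stored so the work factor can be raised later
        # The provider hashes the auth key once more; it never sees vault_key at all.
        "auth_verifier": hashlib.sha256(auth_key).digest(),
    }
    return record, vault_key


def login(master_password: str, record: dict) -> bool:
    """Client re-derives the keys; the verifier comparison is constant-time."""
    _, auth_key = split_keys(
        derive_master_key(master_password, record["salt"], record["iterations"])
    )
    return hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["auth_verifier"])


def offline_attack_seconds(candidates: int, iterations: int, hmac_per_second: float) -> float:
    """Cost of trying `candidates` master passwords against a stolen record or vault."""
    return candidates * iterations / hmac_per_second


if __name__ == "__main__":
    record, vault_key = register("correct horse battery staple")
    print("login ok:", login("correct horse battery staple", record))
    print("wrong password:", login("correct horse battery stapler", record))
    # ASSUMED rate: 1e9 HMAC-SHA256/s. 2**40 candidates stands for a 40-bit master password.
    print(f"plain SHA-256: {offline_attack_seconds(2**40, 1, 1e9):.3g} s")
    years = offline_attack_seconds(2**40, KDF_ITERATIONS, 1e9) / (365.25 * 86400)
    print(f"PBKDF2 x{KDF_ITERATIONS}: {years:.3g} years")
```

Two things to take from it: the stolen record gives the attacker only the salt, the iteration count and a verifier, so the only route to the vault is guessing master passwords at full KDF cost; and raising the iteration count multiplies the attacker's cost while the legitimate user pays it once per login.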

Bitwarden

Bitwarden is an open-source manager whose source code has been reviewed by independent auditors, and the company publishes the audit results. The free plan covers unlimited devices and unlimited passwords, which is unusual in the market. The paid Premium plan (about 10 US dollars per year) adds encrypted file attachments and emergency access. Bitwarden's server infrastructure is hosted in the US and the EU, and the region is chosen when the account is created.

KeePass / KeePassXC

KeePass and the cross-platform community port KeePassXC store the database locally as an encrypted .kdbx file, with no cloud component. The user controls where backups go and what software touches the file. This makes it the choice for users who do not want any cloud involvement. The trade-off is synchronisation between devices, which is either manual or done by copying the file through a storage service you already trust. KeePassXC is available for Windows, macOS and Linux; a compatible app called KeePassDX runs on Android.

Built-in browser managers

Chrome, Firefox and Edge all include built-in password managers. They are convenient and generate strong passwords on request. The limitations are that credentials are tied to one browser and its sync account, are not easily moved to another browser, and the browsers' security review of the feature is less transparent than that of dedicated tools. They also typically unlock with the operating-system login rather than a separate master password, so malware running as the logged-in user can read the stored credentials; infostealers target exactly this. For users with a single browser on a single device, they are a reasonable starting point.

Two-factor authentication alongside passwords

Even a strong, unique password can be exposed in a phishing attack or a service-side breach. Two-factor authentication (2FA) adds a second check — typically a time-based one-time code generated by an app on your phone — that an attacker cannot obtain from a stolen password alone.

Authentication apps such as Google Authenticator, Aegis (Android, open-source) or Raivo (iOS) implement the TOTP standard (RFC 6238): the app and the service share a secret at enrolment, and each derives a code from that secret and the current 30-second interval, so a code expires once the interval passes. Enable 2FA on email accounts first, since email is used to reset passwords on virtually every other service.

Note on SMS-based 2FA: Codes sent by SMS are better than no second factor, but SMS is vulnerable to SIM-swapping attacks. An authentication app provides meaningfully stronger protection. A hardware security key (FIDO2/WebAuthn) is stronger still: the browser binds the key's response to the real site's domain, so a phishing page cannot relay it, whereas an app-generated code can be phished and replayed within its 30-second window.

Practical steps for users in Poland

  • Check whether your email address appears in a known breach at haveibeenpwned.com. If it does, change the password on that service immediately and on any other service where the same password was used.
  • Install a password manager before changing passwords. Setting up the manager first means you can generate strong unique passwords during the change process rather than using the same weak credential everywhere.
  • Set a master password for the manager itself using the Diceware method: at least six words (about 78 bits of entropy), which also takes you well past 20 characters. Write the master password on paper and store it somewhere physically secure; this is the one credential that cannot be stored in the manager.
  • Enable 2FA on your primary email account using an authentication app.
  • Change passwords on financial, medical and government services first, then work outward to social media, shopping and other accounts.

External references