PublicSoftTools
Security16 min read·PublicSoftTools Team·May 2026

Strong Password Guide — What Makes a Password Secure in 2026

Despite decades of password security advice, weak and reused passwords remain the leading cause of account compromises. The rules that many believe produce strong passwords — mixed case, numbers, special characters — are misunderstood. A short, complex password is weaker than a long, simple one. This guide covers what actually makes a password strong, what modern security standards recommend, and the tools that make good security practical.

Password Strength: What Actually Matters

Password typeExampleEntropyEstimated crack timeVerdict
Single dictionary word"password", "sunshine"~0–16 bitsInstantly (in any wordlist)Never use
Word + number + symbol"Password1!"~28–35 bitsSeconds to minutes (common pattern)Still weak — extremely predictable pattern
3-word passphrase"BlueDogRuns"~39 bits (3 common words)Hours to days against targeted attackMarginal — passphrase needs more entropy
4-word random passphrase (Diceware)"correct-horse-battery-staple"~51 bits (4 common words)Years with massive attack resourcesAcceptable for many purposes
6-word random passphrase (Diceware)6 random common words~77 bitsBillions of years at any feasible attack rateStrong — excellent for master passwords
16+ random characters (mixed)"k7$mPq!2xWr#nL9v"~100+ bitsAstronomically longVery strong — best for password manager generated
Repeated/varied password"Facebook1!", "Twitter1!"N/A — predictable patternSeconds after one breach exposes patternExtremely dangerous — credential stuffing risk

What Is Password Entropy?

Password entropy measures randomness — how many guesses an attacker would need to try on average to find your password. It is measured in bits: each bit doubles the search space.

Entropy (bits) = log₂(possible characters)^length = length × log₂(character set size)

Character set sizes:

A 16-character random password using full ASCII has 16 × 6.57 = ~105 bits of entropy. This is effectively uncrackable with any realistic attack — even at 10 billion guesses per second, it would take longer than the age of the universe.

NIST Password Guidelines (Current Standards)

NIST recommendationDetails
Minimum 8 characters; prefer 15+NIST SP 800-63B recommends at least 8 characters for user-chosen passwords; systems should allow up to 64+ characters.
Allow all ASCII and Unicode charactersDo NOT restrict special characters or maximum length — restrictions force weaker passwords by limiting entropy.
Do not require arbitrary complexity rulesMandatory uppercase, number, symbol requirements produce predictable patterns (Password1!) without increasing real-world security.
Do not force periodic password changesFrequent mandatory changes lead to predictable incremental changes (password1 → password2) and reduced overall strength.
Check new passwords against known-breach listsBlock passwords that appear in known data breach dumps (HaveIBeenPwned API). These are the first passwords attackers try.
Use a password managerEnables unique, long, random passwords for every site without memorisation burden. This is the single most impactful security improvement.

Why Complexity Rules Fail

Requirements like "must include uppercase, lowercase, number, and special character" are counterproductive because they are predictable: users overwhelmingly produce the same patterns — a capitalised first letter, numbers at the end, a ! or @ after the number. Security researchers (including NIST) have demonstrated that these patterns are so predictable that cracking tools specifically target them.

"Password1!" technically satisfies most complexity requirements but is one of the most commonly used passwords in breach data. The complexity rules gave users a false sense of security while providing minimal real entropy.

The 2017 NIST SP 800-63B guidelines explicitly recommended removing mandatory complexity rules for this reason.

Passphrases: The Human-Friendly Alternative

A passphrase is a sequence of random, unrelated words. The most cited example is from XKCD "Password Strength" (2011): "correct horse battery staple."

Why passphrases work:

Passphrases are most useful when you need a memorable, typeable password: laptop login, password manager master password, or encrypted disk passphrase.

Password Managers

A password manager solves the fundamental problem: you cannot remember 50+ unique, strong passwords. A password manager stores all your passwords encrypted behind one strong master password (or biometric) and can:

Popular options: Bitwarden (open-source, free tier), 1Password, Dashlane, KeePass (local-only, free, open-source). Apple Keychain and Google Password Manager are built into their respective ecosystems. Using any password manager is dramatically better than reusing passwords.

Multi-Factor Authentication (MFA)

Even a strong password provides limited protection if stolen in a data breach. Multi-factor authentication adds a second layer — something you have (phone, hardware key) or something you are (biometric) — so a stolen password alone is not enough to compromise the account.

MFA options in order of security:

Common Password Mistakes

Common Questions

How do I check if my password has been in a data breach?

Use the password strength checker which evaluates entropy and common patterns. To check breach exposure, visit HaveIBeenPwned (haveibeenpwned.com) — it uses k-anonymity (only a hash prefix is sent) so your password is never transmitted. Most modern password managers also alert you to breached passwords automatically.

Should I change passwords regularly?

Current guidance (NIST, NCSC) is to not change passwords on a fixed schedule unless there is reason to believe they have been compromised. Forced regular changes lead to predictable incremental patterns ("password1" → "password2") that weaken security. Change your password immediately if a service notifies you of a breach, if you notice suspicious activity, or if you have shared a password you should not have.

Are passkeys better than passwords?

Passkeys (FIDO2/WebAuthn) are considered the future of authentication. They use public-key cryptography — the private key never leaves your device, is bound to the specific website (phishing-resistant), and authentication is confirmed by biometric or PIN locally. Passkeys cannot be stolen in a database breach (only the public key is stored). Major platforms (Apple, Google, Microsoft) and websites (GitHub, PayPal) increasingly support passkeys as a password replacement.

Check Your Password Strength

Analyse any password for entropy, common patterns, and breach exposure — free, private, nothing is stored or transmitted.

Open Password Strength Checker