Strong Password Guide — What Makes a Password Secure in 2026
Despite decades of password security advice, weak and reused passwords remain the leading cause of account compromises. The rules that many believe produce strong passwords — mixed case, numbers, special characters — are misunderstood. A short, complex password is weaker than a long, simple one. This guide covers what actually makes a password strong, what modern security standards recommend, and the tools that make good security practical.
Password Strength: What Actually Matters
| Password type | Example | Entropy | Estimated crack time | Verdict |
|---|---|---|---|---|
| Single dictionary word | "password", "sunshine" | ~0–16 bits | Instantly (in any wordlist) | Never use |
| Word + number + symbol | "Password1!" | ~28–35 bits | Seconds to minutes (common pattern) | Still weak — extremely predictable pattern |
| 3-word passphrase | "BlueDogRuns" | ~39 bits (3 common words) | Hours to days against targeted attack | Marginal — passphrase needs more entropy |
| 4-word random passphrase (Diceware) | "correct-horse-battery-staple" | ~51 bits (4 common words) | Years with massive attack resources | Acceptable for many purposes |
| 6-word random passphrase (Diceware) | 6 random common words | ~77 bits | Billions of years at any feasible attack rate | Strong — excellent for master passwords |
| 16+ random characters (mixed) | "k7$mPq!2xWr#nL9v" | ~100+ bits | Astronomically long | Very strong — best for password manager generated |
| Repeated/varied password | "Facebook1!", "Twitter1!" | N/A — predictable pattern | Seconds after one breach exposes pattern | Extremely dangerous — credential stuffing risk |
What Is Password Entropy?
Password entropy measures randomness — how many guesses an attacker would need to try on average to find your password. It is measured in bits: each bit doubles the search space.
Entropy (bits) = log₂(possible characters)^length = length × log₂(character set size)
Character set sizes:
- Lowercase letters only (26): 1 character = 4.7 bits
- Lowercase + uppercase (52): 1 character = 5.7 bits
- Alphanumeric (62): 1 character = 5.95 bits
- Full ASCII printable (95): 1 character = 6.57 bits
A 16-character random password using full ASCII has 16 × 6.57 = ~105 bits of entropy. This is effectively uncrackable with any realistic attack — even at 10 billion guesses per second, it would take longer than the age of the universe.
NIST Password Guidelines (Current Standards)
| NIST recommendation | Details |
|---|---|
| Minimum 8 characters; prefer 15+ | NIST SP 800-63B recommends at least 8 characters for user-chosen passwords; systems should allow up to 64+ characters. |
| Allow all ASCII and Unicode characters | Do NOT restrict special characters or maximum length — restrictions force weaker passwords by limiting entropy. |
| Do not require arbitrary complexity rules | Mandatory uppercase, number, symbol requirements produce predictable patterns (Password1!) without increasing real-world security. |
| Do not force periodic password changes | Frequent mandatory changes lead to predictable incremental changes (password1 → password2) and reduced overall strength. |
| Check new passwords against known-breach lists | Block passwords that appear in known data breach dumps (HaveIBeenPwned API). These are the first passwords attackers try. |
| Use a password manager | Enables unique, long, random passwords for every site without memorisation burden. This is the single most impactful security improvement. |
Why Complexity Rules Fail
Requirements like "must include uppercase, lowercase, number, and special character" are counterproductive because they are predictable: users overwhelmingly produce the same patterns — a capitalised first letter, numbers at the end, a ! or @ after the number. Security researchers (including NIST) have demonstrated that these patterns are so predictable that cracking tools specifically target them.
"Password1!" technically satisfies most complexity requirements but is one of the most commonly used passwords in breach data. The complexity rules gave users a false sense of security while providing minimal real entropy.
The 2017 NIST SP 800-63B guidelines explicitly recommended removing mandatory complexity rules for this reason.
Passphrases: The Human-Friendly Alternative
A passphrase is a sequence of random, unrelated words. The most cited example is from XKCD "Password Strength" (2011): "correct horse battery staple."
Why passphrases work:
- Each word from a 2,048-word list adds ~11 bits of entropy. Four words = ~44 bits; six words = ~66 bits.
- The words must be truly random — not chosen by a human. Humans are terrible at choosing random words and unconsciously choose related or personally meaningful words, vastly reducing actual entropy.
- Diceware is the standard method: roll five dice per word, use the result to look up a word in the Diceware wordlist. Genuine dice rolls are truly random.
Passphrases are most useful when you need a memorable, typeable password: laptop login, password manager master password, or encrypted disk passphrase.
Password Managers
A password manager solves the fundamental problem: you cannot remember 50+ unique, strong passwords. A password manager stores all your passwords encrypted behind one strong master password (or biometric) and can:
- Generate unique, random, strong passwords for every site
- Auto-fill credentials, reducing phishing risk (it won't fill on a fake site)
- Alert you when a stored password appears in a data breach
- Sync across devices
Popular options: Bitwarden (open-source, free tier), 1Password, Dashlane, KeePass (local-only, free, open-source). Apple Keychain and Google Password Manager are built into their respective ecosystems. Using any password manager is dramatically better than reusing passwords.
Multi-Factor Authentication (MFA)
Even a strong password provides limited protection if stolen in a data breach. Multi-factor authentication adds a second layer — something you have (phone, hardware key) or something you are (biometric) — so a stolen password alone is not enough to compromise the account.
MFA options in order of security:
- Hardware security key (FIDO2/passkey): Most secure. Phishing-resistant. YubiKey, Google Titan Key.
- Authenticator app TOTP (6-digit codes): Very secure. Google Authenticator, Authy, Bitwarden Authenticator. Generates time-based one-time passwords.
- SMS/email codes: Less secure. Vulnerable to SIM-swap attacks (SMS) and email compromise. Better than nothing.
Common Password Mistakes
- Reusing passwords: If one site is breached, attackers try those credentials on all major services (credential stuffing). Password reuse is the #1 attack vector.
- Predictable substitutions: P@ssw0rd, S3cur1ty!, c0mputer — letter-to-symbol substitutions are in every cracking dictionary.
- Personal information: Names, dates, pets, sports teams — all are tried early in targeted attacks.
- Short passwords: Even full-ASCII 8-character passwords have ~52 bits of entropy — within range of high-end attack hardware given enough time and leaked hash algorithms.
- Writing passwords down unsecurely: A sticky note on a monitor is a physical security risk. A password manager is far safer.
Common Questions
How do I check if my password has been in a data breach?
Use the password strength checker which evaluates entropy and common patterns. To check breach exposure, visit HaveIBeenPwned (haveibeenpwned.com) — it uses k-anonymity (only a hash prefix is sent) so your password is never transmitted. Most modern password managers also alert you to breached passwords automatically.
Should I change passwords regularly?
Current guidance (NIST, NCSC) is to not change passwords on a fixed schedule unless there is reason to believe they have been compromised. Forced regular changes lead to predictable incremental patterns ("password1" → "password2") that weaken security. Change your password immediately if a service notifies you of a breach, if you notice suspicious activity, or if you have shared a password you should not have.
Are passkeys better than passwords?
Passkeys (FIDO2/WebAuthn) are considered the future of authentication. They use public-key cryptography — the private key never leaves your device, is bound to the specific website (phishing-resistant), and authentication is confirmed by biometric or PIN locally. Passkeys cannot be stolen in a database breach (only the public key is stored). Major platforms (Apple, Google, Microsoft) and websites (GitHub, PayPal) increasingly support passkeys as a password replacement.
Check Your Password Strength
Analyse any password for entropy, common patterns, and breach exposure — free, private, nothing is stored or transmitted.
Open Password Strength Checker