How to Create a Strong Password: Security Guide for 2026
Quick Answer
- A strong password is long, random, and unique — 12+ characters using upper, lower, numbers, and symbols.
- NIST no longer recommends forced rotation. Change passwords only when compromised, not on a schedule.
- A 4-word random passphrase beats a complex 8-character password on both memorability and entropy.
- Use a password manager and enable two-factor authentication on every account that supports it.
The State of Password Security in 2026
The most common password globally in 2024 was still “123456” — crackable in under one second, according to the NordPass 2024 Most Common Passwords report. It has held that spot, or close to it, for nearly a decade. Meanwhile, Verizon’s 2024 Data Breach Investigations Report found that 81% of hacking-related breaches involve stolen or weak passwords.
Password security is not a niche technical concern. It is the most common point of failure in account security, and most of the risk comes from two behaviors: using predictable passwords and reusing the same password across multiple sites. According to a 2024 Google/Harris poll, 52% of people reuse the same password for multiple accounts, and 13% use the same password for everything.
When a site you use gets breached, attackers take the leaked credentials and try them on every major service — Gmail, banks, Amazon, social media. This is called credential stuffing. If you reused that password, every account using it is now compromised. One breach cascades into many.
What Makes a Password Strong
Three factors determine password strength: length, randomness, and character variety. Of these, length matters most.
Length is the primary driver of strength because it expands the search space exponentially. Each additional character multiplies the number of possible combinations by the size of the character set. A 16-character password from a pool of 94 printable ASCII characters has 94^16 possible combinations — a number with 31 digits.
Randomness means the password was generated without human influence. Humans are terrible at randomness. We gravitate toward words, names, dates, keyboard patterns, and predictable substitutions (“@” for “a”, “3” for “e”). Attackers know this and run dictionary attacks that account for these patterns before brute-forcing character by character.
Character variety expands the pool of possible characters per position. A password using only lowercase letters has 26 options per character. Add uppercase, numbers, and symbols and you get 94. That difference is significant at every length.
Password Entropy: The Math Behind Strength
Entropy measures password strength in bits. Each bit doubles the number of guesses required to crack the password. The formula is:
Entropy (bits) = log2(character set size) × password length
For example, a 12-character password using upper, lower, numbers, and symbols (94 characters total): log2(94) × 12 ≈ 73 bits. At modern GPU cracking speeds, a 73-bit password would take billions of years to brute-force.
| Password Type | Example | Entropy | Time to Crack |
|---|---|---|---|
| 6 chars, lowercase | “hello” | 28 bits | <1 second |
| 8 chars, lower+upper | “PaSsWord” | 46 bits | Minutes |
| 10 chars, complex | “P@ssw0rd!” | 53 bits | Hours |
| 12 chars, random | “kX7$mNqP2&rL” | 73 bits | Centuries |
| 16 chars, random | (generated) | 98 bits | Trillions of years |
| 4-word passphrase | “correct-horse-battery-staple” | 44 bits | Years |
Notice that “P@ssw0rd!” — the kind of password many sites accept as “strong” — has only 53 bits of entropy. That is crackable in hours with a modern GPU and a good dictionary. True randomness at 12+ characters is what makes the difference.
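The formula above is easy to apply by hand for one case, but a small calculator makes the comparison between character pools, lengths, and word lists concrete. The following is an added example, not code from the article; the guess rate passed to `seconds_to_crack` is an assumption (it varies by orders of magnitude with the hash function the service uses), and the word-list sizes are the 7,776-word diceware list and the 2,048-word list behind the 44-bit xkcd figure. It goes one step beyond the article by treating a passphrase with the same formula, with the word list as the "character set".

```python
import math
import string

# Character classes and their sizes, matching the article's pool of 94:
# 26 lowercase + 26 uppercase + 10 digits + 32 printable ASCII symbols.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,  # 32 characters
}


def charset_size(password: str) -> int:
    """Size of the smallest pool containing every character class the password uses."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy (bits) = log2(pool size) x length, for a password drawn uniformly from the pool."""
    return math.log2(pool_size) * length


def password_entropy(password: str) -> float:
    """Entropy of a password, ASSUMING it was generated uniformly from the classes it uses.
    A human-chosen password such as 'P@ssw0rd!' scores well here yet falls to a dictionary."""
    return entropy_bits(charset_size(password), len(password))


def passphrase_entropy(word_count: int, wordlist_size: int = 7776) -> float:
    """Same formula with words as the symbols: the pool is the word list (7,776 for diceware)."""
    return entropy_bits(wordlist_size, word_count)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guess rate.
    The rate is an assumption: fast hashes (MD5, SHA-1) allow billions of guesses
    per second on one GPU, slow ones (bcrypt, Argon2) only thousands."""
    return 2 ** bits / guesses_per_second


def describe(password: str, guesses_per_second: float = 1e10) -> str:
    """One-line summary of a password under the uniform-generation assumption."""
    bits = password_entropy(password)
    secs = seconds_to_crack(bits, guesses_per_second)
    return (f"{len(password)} chars from a pool of {charset_size(password)}: "
            f"{bits:.1f} bits, up to {secs:.3g} s at {guesses_per_second:.0e} guesses/s")


if __name__ == "__main__":
    for pw in ("hello", "PaSsWord", "P@ssw0rd!", "kX7$mNqP2&rL"):
        print(describe(pw))
    for words, size in ((4, 2048), (4, 7776), (6, 7776)):
        print(f"{words} words from {size}: {passphrase_entropy(words, size):.1f} bits")
```

Two caveats worth keeping in mind when reading the output. First, the formula measures a generator's output, not a human's choice: `password_entropy("P@ssw0rd!")` reports about 59 bits, yet a dictionary-aware cracker reaches it within its first few million guesses, which is why the article treats it as an hours-to-crack password. Second, applied literally to a 94-character pool, 12 characters come to about 78.7 bits; the article's 73-bit figure corresponds to a pool of roughly 68 characters. For word lists, `passphrase_entropy(4, 2048)` gives exactly 44 bits, while a 7,776-word diceware list gives about 12.9 bits per word, so six words come to roughly 77.5 bits.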
NIST Password Guidelines: What Actually Changed
NIST Special Publication 800-63B, first published in 2017 and updated in 2023, represents the most significant shift in official password guidance in decades. Several recommendations reversed long-standing conventional wisdom.
Length over complexity. NIST now recommends prioritizing password length over complexity rules. A long, memorable passphrase is better than a short, character-mangled password. The minimum recommended length is 8 characters, but 15+ is better.
No forced rotation. NIST explicitly advises against requiring users to change passwords on a fixed schedule. Forced rotation leads to predictable, incremental changes (“Password1” becomes “Password2”) that weaken security. Change passwords only when there is evidence of compromise.
No complexity theater. Requirements like “must include one uppercase, one number, one symbol” do not significantly increase security and cause users to make passwords less random, not more. NIST advises against these composition rules.
Check against known breaches. NIST recommends that services screen new passwords against lists of commonly used or previously breached passwords. A technically complex password that appears in a breach database is useless.
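The four recommendations above translate directly into a small server-side check: a length floor, no composition rules, and a lookup against a breached-password list. The following is an added example, not the article's or NIST's code. The breached corpus and its counts are constructed inline so the code runs offline; the lookup is shaped like the k-anonymity range query used by Have I Been Pwned (`https://api.pwnedpasswords.com/range/<prefix>`), where only the first five hex characters of the SHA-1 hash leave the client and the match is completed locally, so a real deployment would swap `lookup_range_offline` for that HTTP call.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample corpus standing in for a breached-password list.
# The counts are made up for the example.
SAMPLE_BREACHED = {
    "123456": 1_000_000,
    "password": 500_000,
    "qwerty": 250_000,
    "P@ssw0rd!": 1_200,
    "Password1": 80_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, str]:
    """Group hashes by their first 5 hex digits into the 'SUFFIX:COUNT' line
    format a k-anonymity range endpoint returns for that prefix."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in ranges.items()}


RANGE_INDEX = build_range_index(SAMPLE_BREACHED)


def lookup_range_offline(prefix: str) -> str:
    """Stand-in for the network call: all suffixes sharing this 5-character prefix."""
    return RANGE_INDEX.get(prefix, "")


def breach_count(password: str,
                 lookup_range: Callable[[str], str] = lookup_range_offline) -> int:
    """How many times the password appears in breach data (0 if absent).
    Only the hash prefix is sent; the suffix comparison happens here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str, min_length: int = 8,
                   lookup_range: Callable[[str], str] = lookup_range_offline) -> List[str]:
    """NIST SP 800-63B style acceptance check: a length floor, no composition
    rules, and rejection of anything found in breach data. Returns the failures."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    count = breach_count(password, lookup_range)
    if count:
        problems.append(f"appears {count} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd!", "kX7$mNqP2&rL"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that `P@ssw0rd!` passes the length floor and would satisfy any composition rule, yet is rejected because it is on the list, which is exactly the point of the fourth recommendation.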
Common Password Mistakes
Using Predictable Patterns
The most cracked passwords follow a handful of patterns: dictionary words, names + birth years (John1985), keyboard walks (qwerty, 123456), and leet speak substitutions (p@ssw0rd). Attackers run these patterns first because they work. A password that feels clever — adding “!” at the end, capitalizing the first letter — provides almost no additional security against modern cracking tools.
Password Reuse
Reusing passwords turns every breach into a multi-account compromise. There have been billions of credentials exposed in breaches in the last decade. Services like Have I Been Pwned maintain databases of over 12 billion breached passwords. If you reuse passwords, it is only a matter of time before one of those breaches affects you.
Short Passwords
An 8-character password that was “strong” in 2010 is not strong in 2026. GPU cracking hardware has improved by several orders of magnitude. NIST’s minimum of 8 characters is a floor, not a goal. Aim for 12 to 16 for most accounts and 20+ for critical ones.
Incremental Changes
When forced to change passwords, most users simply increment a number or add a character at the end. Attackers know this. When a breached password is available, tools automatically generate likely variations. If “Password1” is in the database, “Password2” gets checked first.
Passphrase vs. Password
A passphrase is a sequence of random words used as a password. The concept was popularized by the XKCD comic “Password Strength,” which demonstrated that “correct horse battery staple” — four random common words — has more entropy than a typical complex short password and is far easier to remember.
The key word is random. “ILovePizza” is not a passphrase in this sense — it is a predictable phrase a human chose, which means it falls to dictionary and phrase-based attacks. A genuinely random passphrase uses words selected independently, ideally with dice (diceware) or a generator.
A 4-word diceware passphrase drawn from a 7,776-word list has about 44 bits of entropy. A 6-word passphrase exceeds 77 bits — stronger than most 12-character complex passwords and far more memorable. For accounts you need to type regularly without a password manager, a long random passphrase is often the better choice.
Where passphrases fall short: they are longer to type, some sites impose character limits that make them impractical, and they do not help with the reuse problem unless each passphrase is unique per site.
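Both the diceware passphrase and the random character password described above come down to the same discipline: every word or character is drawn independently from a fixed pool by a source of randomness a human did not influence. The following is an added example, not code from the article or from any particular generator. It uses Python's `secrets` module (the cryptographic RNG, not `random`), and the 36-word list indexed by two dice is constructed for the example; a real diceware list uses five dice and 7,776 words, and the dice-to-index mapping is the same idea at that scale.

```python
import secrets
import string

# Pool for generated character passwords: the 94 printable ASCII characters.
PASSWORD_POOL = string.ascii_letters + string.digits + string.punctuation

# Constructed 36-word list addressed by two dice, (1,1) through (6,6).
DICE = 2
TOY_WORDLIST = [
    "acorn", "badge", "cabin", "delta", "eagle", "fable",
    "gamma", "habit", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "olive", "piano", "quilt", "radio",
    "salad", "tiger", "ultra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "blaze", "cedar", "dusty",
    "ember", "frost", "glade", "hazel", "ivory", "jumbo",
]
assert len(TOY_WORDLIST) == 6 ** DICE


def roll_dice(count: int) -> tuple:
    """Roll `count` six-sided dice using the OS cryptographic RNG."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(count))


def dice_to_index(rolls) -> int:
    """Read the rolls as a base-6 number: (1,1) -> 0, (1,2) -> 1, ..., (6,6) -> 35."""
    index = 0
    for face in rolls:
        index = index * 6 + (face - 1)
    return index


def generate_passphrase(word_count: int = 4, wordlist=TOY_WORDLIST,
                        dice: int = DICE, sep: str = "-") -> str:
    """Diceware: each word is chosen by an independent set of rolls, so no word
    depends on the previous one and the entropy is log2(len(wordlist)) per word."""
    words = [wordlist[dice_to_index(roll_dice(dice))] for _ in range(word_count)]
    return sep.join(words)


def generate_password(length: int = 16, pool: str = PASSWORD_POOL) -> str:
    """Each position is drawn uniformly from the pool. No composition rule is
    forced, which keeps every position independent and the entropy at
    log2(len(pool)) * length."""
    return "".join(secrets.choice(pool) for _ in range(length))


if __name__ == "__main__":
    print(generate_passphrase())
    print(generate_password())
```

The toy list gives only about 5.2 bits per word, so a four-word passphrase from it is far too weak for real use; the structure is what matters, and swapping in a 7,776-word list raises that to about 12.9 bits per word without changing any code.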
Password Managers: The Practical Solution
The only scalable solution to the password problem is a password manager. You use one strong master password to unlock a vault that generates and stores unique, random passwords for every site you use. You never know what your Amazon password is. You do not need to.
Password managers are recommended by NIST, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Cyber Security Centre (NCSC). The concern — “what if the password manager gets hacked?” — is real but overstated. Reputable managers store passwords in an encrypted vault that requires your master password to decrypt. Even if the company is breached, attackers get encrypted data they cannot read without your master key.
Widely used, well-audited options include Bitwarden (open source, free tier available), 1Password, and Dashlane. Choose one that supports all your devices, uses end-to-end encryption, and has undergone independent security audits.
Two-Factor Authentication
Two-factor authentication (2FA) adds a second layer of verification beyond your password. Even if an attacker steals your password, they cannot log in without the second factor. It is the single most effective thing you can do to protect your accounts.
The strongest forms of 2FA, in order: hardware security keys (YubiKey, Google Titan), authenticator apps (Google Authenticator, Authy, the built-in authenticators in 1Password and Bitwarden), and SMS codes. SMS is the weakest because it is vulnerable to SIM swapping, but it is still far better than no 2FA at all.
Enable 2FA first on your email account (everything else can be reset through email), then banking, then any account used for single sign-on. Most major services now support it. There is no good reason not to.
Frequently Asked Questions
What makes a password strong?
A strong password has three properties: length (12+ characters), randomness (not based on words, names, or patterns), and character variety (uppercase, lowercase, numbers, and symbols). Length matters most. A 16-character random password is exponentially harder to crack than an 8-character complex one, even if the shorter password has more symbol substitutions.
How long should a password be?
NIST Special Publication 800-63B recommends a minimum of 8 characters, but security researchers broadly recommend 12 to 16 characters for personal accounts and 20+ for high-value accounts like email or banking. A 12-character random password has approximately 73 bits of entropy — making brute-force attacks computationally infeasible with current hardware.
Should I use a passphrase instead of a password?
It depends on the situation. A 4-word random passphrase like “correct-horse-battery-staple” has roughly 44 bits of entropy — stronger than most short complex passwords and far easier to remember. A 6-word passphrase exceeds 77 bits. The key word is “random”: passphrases assembled from truly random words (using dice or a generator) are strong. Meaningful phrases like “ILovePizzaIn2024” are not.
How often should I change my password?
NIST’s updated guidance explicitly advises against forced periodic password rotation unless there is evidence of compromise. Changing passwords on a fixed schedule — every 90 days, for example — typically leads users to make predictable, incremental changes that weaken security rather than improve it. Change your password when you have a reason: a breach notification, suspected compromise, or shared access that needs to be revoked.
Is it safe to use a password manager?
Yes. Password managers are recommended by NIST, CISA, and virtually every major security organization. They let you use a unique, random password for every account without memorizing them. The risk of your password manager being compromised is far lower than the risk of reusing passwords across sites — and reuse is the primary attack vector in credential-stuffing attacks.
What is two-factor authentication and should I use it?
Two-factor authentication (2FA) requires a second proof of identity in addition to your password — typically a time-based code from an authenticator app, a hardware key, or an SMS message. Even if your password is stolen, an attacker cannot access your account without the second factor. Enable 2FA on every account that offers it, prioritizing email, banking, and any account used for single sign-on.