
How to Create Strong Passwords in 2026 — Length, Rules and Best Practices

2026-06-27 5 min read

Password security advice has evolved significantly over the past five years. Rules that were standard in 2015 — mixing uppercase, lowercase, numbers, and symbols — are now understood to produce passwords that feel complex but are statistically easy to crack. Here is what the research actually says.

The single most important factor: length

A modern GPU can attempt billions of password guesses per second. A short password with complex characters is cracked faster than a long password of simple words. The maths:

  • 8 characters, all character types: cracked in minutes
  • 12 characters, all character types: hours to days
  • 16 characters, all character types: months to centuries depending on entropy
  • 20+ characters, all character types: effectively uncrackable with current technology

Use at minimum 16 characters for standard accounts. Use 20 or more for your email, bank, and password manager.

What NIST recommends in 2026

The US National Institute of Standards and Technology updated its digital identity guidelines. Key points relevant to password creation:

  • Minimum 8 characters (but 15+ is better and now commonly required by modern systems)
  • Check passwords against known breach databases — do not use common passwords regardless of complexity
  • Length matters more than mandatory complexity rules
  • Do not use password hints that could be guessed from public information
  • Use a password manager — reusing passwords across sites is the most common cause of account compromise

True randomness vs human-chosen passwords

When humans choose passwords, even supposedly random-seeming ones follow predictable patterns. We substitute 0 for o and 3 for e, and we swap in ! for i or append it at the end. Cracking software accounts for these substitutions — they provide almost no additional security.

A cryptographically random password generated by software uses a hardware random number source (window.crypto.getRandomValues in browsers) that has no patterns. A 16-character cryptographically random password is vastly stronger than a 16-character human-chosen one of the same apparent complexity.

Passphrases as an alternative

A passphrase is four to six randomly chosen words: correct horse battery staple is the famous example (from xkcd comic 936). This approach works because the length creates high entropy while being memorisable. Randomly chosen words are the key — "ilovemydog2024" is predictable; "envelope circuit mustard February" is not.

What to avoid

  • Any word in any language, even with substitutions (l33t speak)
  • Your name, birthday, pet name, or any personal information
  • Keyboard patterns: qwerty, 123456, asdf
  • The site or service name in the password
  • Reusing any password across more than one account
  • Passwords shorter than 12 characters (16 is the modern minimum for anything that matters)

Password managers

The practical answer to password security is a password manager. You remember one strong master password; the manager generates and remembers unique 20+ character random passwords for every site. Bitwarden (free, open source), 1Password, and Apple Keychain are well-regarded options. With a password manager, every site gets a completely unique password — the single most effective thing you can do for account security.

Two-factor authentication

Even a strong password alone is insufficient if a site suffers a data breach that exposes hashed passwords, or if you are targeted by phishing. Enable two-factor authentication (2FA) on every account that supports it — particularly email, banking, and social media. An authenticator app (Google Authenticator, Authy) is more secure than SMS-based 2FA.

Frequently asked questions

How often should I change my passwords?

NIST no longer recommends periodic password changes unless you have reason to believe a password has been compromised. Forcing frequent changes leads to weaker passwords (users increment numbers or add a character). Instead, change passwords immediately after a known breach. Check haveibeenpwned.com to see if your email appears in known breach databases.

Is it safe to use a browser's built-in password manager?

Modern browser password managers (Chrome, Safari, Firefox, Edge) are reasonably secure — they encrypt saved passwords and sync via secure channels. They are significantly better than reusing passwords. A dedicated password manager like Bitwarden offers additional features: breach alerts, secure sharing, and cross-browser support.

What makes a password generator "cryptographically secure"?

A cryptographically secure random number generator uses hardware entropy sources that are statistically unpredictable — unlike software pseudo-random number generators (PRNGs), which produce deterministic sequences. The browser-based generator linked below uses window.crypto.getRandomValues, the same source browsers use for cryptographic operations.
