Free Tool Arena


How to create a strong password

The entropy math, 2026 NIST rules, passphrases vs passwords, password managers, MFA and hardware keys, where passkeys fit, 5 mistakes that still lose accounts, and recovery planning.

Updated April 2026 · 6 min read

Most compromised accounts aren’t the result of a sophisticated hack — they’re the result of weak passwords reused across sites. When one site leaks credentials (and several leak every year), those credentials get tried against every major service. This guide walks through what makes a password actually strong in 2026, where password managers fit, how passkeys are changing the landscape, and the five password mistakes still costing people their accounts.


What makes a password strong — the math

Password strength is measured in entropy (bits): the base-2 logarithm of the number of equally likely passwords an attacker has to try. Every extra bit doubles the work of a brute-force attack.

8 characters, lowercase only (26^8): about 37.6 bits.

8 characters, mixed case + digits + symbols (95^8): about 52.6 bits, roughly 32,000 times more work than the row above.

12 characters from the same 95-symbol set (95^12): about 79 bits, another 80 million times more.

16 characters from the 95-symbol set (95^16): about 105 bits, beyond brute force against any hash.

Turning bits into hours depends on how the site stores the password, not on the password itself. An unsalted MD5 or SHA-1 hash falls to GPU rigs testing tens of billions of guesses per second; bcrypt, scrypt or Argon2 with sane parameters cut that to tens of thousands per second. That is why the "hours to crack" figures quoted around the web disagree by orders of magnitude. The ratios between the rows above hold regardless of the hash.

Lesson: length beats complexity. 16 random lowercase letters (about 75 bits) beat 10 characters drawn from the full 95-symbol set (about 66 bits), and they are easier to type.

The 2026 password rules (NIST-aligned)

Modern guidance from NIST SP 800-63B:

Length first. NIST's own floor is 8 characters, with 15 recommended; this guide's advice is a minimum of 12 for sensitive accounts (banking, email, primary identity) and 15+ for accounts protecting high-value assets.

No mandatory complexity rules. NIST explicitly removed the old “must have an uppercase, a digit, and a symbol” rule because it produced predictable patterns like “Password1!” without real entropy gains.

No mandatory periodic changes. The old "change every 90 days" rule pushed users toward tiny increments (Password1 → Password2). Current guidance: force a change only when there is evidence of compromise.

Check against breach lists. Before accepting a password, verify it hasn't appeared in known data breaches. The Have I Been Pwned Pwned Passwords API does this without receiving the password: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally (k-anonymity).

Allow long passwords and paste. NIST requires accepting at least 64 characters. Blocking paste prevents password-manager usage, which is worse for security than anything paste could enable.

Passphrases vs passwords

A passphrase is 4-6 random words: "correct horse battery staple" is the xkcd example. Advantages:

Memorable. Humans remember words better than characters.

High entropy. 5 random words from a 7,776-word list (the EFF long wordlist) = about 64.6 bits of entropy, equivalent to a 10-character password drawn from the full 95-symbol set.

Typeable on mobile. Much faster than complex symbol-heavy passwords.

Critical requirement: words must be truly random. Roll dice or let your password manager pick them. A phrase that's meaningful to you ("mycatsnamedwhiskers") is weak: meaningful strings, song lyrics and famous quotes all appear in cracking dictionaries.
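The entropy arithmetic from the section above and the passphrase generation described here, as an added example that is not part of the original page. It computes bits for any alphabet size and length, generates passwords and diceware-style passphrases with the secrets module (a cryptographic source, unlike random), and shows the "length beats complexity" comparison numerically. The word list is a constructed eight-word stand-in for the EFF list; the entropy figure for passphrases uses the real list size of 7,776, which is why the constructed list size is not used for that calculation.

```python
import math
import secrets
import string

# 94 printable ASCII characters excluding space (the article's 95 includes space).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

EFF_LONG_LIST_SIZE = 7776  # real size of the EFF long wordlist
# Constructed stand-in for the wordlist so the block runs offline. Passphrases
# drawn from it are NOT strong (only 8 words); it exists to exercise the code.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "abacus", "zebra", "quartz", "lumber"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses before a brute-force hit: half the search space."""
    return 2 ** bits / 2


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Wall-clock estimate for a given attacker speed. The speed is the variable
    that depends on the site's hash: ~1e10/s for unsalted MD5 on a GPU rig,
    ~1e4/s for bcrypt at a sane cost factor (order-of-magnitude figures)."""
    return expected_guesses(bits) / guesses_per_second


def random_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password; secrets.choice draws from os.urandom."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count: int = 5, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: every word chosen independently and uniformly."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def length_beats_complexity() -> tuple[float, float]:
    """16 random lowercase letters vs 10 characters from the 95-symbol set."""
    return entropy_bits(26, 16), entropy_bits(95, 10)


if __name__ == "__main__":
    for size, length in [(26, 8), (95, 8), (95, 12), (95, 16)]:
        print(f"{length:2d} chars from {size:2d} symbols: {entropy_bits(size, length):6.1f} bits")
    print(f"5 EFF words: {entropy_bits(EFF_LONG_LIST_SIZE, 5):.1f} bits")
    bits = entropy_bits(95, 8)
    print(f"95^8 vs MD5 on GPU: {expected_crack_seconds(bits, 1e10) / 86400:.1f} days; "
          f"vs bcrypt: {expected_crack_seconds(bits, 1e4) / (86400 * 365):.0f} years")
    print(random_password(), "|", random_passphrase())
```

Running it shows the point the prose makes: the same 52.6-bit password is days of work against a fast hash and tens of thousands of years against bcrypt, while the bit counts themselves never change.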

Password manager — yes, use one

Password managers solve the fundamental impossibility of remembering 100+ unique strong passwords. Let the manager generate random 16-20 character passwords per site and store them.

Reputable options (2026): 1Password, Bitwarden (free tier is solid), Dashlane. Avoid LastPass for now: multiple 2022-2023 incidents have dented trust.

Browser-built-in managers (Chrome, Safari, Firefox) are OK for casual use but weaker on cross-device sync, breach alerts, and sharing features.

Your master password is now the most important password you have. Make it a long passphrase, unique, never used anywhere else, never written in plaintext. The manager can’t recover it for you — if you forget, your vault is unreadable.

Two-factor / multi-factor authentication (MFA)

Even the strongest password is useless once it is phished or leaked by a breached site. MFA requires a second factor, something you have (phone, hardware key), in addition to something you know (password).

SMS codes: better than nothing, but SIM-swapping attacks make them insecure for high-value accounts. Don’t rely on SMS for email, banking, or crypto.

TOTP apps (Authy, Google Authenticator; 1Password has one built in): 6-digit codes derived from a shared secret and the current 30-second time step. A good baseline, but a phishing page can relay a live code to the real site within its validity window, so TOTP is not phishing-resistant.

Hardware keys (YubiKey, Titan): strongest form. Phishing-resistant because the key's signature is bound to the site's origin, so a look-alike domain cannot obtain a usable response. Worth owning two (one primary, one backup) for critical accounts.

Passkeys — where things are heading

Passkeys replace passwords entirely with cryptographic key pairs stored on your device (phone, laptop, hardware key). You unlock the key with biometrics or a device PIN; the device signs a challenge from the site, and the private key never leaves it.

Advantages: unphishable (the signature is bound to the site's origin), nothing useful for a breach to leak (the server holds only a public key), no typing, no remembering.

Adoption in 2026: Google, Apple, Microsoft all support them. Major sites (Amazon, PayPal, GitHub, 1Password) offer passkey login. Still optional on most sites; password fallback remains.

When a site offers a passkey as an option, adopt it. It is both more secure and more convenient than a password. Keep a second authenticator (another device, a hardware key, or a synced passkey) registered so that losing one device does not lock you out.

5 password mistakes still costing people accounts

1. Password reuse. The single biggest cause of account compromise. One breached site = every account using the same password exposed via credential stuffing. Check yourself at haveibeenpwned.com.

2. Using personal info. Pets, birthdays, addresses are in your public profile and tried early in attacks.

3. Substitutions (@ for a, 3 for e). Common substitutions are baked into cracking tools. “P@ssw0rd” offers essentially zero extra protection over “password.”

4. Writing passwords in notes apps / emails / docs. Searchable, syncable, and often accessed from many devices including untrusted ones. Use a password manager.

5. Weak security questions. “Mother’s maiden name” is often public record or a social-media share. Answer security questions with random strings stored in your manager, not the truthful answer.
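Mistakes 2 and 3 above, as an added example that is not part of the original page: a checker that undoes common character substitutions, tries every decoding, strips trailing digits and symbols, and looks the result up in a word list, plus a check for known personal details. The word list and the profile details are constructed stand-ins; a real cracking rule set is far larger, which is the point: "P@ssw0rd123!" is caught here by eight lines of rules.

```python
import itertools
import string

# Common substitutions a cracking rule set tries. Each symbol maps to the
# letters it is typically standing in for; the literal symbol is also kept.
LEET = {
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "il", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "|": "l",
}
# Constructed tiny dictionary; real lists hold millions of entries.
WORDLIST = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "secret", "sunshine"}

MAX_VARIANTS = 4096  # bound the combinatorial expansion for long inputs


def decode_variants(password: str, limit: int = MAX_VARIANTS) -> set[str]:
    """All spellings obtained by reversing LEET substitutions, lowercased."""
    options = [(c,) + tuple(LEET.get(c, "")) for c in password.lower()]
    variants = set()
    for combo in itertools.product(*options):
        variants.add("".join(combo))
        if len(variants) >= limit:
            break
    return variants


def core_word(text: str) -> str:
    """Strip the digits and punctuation people append or prepend."""
    return text.strip(string.digits + string.punctuation)


def is_dictionary_based(password: str) -> tuple[bool, str]:
    """True if any substitution-decoded core is a dictionary word."""
    for variant in decode_variants(password):
        word = core_word(variant)
        if word in WORDLIST:
            return True, word
    return False, ""


def contains_personal_info(password: str, profile: list[str], min_len: int = 4) -> bool:
    """True if a profile token (pet, birth year, street) appears in any decoding."""
    tokens = {t.lower() for t in profile if len(t) >= min_len}
    return any(tok in variant for variant in decode_variants(password) for tok in tokens)


def weak_reasons(password: str, profile: list[str] = ()) -> list[str]:
    reasons = []
    hit, word = is_dictionary_based(password)
    if hit:
        reasons.append(f"substitution variant of dictionary word '{word}'")
    if contains_personal_info(password, list(profile)):
        reasons.append("contains personal information")
    return reasons


if __name__ == "__main__":
    # Constructed profile: the kind of detail a social-media page gives away.
    profile = ["Whiskers", "1987", "Elm Street"]
    for pw in ["P@ssw0rd", "P@ssw0rd123!", "Wh15k3rs1987!", "xK9#mQ2$vL8@pR4!"]:
        print(f"{pw:18s} {weak_reasons(pw, profile) or 'no dictionary/profile hit'}")
```

The last candidate survives only because it is random; the checker says nothing about entropy, which is the job of a length-based estimate, not a word list.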

Password recovery plan

Lock yourself out of the password manager and you’re locked out of everything. Plan:

Backup codes for MFA, printed and stored physically (safe, safe deposit box).

Second hardware key registered on critical accounts in case the primary is lost.

Emergency access feature (1Password, Bitwarden offer this) granting a trusted person access after a delay.

Recovery kit for the password manager itself, stored offline.

Run the numbers

Generate strong random passwords with the password generator. Pair with the password breach checker to confirm your passwords haven’t appeared in known leaks, and the password strength checker to gauge entropy before adopting a password.
