What Actually Makes a Password Strong?

Forget everything you learned from those old "use uppercase, lowercase, number, symbol" rules. Password length is far more important than complexity, and the latest NIST guidelines (SP 800-63B, updated 2024) have fundamentally changed best practices.
The Updated NIST Password Guidelines (2024)
NIST (the US National Institute of Standards and Technology) updated its digital identity guidelines significantly. Key changes:
- Minimum 15 characters for memorised passwords (was 8)
- No mandatory complexity rules: stop forcing symbols/numbers if users don't want them
- No mandatory periodic rotation: don't force password changes every 90 days unless there's evidence of compromise
- Check against breached password lists: reject passwords known to appear in data breaches
- Allow copy-paste: don't block pasting from a password manager
- Support long passwords: allow at least 64 characters
Password Strength: The Real Metrics
Entropy Is What Matters
Password strength is measured in bits of entropy: the base-2 logarithm of the number of possible combinations an attacker must try. Each extra bit doubles that number, so more entropy means exponentially longer to crack.
| Password type | Example | Entropy | Crack time* |
|---|---|---|---|
| 6-char lowercase | qwerty | 28 bits | <1 second |
| 8-char mixed | P@ssw0rd | 52 bits | Minutes |
| 12-char random | xK9#mPqL2vNr | 79 bits | Months |
| 4-word passphrase | correct horse battery staple | 44 bits | Days |
| 16-char random | Kx7$mP2qNvLrWj4& | 105 bits | Billions of years |
| Password manager generated | xT9@kLmP3qNvWj7&RsBcYe | 140+ bits | Heat death of the universe |
*Assuming 10 billion guesses per second (current GPU speeds)
Length Beats Complexity
A 20-character lowercase password has more entropy than an 8-character password using all character types. Here's why: adding one character multiplies the search space by 26 (or 62 for alphanumeric, or 95 for all printable ASCII). Length compounds exponentially.
Passphrases: An Alternative Worth Considering
A passphrase is a sequence of random common words: "umbrella forest delta cookie". It's:
- Easier to remember than random characters
- Long enough to be strong (25+ characters, ~50+ bits of entropy with 4 words)
- Easy to type on mobile
The catch: the words must be truly random (not a phrase that means something to you). Use a tool like Diceware to generate genuinely random passphrases. You can check passphrase strength with our Password Strength Checker.
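The arithmetic behind "length beats complexity" and the passphrase figures above, as an added example (not code from the article or its tools): entropy is length times log2 of the alphabet size, whether the "alphabet" is 26 letters, 95 printable characters, or a 7776-word Diceware list, and the crack times use the table's assumed 10 billion guesses per second.

```javascript
// Added example, not from the article: entropy of random passwords and
// passphrases, and the worst-case time to exhaust that search space at the
// article's assumed 10 billion guesses per second.
const GUESSES_PER_SECOND = 1e10;

// Each extra character multiplies the search space by the alphabet size,
// so entropy in bits grows linearly: length * log2(alphabetSize).
function charEntropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// A passphrase of wordCount words chosen uniformly from a list of listSize
// words (Diceware lists have 7776 = 6^5 entries) works the same way.
function passphraseEntropyBits(wordCount, listSize) {
  return wordCount * Math.log2(listSize);
}

// Seconds to try every candidate in a space of `bits` bits (worst case).
function exhaustiveSearchSeconds(bits, rate = GUESSES_PER_SECOND) {
  return Math.pow(2, bits) / rate;
}

// Coarse human-readable duration, enough to compare rows like the table's.
function humanDuration(seconds) {
  const units = [["years", 365.25 * 86400], ["days", 86400],
                 ["hours", 3600], ["minutes", 60], ["seconds", 1]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return "under a second";
}

// Alphabet sizes the article quotes: lowercase 26, alphanumeric 62, printable ASCII 95.
const ALPHABETS = { lowercase: 26, alphanumeric: 62, printable: 95 };

// Length beats complexity: 20 lowercase characters vs 8 from all 95 printable ones.
function compareLengthVsComplexity() {
  const longLower = charEntropyBits(20, ALPHABETS.lowercase); // ~94.0 bits
  const shortFull = charEntropyBits(8, ALPHABETS.printable);  // ~52.6 bits
  return { longLower, shortFull, longerWins: longLower > shortFull };
}

const { longLower, shortFull } = compareLengthVsComplexity();
console.log(`20 lowercase: ${longLower.toFixed(1)} bits, 8 printable: ${shortFull.toFixed(1)} bits`);
for (const n of [4, 6]) { // 4 Diceware words ~51.7 bits, 6 words ~77.5 bits
  const bits = passphraseEntropyBits(n, 7776);
  console.log(`${n}-word Diceware passphrase: ${bits.toFixed(1)} bits, ` +
              `exhaustive search ${humanDuration(exhaustiveSearchSeconds(bits))}`);
}
```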
The Golden Rules
- Use a password manager. 1Password, Bitwarden, or KeePass. Let it generate and remember all passwords.
- Every account gets a unique password. Password reuse is the single biggest vulnerability pattern.
- Minimum 15 characters for generated passwords; aim for 20+.
- Enable 2FA on every account that supports it. A stolen password is useless if 2FA blocks access.
- Never use personal information: birthdays, names, pet names, or favourite teams. All of this is on social media.
- Never reuse your email password. Your email is the master key; it resets everything else.
Passwords You Should Never Use
Attackers use "dictionary attacks", trying millions of common passwords before random ones. Avoid anything that appears in breach databases:
- Any word from a dictionary in any language
- Names + numbers (John1990, Sarah2024)
- Keyboard patterns (qwerty, 123456, asdfgh)
- Common substitutions (p@ssw0rd, H3llo)
- Anything in the HaveIBeenPwned password database (600 million entries)
How to Generate a Strong Password Right Now
Our free Password Generator creates cryptographically random passwords using crypto.getRandomValues(), the same API browsers use for security-critical operations. Choose your length and character set, then use the result in your password manager.
After generating, check its strength with our Password Strength Checker: it analyses entropy and estimates crack time without sending your password to any server.
Frequently Asked Questions
Should I change my password regularly?
No, unless you have reason to believe it's been compromised. The old "change every 90 days" rule is explicitly rejected by current NIST guidelines. Regular forced changes lead users to make predictable modifications (Password1 → Password2) that are easily guessed.
Is it safe to let my browser save passwords?
Better than reusing weak passwords, but much worse than a dedicated password manager. Browser password stores vary in quality and sync security. For anything sensitive (banking, email), use a dedicated password manager with a strong master password and 2FA.
How long should a password be?
For randomly generated passwords: 16+ characters is excellent. For passphrases: 4+ random words. For your master password manager password: 20+ characters or a strong passphrase (since you need to memorise it and it protects everything).
What's the best free password manager?
Bitwarden is open source and fully audited, its free tier covers most needs, and it is available on all platforms. KeePassXC is a strong open-source offline alternative if you don't want cloud sync.
Can a password manager be hacked?
Yes: LastPass experienced a significant breach in 2022. However, a good password manager stores your vault encrypted with a key derived from your master password using strong key derivation (Argon2, PBKDF2), so a breach of the server doesn't immediately expose your passwords. The risks of using a password manager are still much lower than the risks of reusing simple passwords.