Guide

How to Choose a Strong Password in 2026 — A Practical Guide

What makes a password actually strong, what just looks strong, and the small set of rules that matter.

By Mayank Rai · Updated May 4, 2026

Password advice on the internet has been wrong in slightly different ways for thirty years. The infamous "eight characters with one uppercase, one number, and one symbol" rule was an accident — it came from a 2003 NIST guideline whose author later said publicly that he regretted writing it. The 2017 update reversed it. In 2026, what works is almost the opposite of what websites still nag you to do.

This guide explains what actually makes a password strong, why traditional advice was wrong, and how to set yourself up so the answer to "what's a good password?" becomes "I don't know, my password manager generated it."

The only thing that matters: entropy

Password strength is measured in entropy, expressed in bits. One bit of entropy is one yes/no decision an attacker has to make. A password with 60 bits of entropy means an attacker has to make 2^60 guesses on average to find it — about a quintillion attempts.

Entropy depends on two things: how many possible characters you draw from, and how long the password is. Length matters more than complexity: the number of guesses grows exponentially with length, so doubling the length doubles the bits of entropy. Adding one character class (e.g., adding digits to a previously all-lowercase password) adds a few bits, but lengthening the password by a few characters adds many more.

Concrete numbers, assuming truly random selection from the character set:

  • 8 characters, lowercase only: ~38 bits. Crackable by a dedicated attacker in hours.
  • 8 characters, mixed case + digits + symbols: ~52 bits. Crackable in days to weeks.
  • 16 characters, lowercase only: ~75 bits. Currently safe.
  • 16 characters, mixed case + digits + symbols: ~104 bits. Solidly safe.
  • 5-word passphrase from a 7,776-word list: ~64 bits. Safe and memorable.
  • 7-word passphrase: ~90 bits. Comfortable margin.

The key word is "truly random." A 16-character password you invented yourself is almost certainly not 75 bits — it is much weaker, because human-chosen passwords cluster around predictable patterns.
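The figures in the table above, recomputed as an added example (not code from this guide): `entropy_bits` is the length times log2 of the alphabet size, and `length_beats_classes` shows why two extra characters beat an extra character class. The 95-symbol alphabet assumed here is printable ASCII including space; the guide's own figures are rounded.

```python
import math

# Alphabet sizes used in the guide's table: lowercase letters, and the full
# printable ASCII set (95 symbols including space).
ALPHABETS = {"lowercase": 26, "mixed case + digits + symbols": 95}
DICEWARE_LIST = 6 ** 5  # 7776 words, one per roll of five dice


def entropy_bits(choices: int, length: int) -> float:
    """Bits for `length` symbols drawn uniformly at random from `choices`
    options: log2(choices ** length) = length * log2(choices)."""
    return length * math.log2(choices)


def average_guesses(bits: float) -> float:
    """A brute-force search expects to hit the answer halfway through 2**bits."""
    return 2.0 ** (bits - 1)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average wall-clock time for an attacker at the given guess rate."""
    return average_guesses(bits) / guesses_per_second


def strength_table() -> dict:
    """Recomputes the guide's table of bit counts, to one decimal place."""
    return {
        "8 lowercase": round(entropy_bits(26, 8), 1),
        "8 full ASCII": round(entropy_bits(95, 8), 1),
        "16 lowercase": round(entropy_bits(26, 16), 1),
        "16 full ASCII": round(entropy_bits(95, 16), 1),
        "5 diceware words": round(entropy_bits(DICEWARE_LIST, 5), 1),
        "7 diceware words": round(entropy_bits(DICEWARE_LIST, 7), 1),
    }


def length_beats_classes(length: int = 8) -> dict:
    """Adding the ten digits to a lowercase alphabet versus adding two more
    lowercase characters at the same alphabet: the extra characters win."""
    return {
        "lowercase": entropy_bits(26, length),
        "add digits": entropy_bits(36, length),
        "add two chars": entropy_bits(26, length + 2),
    }
```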

Why human-chosen passwords are weak

When humans choose passwords, we draw from a remarkably small effective alphabet. Studies of leaked password databases show that the most common "strong-looking" passwords cluster around a few patterns: a base word with leetspeak substitutions (P@ssw0rd), a name and a year (Sarah1995), a base word with an exclamation mark (Welcome1!). Cracking tools enumerate these patterns first, and they hit a high success rate fast.

The mathematical entropy of P@ssw0rd looks fine if you compute it as "random selection from 70+ characters across 8 positions," about 49 bits. But the actual entropy from an attacker's perspective is more like 12 bits — a dictionary-attack tool tries the obvious leetspeak variants of common words first, and P@ssw0rd is in the first thousand attempts.

This is the deepest problem with password rules: they push humans toward predictable patterns. Forcing a digit makes everyone add a digit at the end. Forcing a symbol makes everyone use ! at the end. The rules increase the apparent character set without meaningfully increasing the search space the attacker actually explores.

The two strategies that actually work

1. Generated passwords + password manager

Use a password manager to generate and store unique random passwords for every site. Each password is 20+ characters, drawn from the full printable-ASCII range. You don't memorise them; you don't even see them. The password manager fills them in. Your only memorised secret is the master password for the manager itself.

This is the right strategy for almost everyone in 2026. The password manager handles the "unique per site" requirement (which is essential — credential stuffing from leaked databases is the most common attack today). It handles the "truly random" requirement. It handles the "long enough" requirement. The user's job becomes: protect the master password and the device the manager runs on.

2. Diceware passphrases

For the few passwords you actually need to memorise (your password manager's master password, your laptop's login, your phone's unlock), use diceware. Pick five to seven random words from a curated list of about 7,776 words. "correct horse battery staple" is the famous example, though the original concept goes back to 1995.

A 6-word diceware passphrase has about 77 bits of entropy. It's as strong as a 12-character mixed-character password and dramatically easier to remember. The cost is that it's longer to type, which is why it's the right choice for the password-manager master password (typed maybe once a day) and the wrong choice for individual website passwords (which the manager fills in).

The critical detail: the words must be picked randomly. Choosing words that "feel random" produces patterns. Use a generator (or actual dice if you're paranoid) to pick from the wordlist.
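An added example (not the guide's code) of the diceware procedure: five CSPRNG dice rolls select one entry of a 7,776-entry list, exactly as five physical dice would. The wordlist here is a constructed placeholder of numbered tokens; substitute a real 7,776-word list keyed "11111" to "66666".

```python
import secrets

WORDLIST_SIZE = 6 ** 5  # 7776 entries, one per five-dice roll

# Constructed placeholder wordlist: entry i is just "w<i>". A real diceware
# list has 7776 memorable words in the same order as the dice strings.
CONSTRUCTED_WORDLIST = [f"w{i:04d}" for i in range(WORDLIST_SIZE)]


def roll_dice(n: int = 5) -> str:
    """Five rolls from the OS CSPRNG, as the string a dice user would look up."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def dice_to_index(rolls: str) -> int:
    """Map '11111'..'66666' to 0..7775: the rolls are base-6 digits 1-6."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("need exactly five digits in the range 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def lookup(rolls: str, wordlist=CONSTRUCTED_WORDLIST) -> str:
    """The word a given dice string selects."""
    return wordlist[dice_to_index(rolls)]


def generate_passphrase(words: int = 6, wordlist=CONSTRUCTED_WORDLIST) -> str:
    """Each word is an independent five-dice roll; no human choice anywhere."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError("wordlist must have exactly 7776 entries")
    return " ".join(lookup(roll_dice(), wordlist) for _ in range(words))


if __name__ == "__main__":
    print(generate_passphrase(6))
```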

What the rules should actually be

NIST's 2017 SP 800-63B (still current with minor updates) flipped the old rules:

  • Allow passwords up to at least 64 characters. Don't cap them shorter than that.
  • Allow all printable ASCII characters, including spaces.
  • Don't force composition rules (uppercase, digits, symbols). They make passwords weaker by pushing toward predictable patterns.
  • Don't force periodic password changes. They cause users to rotate through small variations of the same password.
  • Do reject passwords that appear in known breach databases. (Have I Been Pwned's Pwned Passwords API is the standard service for this.)
  • Do reject obvious dictionary words and patterns.

Sites that still enforce 1990s composition rules are doing security theatre. Many haven't updated because changing the rule annoys existing users.
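As an added example (not the guide's or NIST's code) of the rules above: a checker with a length floor, no composition rules, spaces and long passwords accepted, a decorated-dictionary-word check, and a breach check in the k-anonymity style of the Pwned Passwords range API. The breach corpus, the dictionary and the `constructed_range_lookup` server stand-in are constructed so the block runs offline.

```python
import hashlib
import string

# Constructed stand-ins for the two corpora the rules need. In production the
# breach lookup is a call to the range API; this block never goes online.
CONSTRUCTED_BREACHED = {"P@ssw0rd": 12345, "Welcome1!": 678, "Sarah1995": 9}
CONSTRUCTED_DICTIONARY = {"password", "welcome", "letmein", "qwerty"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(prefix5: str) -> str:
    """Server side of the k-anonymity scheme: for a 5-hex-char prefix, return
    'SUFFIX:COUNT' lines for every breached hash that starts with it."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix5):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def is_breached(password: str, range_lookup=constructed_range_lookup) -> bool:
    """Client side: only the first 5 hex chars of the SHA-1 leave the client;
    the remaining 35 are matched locally against the returned candidates."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(line.split(":", 1)[0] == suffix
               for line in range_lookup(prefix).splitlines() if line)


def is_decorated_dictionary_word(password: str) -> bool:
    """Undo the usual decoration (trailing digits/symbols, leetspeak) and
    compare the core against the dictionary, as cracking rules would."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    core = core.translate(str.maketrans("@0134$!", "aoleasi"))
    return core in CONSTRUCTED_DICTIONARY


def validate_password(password: str) -> list:
    """Returns rule violations (empty list = accepted). Deliberately absent:
    composition rules, a short maximum length, and a ban on spaces."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 128:  # well above the 64-character floor
        problems.append("longer than 128 characters")
    if not all(c.isprintable() for c in password):
        problems.append("contains control characters")
    if is_breached(password):
        problems.append("appears in a breach corpus")
    elif is_decorated_dictionary_word(password):
        problems.append("is a dictionary word with trivial decoration")
    return problems
```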

Where rotating passwords still makes sense

Two cases: when there's reason to suspect the password has been compromised (a known breach, a phishing scare, a lost device), and for shared accounts where someone might leave the team. For everything else, frequent rotation harms security more than it helps.

Two-factor authentication

Even a strong password can be phished or leaked. Two-factor authentication (2FA) is the second line of defence. Hierarchy of options, best to worst:

  1. Hardware keys (FIDO2/WebAuthn): a YubiKey or equivalent. Phishing-resistant by design — the key only releases its credential to the exact domain it was registered with. The right choice for high-value accounts.
  2. Passkeys: the device-bound or synced version of WebAuthn, supported on Apple, Google, and Microsoft platforms. Same phishing resistance, no extra hardware.
  3. Authenticator apps (TOTP): Google Authenticator, Authy, 1Password's built-in, Aegis. Generates a 6-digit code that changes every 30 seconds. Phishable (attacker proxies the code in real-time) but blocks bulk attacks effectively.
  4. SMS codes: SIM swaps make this unreliable. Better than nothing, worse than the others. Avoid for high-value accounts.

The credential-stuffing problem

The single largest source of compromised accounts in 2026 is not weak passwords at the target site. It's strong passwords reused across sites, where one of those sites had a breach and the leaked credentials are now being tried everywhere else. This is why password reuse is the actual security issue — it converts every site's breach into a breach of every other site you used the same password on.

A password manager solves this completely if you let it: every site gets a unique password, leaks of one site don't affect any other.

Common mistakes to avoid

  • Reusing the same password (or a small variation) across sites.
  • Storing passwords in browser autofill without a master password (some browsers do this poorly).
  • Using personal information (birthdate, pet name, hometown) as part of the password — all easily found on social media.
  • Trusting "security questions" (mother's maiden name, etc.) — most are public records. Treat them as additional passwords; generate random answers and store them.
  • Sending passwords over chat or email. Use a password manager's sharing feature, or a one-time-use service.

Tooling

For generating one-off passwords, Toolkiya's password generator runs in your browser using crypto.getRandomValues — the same secure random source the major password managers use. The generated password is never sent to any server. For everyday use, though, the right answer is to install a password manager (1Password, Bitwarden, KeePassXC) and let it generate, store, and fill passwords automatically.

Closing thought

The strong-password-of-2026 problem is mostly solved. Use a password manager. Use strong, unique passwords for every site. Use diceware for the master password. Enable hardware-key or passkey 2FA on important accounts. The remaining work is just being patient with the few sites still enforcing rules from 2003.


Built & maintained by Mayank Rai

Solo developer based in Lucknow, India · Last updated May 4, 2026
