Strong Password Rules in 2026: What Actually Makes a Password Secure

What makes a password strong?

A strong password has three properties: length, randomness, and uniqueness.

Length matters more than any other single factor. A 16-character random password has approximately 80–105 bits of entropy with mixed character types. A 20-character password is exponentially harder to crack. Adding one character multiplies the attack space by the size of the character set — roughly 95x for full printable ASCII.

Randomness means unpredictability. Dictionary words, names, and dates are weak even when combined with symbols. "Summer2024!" is broken in seconds by modern hardware. A randomly generated string of 16 characters is not.

Uniqueness means a different password for every account. If you reuse passwords and one service is breached, all your accounts using that password are at risk — a technique called credential stuffing.

Current NIST guidelines (SP 800-63B, 2024)

The National Institute of Standards and Technology publishes the most widely followed password guidance. The 2024 update to Special Publication 800-63B makes several evidence-based changes that contradict the older advice many people still follow.

NIST now recommends a minimum length of 8 characters as a floor — not a target. Security professionals recommend 16 or more. NIST explicitly drops mandatory rotation: do not force regular password changes unless there is evidence of compromise. The old 90-day rotation rule led to predictable patterns like Summer2024 → Fall2024 → Winter2025.

NIST also drops complexity rules as a requirement. Long, random passwords are more secure than short, complex ones. The guidance also requires that new passwords be screened against known breached password lists and that systems allow all printable ASCII and Unicode characters including spaces.

Password entropy explained

Entropy measures password unpredictability in bits. The formula is E = log2(N^L) where N is the number of possible characters per position and L is the password length.

An 8-character password using only lowercase letters has approximately 38 bits of entropy — breakable by modern hardware in hours. A 12-character password using letters and digits has approximately 71 bits — taking years with a single GPU. A 16-character password using all printable ASCII characters has approximately 105 bits — beyond practical attack reach with current technology.

Aim for at least 80 bits of entropy for general accounts. For critical accounts like email, banking, and your password manager master password, target 100 bits or more.

How to manage strong passwords

No one can memorize a unique 16-character random password for every account. The solution is a password manager.

Bitwarden is open source, free for personal use, and cross-platform. 1Password is popular with teams and families and offers a paid subscription. Dashlane includes dark web monitoring. Apple Keychain and iCloud Keychain are built into Apple devices at no cost. Google Password Manager is built into Chrome and Android.

A password manager generates, stores, and auto-fills passwords. Your only job is to remember one strong master password for the manager itself. For that master password, use a passphrase: four or more randomly chosen words is long enough to be strong and memorable enough to actually remember.