Password security guidance has evolved significantly. The old rules, which required uppercase, lowercase, numbers, and symbols and forced a change every 90 days, have been replaced by evidence-based recommendations focused on length, uniqueness, and usability.
What Makes a Password Strong?
Password strength comes from entropy, a measure of how unpredictable the password is to an attacker. Strictly, entropy is a property of how the password was chosen, not of the string itself: a password of length L generated at random from an alphabet of N characters has L × log2(N) bits, while a human-chosen password has far less, because attackers try likely choices first. For randomly generated passwords, two factors determine entropy:
- Length: Each additional character exponentially increases possible combinations
- Character set: Using more character types (lowercase, uppercase, numbers, symbols) increases combinations per position
A 16-character lowercase password has more entropy than an 8-character password with mixed case and symbols: 16 × log2(26) ≈ 75 bits versus 8 × log2(95) ≈ 53 bits, assuming both are generated at random. Length beats complexity.
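The arithmetic above, carried through in code. This is an added example, not part of the original page or of any tool it describes; the guess rates for the crack-time estimate are assumed values, and the alphabet-size inference only makes sense for passwords a generator produced.

```python
import math
import string

# Character classes a random generator draws from; only their sizes matter for entropy.
# 26 + 26 + 10 + 32 = 94 printable ASCII characters (95 if space is allowed).
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Assumed guess rates (not from the page): roughly what a multi-GPU rig manages against
# a fast unsalted hash such as MD5/NTLM, and against a deliberately slow one such as bcrypt.
FAST_HASH_GUESSES_PER_SEC = 1e11
SLOW_HASH_GUESSES_PER_SEC = 1e5


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of `length` characters, each drawn uniformly from `charset_size` symbols."""
    if length <= 0 or charset_size <= 1:
        return 0.0
    return length * math.log2(charset_size)


def charset_size(password: str) -> int:
    """Size of the alphabet a generator must have used to produce every character seen.
    Only meaningful for randomly generated passwords: a human-chosen 'Summer2024!'
    covers all four classes but was drawn from a far smaller space of likely choices."""
    size = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    if " " in password:
        size += 1
    # Non-ASCII characters: no better estimate than the distinct characters actually used.
    size += len({c for c in password if c not in string.printable})
    return size


def describe(password: str) -> tuple[int, float]:
    """(alphabet size, entropy bits), assuming the password was generated at random."""
    n = charset_size(password)
    return n, entropy_bits(len(password), n)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space must be searched."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ["abcdefghijklmnop", "kX7#mP2$", "kX7#mP2$9Lq@nW4!"]:
        n, bits = describe(pw)
        fast_days = crack_time_seconds(bits, FAST_HASH_GUESSES_PER_SEC) / 86400
        slow_days = crack_time_seconds(bits, SLOW_HASH_GUESSES_PER_SEC) / 86400
        print(f"{pw:18} alphabet={n:3} bits={bits:6.1f} fast-hash={fast_days:.3g}d slow-hash={slow_days:.3g}d")
```

At the assumed fast-hash rate, 53 bits falls in under a day while 75 bits takes thousands of years; the same password behind a slow hash takes a million times longer, which is why the hashing algorithm on the server side matters as much as the password.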
Current Best Practices
Make It Long
Modern recommendations suggest a minimum of 12-16 characters. For high-value accounts, aim for 20+ characters. Each character you add makes brute-force attacks exponentially harder.
Use Passphrases
Random word combinations create memorable yet strong passwords:
correct-horse-battery-staple
purple-mountain-coffee-wizard
autumn-bicycle-quantum-forest
Four words drawn at random from a 7,776-word diceware list give about 52 bits, roughly the same as eight random printable characters, and are far easier to remember than a string like Xy7#mK9$pL2@ (which, at 12 random characters, actually carries about 79 bits). Five words (about 65 bits) or six (about 78 bits) are better for high-value accounts. The words must come from a random source such as dice or a generator, never from your own head, and a published example like correct-horse-battery-staple is in every cracking wordlist, so never use one.
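Generating a passphrase the way the entropy argument requires. This is an added example, not code from the page; the 16-word list is a constructed sample standing in for a real 7,776-word diceware list, and the entropy helpers take the list size as a parameter so the figures above can be checked.

```python
import math
import secrets

# Constructed sample wordlist. A real diceware list has 6**5 = 7,776 entries, one per
# outcome of five dice, which is what gives about 12.9 bits per word.
SAMPLE_WORDS = [
    "autumn", "bicycle", "quantum", "forest", "purple", "mountain", "coffee", "wizard",
    "river", "candle", "marble", "tiger", "seven", "lantern", "orbit", "pepper",
]
DICEWARE_LIST_SIZE = 6 ** 5


def bits_per_word(list_size: int) -> float:
    """Each word drawn uniformly from `list_size` choices adds log2(list_size) bits."""
    return math.log2(list_size)


def passphrase_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `word_count` independent draws; the length of the words is irrelevant."""
    return word_count * bits_per_word(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words that reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_word(list_size))


def diceware_index(rolls: tuple[int, ...]) -> int:
    """Map five dice rolls (each 1..6) to a wordlist index 0..7775 by reading them as base 6."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), with replacement so every draw is independent.
    random.choice is not acceptable here, and letting the user 'pick' the words destroys
    the entropy argument: it only holds when the source is uniform and outside their head."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} words from 7,776: {passphrase_bits(n):.1f} bits")
    print("need", words_needed(80), "words for 80 bits")
    print("sample:", generate_passphrase(5))
```

With the sample list the passphrase is only 4 bits per word, which is the point: the security comes from the size of the list and the number of draws, not from the words themselves.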
Make Every Password Unique
Never reuse passwords across sites. When one service gets breached (and they do, regularly), attackers try those credentials everywhere. Unique passwords contain the blast radius of any single breach.
Use a Password Manager
No one can remember unique, strong passwords for 100+ accounts. Password managers:
- Generate random passwords
- Store them securely
- Auto-fill across devices
- Alert you to breaches and reused passwords
Your password manager's master password should be your strongest password---a long passphrase you can remember.
What to Avoid
Dictionary words alone: "password", "sunshine", or "dragon" fall instantly to dictionary attacks.
Personal information: Birthdays, pet names, addresses, and phone numbers are easily researched.
Common substitutions: "p@ssw0rd" doesn't fool modern cracking tools. Their rule engines undo every letter-to-symbol swap and strip appended digits and symbols before comparing against the dictionary.
Keyboard patterns: "qwerty", "123456", and "asdfgh" are among the first guesses.
Previously breached passwords: Billions of passwords from past breaches are compiled into cracking dictionaries.
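What a rule-based cracker does with the patterns in this list, as an added example that is not part of the original page. The dictionary and substitution table are constructed samples; a real cracking run uses wordlists of hundreds of millions of entries and far larger rule sets, so anything this catches is caught instantly in practice.

```python
import re

# Constructed stand-in for a cracking dictionary.
DICTIONARY = {"password", "sunshine", "dragon", "monkey", "letmein", "welcome", "football"}

# Substitutions every rule set undoes. '1' is mapped to 'i' here; real rule sets try 'l' too.
LEET = str.maketrans({"@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "1": "i",
                      "!": "i", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "|": "l"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
TRAILING_JUNK = re.compile(r"[^a-zA-Z]+$")   # the '2023!' users append to satisfy a policy


def unleet(password: str) -> str:
    """Lowercase and reverse the common symbol/digit-for-letter substitutions."""
    return password.lower().translate(LEET)


def candidates(password: str) -> set[str]:
    """Base words a rule engine derives from one input and tests against its dictionary."""
    stripped = TRAILING_JUNK.sub("", password)
    return {
        password.lower(),
        unleet(password),
        unleet(stripped),
        TRAILING_JUNK.sub("", unleet(password)),
    }


def in_dictionary(password: str, dictionary=DICTIONARY) -> bool:
    return any(c in dictionary for c in candidates(password))


def keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if any `min_run` consecutive characters lie on one keyboard row, forwards or backwards."""
    pw = password.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    return any(pw[i:i + min_run] in row
               for i in range(len(pw) - min_run + 1) for row in rows)


def weaknesses(password: str) -> list[str]:
    """Reasons a cracker finds this password quickly; an empty list means none of these matched."""
    found = []
    if in_dictionary(password):
        found.append("dictionary word (after undoing substitutions and trailing digits/symbols)")
    if keyboard_walk(password):
        found.append("keyboard pattern")
    return found


if __name__ == "__main__":
    for pw in ["P@ssw0rd2023!", "5un5h1n3", "Dr4g0n!", "qwerty123", "autumn-bicycle-quantum-forest"]:
        print(f"{pw:32} {weaknesses(pw) or 'no pattern matched'}")
```

An empty result from `weaknesses` does not mean a password is strong; it only means none of these cheap rules hit. A randomly generated passphrase passes because it was never in the dictionary to begin with.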
Password Complexity Requirements Are Outdated
NIST's current guidelines (SP 800-63B) recommend against:
- Mandatory complexity requirements (uppercase, number, symbol)
- Periodic password rotation
- Password hints
These policies frustrate users into creating weaker passwords. A user forced to include symbols often just adds "!" at the end. Required rotation leads to "Password1", "Password2", "Password3".
Instead, NIST recommends:
- Checking new passwords against a blocklist of known breached, commonly used, and context-specific values (the service name, the username)
- Requiring at least 8 characters and accepting at least 64, including spaces and any printable Unicode, so long passphrases work
- Rate-limiting failed login attempts
- Only requiring a password change when there is evidence of compromise
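A verifier-side policy that follows these recommendations rather than the old composition rules, as an added example not taken from the page or from NIST. The blocklist is a constructed sample, and the "range" lookup is a constructed stand-in for the Pwned Passwords k-anonymity API (a real client sends only the first five hex characters of the SHA-1 hash to `https://api.pwnedpasswords.com/range/<prefix>` and matches the suffix locally); the breach count for "password" is made up, the hash itself is not.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8       # SP 800-63B: user-chosen passwords must be at least 8 characters
MUST_ACCEPT = 64     # ...and the verifier must accept at least 64; no composition rules
LOCAL_MAX = 256      # assumed local cap to bound slow-hash cost; not a NIST number

# Constructed blocklist standing in for a corpus of common and breached passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "sunshine", "dragon", "password1"}

# Constructed stand-in for the range endpoint's "SUFFIX:COUNT" lines for one prefix.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts are invented.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
             "0123456789ABCDEF0123456789ABCDEF012:17\n",
}


def normalize(password: str) -> str:
    """SP 800-63B: apply Unicode normalization (NFKC or NFC) before hashing or comparing,
    so the same password typed from different keyboards compares equal."""
    return unicodedata.normalize("NFKC", password)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET; only these 5 hex characters would leave the client."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch=fetch_range) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def evaluate(password: str, username: str = "", fetch=fetch_range) -> list[str]:
    """Reasons a NIST-style verifier rejects the password; an empty list means accept.
    Deliberately absent: uppercase/digit/symbol rules, expiry, and hints."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > LOCAL_MAX:
        problems.append(f"longer than the local limit of {LOCAL_MAX} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("on the common-password blocklist")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")   # context-specific values are blocklisted too
    seen = breach_count(pw, fetch)
    if seen:
        problems.append(f"appears {seen} times in known breaches")
    return problems


if __name__ == "__main__":
    for pw in ["password", "short1", "autumn bicycle quantum forest"]:
        print(f"{pw!r}: {evaluate(pw) or 'accepted'}")
```

Note what the policy does not do: "autumn bicycle quantum forest" has no uppercase, digit or symbol and is accepted, while "P@ssw0rd!" would only be rejected if the blocklist or breach corpus contains it, which with real data it does.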
Multi-Factor Authentication
Even the strongest password provides only one layer of defense. Enable MFA wherever available:
- Authenticator apps (Google Authenticator, Authy) are more secure than SMS, but their one-time codes can still be phished and relayed in real time
- Hardware keys (YubiKey, Titan) provide the strongest protection: a FIDO2/WebAuthn credential is bound to the site's origin, so a look-alike phishing site cannot use it
- SMS codes are better than nothing but vulnerable to SIM swapping and interception
MFA means a stolen password alone is not enough to get in. It is not absolute, so for important accounts prefer the phishing-resistant option, a hardware key, over codes that a user can be tricked into typing.
Testing Your Passwords
Use our Password Strength Checker to evaluate your passwords:
- Get an entropy score
- See estimated crack time
- Check against common patterns
- Receive specific improvement suggestions
The tool runs entirely in your browser---your passwords are never transmitted.
Quick Reference
| Password Type | Example | Entropy (bits, if generated at random) | Strength |
|---|---|---|---|
| Common word | sunshine | far below 20 (it is in every wordlist) | Very Weak |
| With substitutions | 5un5h1n3 | about the same (cracking rules undo substitutions) | Weak |
| Random 8-char | kX7#mP2$ | ~53 | Moderate |
| 4-word passphrase | autumn-bicycle-quantum-forest | ~52 | Moderate |
| 5-word passphrase | purple-mountain-coffee-wizard-seven | ~65 | Strong |
| Random 16-char | kX7#mP2$9Lq@nW4! | ~105 | Very Strong |
Bit figures assume uniform random choice from the 95 printable ASCII characters or a 7,776-word list; a password or phrase you choose yourself has much less. Eight random characters and four random words are about equal in entropy; the passphrase wins on memorability, and each extra word adds about 13 bits.
Key Takeaways
- Length over complexity: 16+ characters beats 8 complex characters
- Use passphrases: Random words are memorable and strong
- Never reuse: Every account gets a unique password
- Use a password manager: Essential for managing unique passwords
- Enable MFA: Passwords alone aren't enough for important accounts
Strong passwords are your first line of defense. Make them long, make them unique, and let a password manager handle the complexity.