OffCloud.tools

20 April 2026 · 10 min read

What makes a strong password in 2026? The actual answer from a password researcher

NIST updated its password guidance. Here's what it means for you, why length beats complexity, and how passphrases give you security that's actually memorable.



For two decades, the conventional wisdom on passwords was wrong. "At least 8 characters including uppercase, lowercase, a number, and a symbol" produced passwords like Tr0ub4dor&3 — hard to remember, moderately easy to crack with a modern GPU, and nearly impossible to type on a phone without mistakes.

In 2024, NIST published a significant revision to its password guidance. Here is what changed, why it matters, and what you should actually do.

What NIST actually says about passwords in 2024

NIST Special Publication 800-63B, the US government's digital identity guidelines, is updated periodically. The 2024 revision made these changes:

Dropped mandatory complexity rules. NIST no longer recommends requiring uppercase letters, numbers, or symbols as mandatory components. These rules push users toward predictable substitutions (the letter O becomes 0, the letter A becomes @) that crackers exploit. A requirement for "at least 1 uppercase" does not increase security; it narrows the space of likely password patterns, which can actually help an attacker.

Prioritised length. The minimum recommended length is 8 characters for user-chosen passwords, but NIST explicitly recommends allowing and encouraging much longer passwords — up to 64 characters. The guidance specifically encourages passphrases (word sequences) as a good way to achieve length with memorability.

Deprecated periodic rotation. Requiring users to change passwords every 90 days — a policy that was nearly universal in corporate environments — is no longer recommended. Users who are forced to change passwords predictably increment them (Password1!, Password2!) or cycle through a small set of remembered passwords. NIST now recommends only requiring a change if there is evidence the password has been compromised.

Recommended breach checking. Passwords should be checked against databases of known compromised passwords (from past data breaches). Services like Have I Been Pwned provide this programmatically. A password that appears in known breach databases should be rejected regardless of how long or complex it is.

Why length beats complexity

The security of a password is measured in bits of entropy: the base-2 logarithm of the number of equally likely values a password of this type and length can take. Each extra bit doubles the number of guesses an attacker must make on average.

For a random 8-character password using uppercase, lowercase, digits, and 32 common symbols plus the space character (95 printable ASCII characters): 95^8 ≈ 6.6 × 10^15 possible passwords ≈ 52 bits of entropy.

For a random 16-character lowercase-only password: 26^16 ≈ 4.4 × 10^22 possible passwords ≈ 75 bits of entropy.

The 16-character lowercase password is more secure than the 8-character mixed-case-plus-symbols password, despite seeming simpler. It has more than 6 million times as many possible values.

For a 4-word passphrase from a 7,776-word Diceware list: 7776^4 ≈ 3.6 × 10^15 possible passphrases ≈ 52 bits of entropy. Add a 5th word: 7776^5 ≈ 2.8 × 10^19 ≈ 64 bits.

The conclusion: at equivalent length, complexity helps. But adding length is almost always more effective than adding complexity requirements.

Passphrases: the best of both worlds

A passphrase is a sequence of random words: Correct-Horse-Battery-Staple, Tiger-Algebra-Crisp-Nova-Railway, blanket-torch-obvious-spanner. The concept was popularised by Randall Munroe's XKCD comic 936 (2011), which showed mathematically that a 4-word random passphrase is more secure than a typical 8-character complex password — and vastly easier to remember.

The key word is random. "My dog loves walks" is not a secure passphrase because it is predictable. A secure passphrase must be drawn from a large wordlist using a random process.

Diceware is the traditional method: use physical dice to roll random indices into a wordlist of 7,776 words (6^5 = 7,776). Rolling five dice gives a five-digit base-6 index that selects one word; repeat the roll 4–5 times for a 4–5-word passphrase. The Electronic Frontier Foundation publishes a free Diceware wordlist.

OffCloud.tools Password Generator implements this electronically: select Passphrase mode, choose word count and separator, and click Generate. The tool uses crypto.getRandomValues to draw random indices into the EFF wordlist — equivalent to dice-based Diceware but faster.

Use passphrases for:

  • Your password manager master password (the one you must remember)
  • Device login password (you type this manually, sometimes under pressure)
  • Any account where you need to type the password from memory

Use a random password (all character types, 20+ characters) for everything else — let your password manager store and fill it.

What makes a password weak

Dictionary words, even with substitutions. p@ssw0rd, tr0ub4d0r, S3cur!ty2024 — all of these are in modern cracking wordlists. Attackers use rule-based mutation (replace 'a' with '@', 'o' with '0', append common years) and can try billions of mutated dictionary words per second with modern hardware.

Personal information. Birthdays, pet names, street names, children's names — all are predictable. Attackers who know anything about a target try these first.

Reuse across accounts. A password that is strong in isolation becomes weak if you use it everywhere. When any one site is breached (and sites are breached regularly), credential stuffing attacks try the leaked username/password combination on every other major service automatically.

Password patterns. Corporate password rotation policies produce predictable patterns: Winter2024!, Spring2024!, Summer2024!. Attackers know these patterns.

The practical approach: a password manager and one strong master password

You do not need to memorise dozens of strong passwords. You need to memorise one: the master password for your password manager.

Everything else — the 40 or 200 accounts you have — gets a unique, randomly generated 20-character password stored in the manager. You never type these passwords; the manager fills them. They cannot be guessed because you never knew them, and they are not reused because the manager generates a new one for every account.

For the master password, use a 5-word passphrase. Write it down and store it somewhere secure (not on your desk; perhaps in a locked drawer or safe). Memorise it through regular use over the first week — you will type it daily.

Good password managers:

  • Bitwarden — open source, free tier includes everything most users need, cross-platform, self-hostable.
  • 1Password — polished interface, family plans, strong security track record, paid.

How to generate a secure password with OffCloud.tools

  1. Navigate to OffCloud.tools Password Generator.
  2. For a random password: choose Random mode, set length to 20+ characters, include all character types. Click Generate.
  3. For a passphrase: choose Passphrase mode, set 5 words, choose a separator (hyphen, space, or none), optionally capitalise first letters. Click Generate.
  4. Review the strength meter. A 20-character random password and a 5-word passphrase should both show Very strong.
  5. Copy to clipboard and paste directly into your password manager or into the password field.

The generator runs entirely in your browser. The password is not transmitted to any server.

External resources