Most password advice is stuck in 2010. "Use an uppercase letter, a number, and a symbol." That rule was always more about checking compliance boxes than keeping accounts safe. Here's what actually matters.
Entropy is the only metric that counts
Password strength comes down to one number: bits of entropy. Entropy measures how many guesses an attacker would need to try, on average, to crack your password. The formula is straightforward:
entropy = length × log₂(charset size)
A 12-character password drawn from lowercase letters (26 characters) has about 56 bits of entropy. The same 12 characters drawn from lowercase + uppercase + digits + symbols (roughly 95 printable ASCII characters) has about 79 bits. But here's the kicker: a 20-character lowercase-only password has 94 bits. Longer and easier to type.
Length scales linearly. Charset size scales logarithmically. Adding one character to your password always does more than adding one symbol to your charset. A 16-character passphrase made of random lowercase words will beat an 8-character password stuffed with !@#$ every single time.
The current threshold for "basically uncrackable by brute force" is around 80 bits. That's 80 bits against offline attacks where an adversary has stolen a hashed password database and is running billions of guesses per second on a GPU cluster. Above 100 bits, you're safe against anything foreseeable.
Why complexity rules fail
The "must include uppercase, digit, and symbol" requirement was introduced by NIST in 2004 and formally retracted in 2017. Here's what went wrong:
People satisfy the rules in predictable ways. When forced to include a capital letter, most people capitalize the first character. Forced to add a digit? They append 1 or their birth year. Forced to add a symbol? ! at the end. Attackers know these patterns intimately and try them first.
A password like Sunshine2026! technically passes every complexity rule. It has 13 characters, mixed case, a digit, and a symbol. But any competent password cracking tool will try it within the first few million guesses because it's a dictionary word with predictable mutations.
The 2017 NIST SP 800-63B revision dropped mandatory complexity rules entirely. Their updated guidance: require length (minimum 8, recommend 15+), screen against known-breached passwords, and stop forcing periodic rotation. Most of the security community agreed it was overdue.
The mistakes people still make
Using dictionary words with simple substitutions. "p@ssw0rd" was cracked in the 1990s. L33tspeak substitutions (a→@, e→3, o→0, s→$) add approximately zero entropy because every cracking tool applies these rules automatically. If you can describe the substitution pattern in a sentence, so can an attacker.
Reusing passwords across sites. This is the single biggest vulnerability for most people. When LinkedIn's password database was breached in 2012, attackers used those credentials to break into unrelated accounts — email, banking, everything. Credential stuffing attacks test stolen username/password pairs against hundreds of services automatically. One breach compromises every account sharing that password.
Using personal information. Pet names, birthdays, anniversaries, kids' names, street addresses — all of this is guessable or publicly available. Social media makes it worse. The attacker doesn't need to know your dog's name personally; they just need to scrape your Instagram.
Short passwords with high complexity. An 8-character password with the full ASCII charset has about 52 bits of entropy. Hashcat running on a modern GPU can exhaust that in hours. Compare that to a 5-word random passphrase like "crisp-walnut-harbor-gentle-plume" — easy to type, easy to remember, and clocking in around 65 bits or higher depending on the word list.
Rotating passwords on a schedule. Forced rotation leads to predictable increments: Winter2025 becomes Spring2025 becomes Summer2025. NIST now recommends against mandatory rotation. Change passwords when there's evidence of compromise, not on a calendar.
What actually works: password managers
The uncomfortable truth is that humans are bad at generating randomness. We gravitate toward patterns, familiar words, and comfortable sequences. The only reliable way to use strong, unique passwords for every account is to not remember them yourself.
A password manager generates a random password for each site, stores it encrypted, and autofills it when you log in. You remember one strong master password (or use a hardware key), and the manager handles the rest.
The major options in 2026:
- Bitwarden — open source, audited, free tier covers most needs. Self-hostable if you want full control.
- 1Password — polished UX, strong business/family plans, Watchtower feature alerts you to breaches.
- KeePassXC — fully offline, open source, no cloud sync (use your own sync tool). Good for people who don't trust cloud services.
- Apple Passwords / Google Password Manager — built into iOS/macOS and Chrome respectively. Convenient but lock you into one ecosystem.
Any of these is drastically better than reusing passwords or keeping a spreadsheet.
Your master password is the one password you actually need to make strong and memorable. A 4-5 word random passphrase works well here — something like "marble-trumpet-glacier-fox" that you can visualize and commit to memory. Don't pick words that relate to each other or form a phrase.
How to generate a password right now
Our password generator uses crypto.getRandomValues — the browser's cryptographically secure random number generator. This is the same primitive that TLS uses to generate session keys. It pulls entropy from your operating system's secure random pool (hardware interrupts, timing jitter, and other unpredictable sources).
This matters because Math.random, the default random function in JavaScript, uses a predictable algorithm called Xorshift128+. If an attacker can observe a few outputs, they can reconstruct the internal state and predict every future output. For a password generator, that would be catastrophic. We don't use Math.random anywhere near password generation.
Here's how to use the generator effectively:
-
Set the length to at least 16 characters. 20+ is better if the site allows it. There's no real downside to longer passwords when a password manager is filling them in.
-
Enable all character classes (uppercase, lowercase, digits, symbols). With a password manager, you never type these manually, so complexity is free.
-
Use the "exclude ambiguous characters" toggle if you ever need to read the password aloud or type it manually — this removes characters like
0/O,l/1/Ithat look identical in many fonts. -
Check the strength meter. It calculates entropy based on your charset and length. Aim for "Strong" (60+ bits) at minimum, "Very Strong" (80+ bits) for anything important.
-
Generate a new password for every account. Never reuse. Let the password manager remember them.
What actually works in 2026
A strong password in 2026 is a long, random string generated by a cryptographically secure source and stored in a password manager. That's it. No clever mnemonics, no meaningful substitutions, no patterns you can remember. Let a machine generate it, let a machine remember it, and put your mental energy toward the one master password that protects the vault.
The math hasn't changed: entropy wins. Make it long, make it random, make it unique.