Password Security: Modern Best Practices
The advice you were given a decade ago — frequent rotation, mandatory symbols, "P@ssw0rd!" patterns — is now considered actively harmful. This guide covers the 2026 consensus from NIST SP 800-63B, the UK NCSC, and the major identity providers, and gives you the math behind why length beats complexity.
The four rules that actually matter
- Length over complexity. 16+ random characters everywhere it matters. Forget the mix-of-character rules.
- Unique per site. Credential-stuffing attacks weaponise every reused password. A manager makes this effortless.
- Add a second factor. Passkey > hardware key > TOTP app > SMS > nothing.
- Don't rotate without cause. Change only after a breach, leaked-password match, or known compromise.
How long until your password gets cracked?
The figures below are the time needed to try every password of the given length and character set at 10¹¹ guesses per second, roughly what a rack of consumer GPUs achieves in 2026 against a fast, unsalted hash such as MD5 or SHA-1. Treat that as the worst case: a properly configured bcrypt or Argon2 hash is slower by orders of magnitude, and on average an attacker finds the password after half the listed time. Every figure assumes the password is uniformly random within its character set, which in practice means generated by a password manager. A human-chosen password of the same length and charset ("P@ssw0rd!" patterns, a dictionary word with substitutions) falls to dictionary and rule-based attacks far faster than this table suggests.
| Length | Lowercase only (26) | Mixed case (52) | Mixed case + digits (62) | All printable ASCII (95) |
|---|---|---|---|---|
| 8 | 2 seconds | 9 minutes | 36 minutes | 18 hours |
| 10 | 24 minutes | 17 days | 3 months | 19 years |
| 12 | 11 days | 120 years | 1,000 years | 170,000 years |
| 14 | 20 years | 335,000 years | 4 million years | 1.5 billion years |
| 16 | 14,000 years | 900 million years | 15 billion years | 10¹³ years |
| 20 | 6 billion years | 7 × 10¹⁵ years | 2 × 10¹⁷ years | 10²¹ years |
The entropy math, in one paragraph
A password's strength is measured in bits of entropy: log₂(charset_size ^ length) = length × log₂(charset_size), assuming every character is chosen uniformly at random. Lowercase only (26 characters) at length 12 gives about 56 bits; the full printable ASCII set (95 characters) at length 12 gives about 79 bits. Each extra character adds the same number of bits (4.7 for lowercase, 6.6 for printable ASCII), so going from 12 to 24 characters doubles the bits, whereas going from 26 to 52 characters adds only one bit per position. That is why length beats complexity. A human-chosen pattern has far less entropy than its charset suggests: a dictionary word with a capital letter, a couple of digits and a trailing symbol is on the order of 30 bits no matter how many symbols it contains. Aim for at least 80 bits on high-value accounts; 128 bits is comfortable for anything.
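The arithmetic above, carried through in code. This is an added example rather than code from the original page: it reproduces the page's model (a uniformly random password, an attacker at 10¹¹ guesses per second against a fast hash), regenerates the crack-time table from it, and contrasts a manager-generated password with a human-chosen pattern. The option counts used for the pattern (`HUMAN_PATTERN`) are assumptions chosen for illustration, not measured data.

```python
"""Password entropy and brute-force time estimates.

Added example, not code from the original page. It reproduces the page's
model: a uniformly random password and an attacker making 1e11
guesses/second against a fast hash. The option counts in HUMAN_PATTERN
are assumptions for illustration.
"""
import math
import secrets
import string

# Character sets from the page's table: 26, 52, 62 and 95 symbols.
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "mixed case": string.ascii_letters,
    "mixed case + digits": string.ascii_letters + string.digits,
    "printable ASCII": string.ascii_letters + string.digits + string.punctuation + " ",
}

FAST_HASH_RATE = 1e11  # guesses/second, the page's fast-hash worst case


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def pattern_entropy_bits(component_options: dict) -> float:
    """Entropy of a password assembled from independent choices (one word out
    of a list, one of two capitalisations, two digits, one symbol). Each
    component contributes log2(number of options), however many characters
    it spans, which is why 'P@ssw0rd1!' is far weaker than its charset implies."""
    return sum(math.log2(n) for n in component_options.values())


def seconds_to_exhaust(bits: float, guesses_per_second: float = FAST_HASH_RATE) -> float:
    """Time to try every password of the given entropy; the expected time is half."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration the way the page's table does ('instant' below 1 s)."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return "instant"


def generate_password(length: int = 16, charset: str = CHARSETS["printable ASCII"]) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(charset) for _ in range(length))


def crack_table(lengths=(8, 10, 12, 14, 16, 20), rate: float = FAST_HASH_RATE) -> dict:
    """Exhaustive-search time for each length and charset, as in the page's table."""
    return {
        length: {name: human_time(seconds_to_exhaust(entropy_bits(len(cs), length), rate))
                 for name, cs in CHARSETS.items()}
        for length in lengths
    }


# Assumed option counts for a typical human-chosen pattern such as 'P@ssw0rd1!'.
HUMAN_PATTERN = {
    "dictionary word": 50_000,
    "capitalise first letter": 2,
    "leet substitutions (a->@, o->0, ...)": 4,
    "two trailing digits": 100,
    "trailing symbol": 32,
}

if __name__ == "__main__":
    for length, row in crack_table().items():
        print(length, row)
    # 'P@ssw0rd1!' is 10 printable-ASCII characters, nominally about 66 bits...
    print("nominal bits:", round(entropy_bits(95, 10), 1))
    # ...but as a pattern it is about 30 bits, and 2**30 guesses at 1e11/s is instant.
    bits = pattern_entropy_bits(HUMAN_PATTERN)
    print("pattern bits:", round(bits, 1), human_time(seconds_to_exhaust(bits)))
    pw = generate_password(16)
    print(pw, round(entropy_bits(95, 16), 1), "bits,",
          human_time(seconds_to_exhaust(entropy_bits(95, 16))), "to exhaust")
```

The table is computed for exhaustion of the whole keyspace; halve it for the expected time. Swapping `FAST_HASH_RATE` for a realistic bcrypt or Argon2 rate in `crack_table` shows how much a slow hash buys the defender, which is the one knob the site operator, not the user, controls.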
2FA, ranked
- Passkeys (WebAuthn). Phishing-resistant, no shared secret. Use everywhere supported (Google, Apple, Microsoft, GitHub).
- Hardware security keys (FIDO2 / U2F). YubiKey, Google Titan. Phishing-resistant, requires physical key.
- TOTP apps. Authy, 1Password, Aegis. Strong, but phishable on lookalike sites.
- Push-based 2FA. Duo, Microsoft Authenticator push. Watch for "MFA fatigue" attacks.
- SMS / email codes. Better than nothing; vulnerable to SIM-swap and inbox compromise.
Password managers: how to pick one
- 1Password. Polished UX, family plans, Travel Mode. Paid only.
- Bitwarden. Open source, generous free tier, self-hostable. Best free option.
- Proton Pass. Integrated with Proton Mail; built-in alias generation.
- Browser-built-in (Chrome, Safari, Firefox). Free, syncs across your devices in that ecosystem; weaker for cross-platform use.
What still trips people up
- Using the same password for your email and your password manager. Email can reset every other account and the manager holds every other password, so those two need different, unique passwords and their own second factor.
- Storing the backup codes for your password manager or your primary email inside that same vault. If you are locked out of the vault, the codes are locked out with you. Print them, or keep them in a separate manager.
- SMS 2FA on your primary email. A SIM-swap of your phone number unlocks every "forgot password" link.
Tools on Toolzer
- Password Generator — generates cryptographically random passwords at any length and charset, fully in the browser.
- Hash Generator — see what your password looks like through MD5, SHA-1, SHA-256, and bcrypt.
- UUID Generator — useful for generating opaque API tokens and recovery codes.
Frequently asked questions
How long should a password be in 2026?
At least 16 characters for high-value accounts (email, banking, password manager) and 12 characters as an absolute minimum elsewhere. Length matters far more than complexity — a 20-character random string is dramatically stronger than a 10-character 'P@ssw0rd!' style one.
Are complex character requirements still recommended?
No. NIST SP 800-63B removed mandatory composition rules in its 2017 edition, and the 2024 revision keeps that position. Forcing symbols and digits pushes users toward predictable substitutions ('Password1!'), so the larger character set adds far less entropy than it appears to. Length plus randomness wins.
Do I need to change my password every 90 days?
No. Forced periodic rotation is now considered counterproductive: users who know they will have to change a password pick weaker ones or increment the old one. Rotate only when there is evidence of compromise. NIST, the UK NCSC and Microsoft had all converged on this position by 2019.
Are passkeys really better than passwords?
Yes, where supported. Passkeys are phishing-resistant by design — the private key never leaves your device and is bound to the website's origin. Use passkeys whenever a site offers them; keep a strong password as the backup factor.
Is SMS 2FA worse than nothing?
No — SMS 2FA still blocks the vast majority of credential-stuffing attacks. But SIM-swap attacks make it weak for targeted users (crypto, journalists, executives). Prefer a TOTP app, a hardware key (YubiKey, Titan), or a passkey.
Should I store passwords in my browser?
Modern browser password managers (Chrome, Safari, Firefox) are good and free. A dedicated cross-platform manager (1Password, Bitwarden, Proton Pass) adds features like secure sharing, breach monitoring, and a single vault across devices. Either beats reusing one password across sites.
Sources: NIST SP 800-63B (Digital Identity Guidelines, 2024 revision), UK NCSC Password Administration Guidance, FIDO Alliance Passkey Specifications.
