How Strong Should My Password Be in 2026?
The advice you learned in 2010, "8 characters, mixed case, one symbol", is dangerously out of date. A modern GPU rig exhausts that entire keyspace in hours and guesses a human-chosen one in seconds. Here's what actually keeps accounts safe today, backed by NIST's 2024 revisions to SP 800-63B.
Length is everything
Password strength is measured in entropy: the number of bits of randomness an attacker has to guess. Each extra bit doubles the guessing work, and each extra random character adds log2(alphabet size) bits, so one more lowercase letter multiplies the work by 26 and one more character from the full printable-ASCII set multiplies it by 95. Against a fast unsalted hash, a 15-character random password drawn from the full character set is out of reach of offline cracking, while an 8-character one falls within a day (see the table below).
Cracking-time reference (offline, exhaustive search at 10^11 guesses/s)
Assumes a multi-GPU rig against an unsalted fast hash such as MD5 or NTLM (the worst case for the defender) and a truly random password. Times are rounded, worst-case enumerations of the whole keyspace.
| Length | Lowercase only (26 symbols) | All printable ASCII (95 symbols) |
|---|---|---|
| 8 chars | ~2 seconds | ~18 hours |
| 10 chars | ~24 minutes | ~19 years |
| 12 chars | ~11 days | ~170,000 years |
| 15 chars | ~500 years | ~150 billion years |
| 20 chars | ~6 billion years | Beyond meaningful |
A properly tuned bcrypt, scrypt or Argon2 hash slows each guess by several orders of magnitude and stretches every row accordingly. A human-chosen password falls far faster than any row, because attackers try wordlists and mangling rules long before brute force.
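To see where the table comes from and how much the assumed guess rate drives it, here is an added example (not code from the page or from Toolzer) that computes entropy and worst-case search time for any alphabet size and length. The two guess rates are labelled assumptions, not measurements; it also runs the table at a slow-hash rate, which the table above does not show.

```python
"""Entropy and worst-case offline cracking time for uniformly random passwords.

Added example; this is not code from the original page or from Toolzer.
Guess rates are assumptions, labelled below, not measurements.
"""
import math

# Alphabet sizes used by the table in the article.
CHARSET_SIZES = {
    "lowercase": 26,   # a-z
    "printable": 95,   # all printable ASCII: letters, digits, 32 symbols, space
}

# Assumed guess rates (guesses per second), order-of-magnitude only:
GUESS_RATES = {
    "fast_hash": 1e11,  # assumption: multi-GPU rig vs unsalted MD5/NTLM-class hash
    "slow_hash": 1e4,   # assumption: the same rig vs a properly tuned bcrypt/Argon2
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy in a string of `length` symbols drawn uniformly at random."""
    if charset_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    # Each extra symbol adds log2(charset_size) bits, i.e. multiplies the
    # keyspace by charset_size; each extra bit doubles it.
    return length * math.log2(charset_size)


def search_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds to enumerate the whole keyspace of `bits` bits."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Round a duration to a coarse, table-friendly string."""
    if seconds < 1:
        return "instant"
    value = seconds
    for unit, next_factor in (("s", 60), ("min", 60), ("h", 24), ("days", 365.25)):
        if value < next_factor:
            return f"{value:,.0f} {unit}"
        value /= next_factor
    # Now in years; switch to scientific notation once it stops being meaningful.
    return f"{value:,.0f} years" if value < 1e6 else f"{value:.1e} years"


def crack_time_table(lengths=(8, 10, 12, 15, 20), rate_name="fast_hash"):
    """Rows of {"length": n, charset: human time} for the given assumed rate."""
    rate = GUESS_RATES[rate_name]
    rows = []
    for length in lengths:
        row = {"length": length}
        for name, size in CHARSET_SIZES.items():
            row[name] = human_time(search_seconds(entropy_bits(size, length), rate))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for rate_name, rate in GUESS_RATES.items():
        print(f"--- {rate_name} ({rate:.0e} guesses/s) ---")
        for row in crack_time_table(rate_name=rate_name):
            print(f"{row['length']:>2} chars  lowercase: {row['lowercase']:<16}"
                  f" printable: {row['printable']}")
```

Running it reproduces the fast-hash table above; the slow-hash run shows why the hash a site uses matters as much as the password: the same 8-character printable password that falls in 18 hours against NTLM takes on the order of 20,000 years at the assumed bcrypt rate.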
The 2026 checklist
- Minimum 15 characters for anything important (email, banking, work).
- Unique per site. Credential stuffing (replaying username/password pairs from one breach against every other service) is one of the most common account-takeover attacks; reuse means one breach breaks everything.
- Password manager to generate and store them. Human-picked passwords cluster around predictable patterns.
- 2FA everywhere, ideally with a FIDO2 hardware key (phishing-resistant) or an authenticator app, not SMS.
- Passkeys where available. They remove the shared secret entirely: nothing to reuse, phish, or crack.
- Don't force rotation. Change only on breach or suspicion.
Passphrases vs random strings
A four-word Diceware passphrase (four words from the 7,776-word list, ~52 bits of entropy) is easier to type on a phone than a random string and strong enough for most accounts that also have 2FA. Six words (~78 bits) matches a 12-character random password drawn from the full printable-ASCII set. The key word is random: the words must come from dice or a cryptographically secure generator, not from your head. "correcthorsebatterystaple" itself is now in every cracking wordlist, so never use it or any other published example.
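The generation step in practice, as an added example that is not code from the page or from Toolzer: random passwords and Diceware-style passphrases drawn with the OS CSPRNG (`secrets`), plus the entropy arithmetic that says how many words or characters you need for a target. The SAMPLE_WORDS list is a constructed stand-in so the block runs offline; a real Diceware list has 7,776 words, and the sample deliberately shows how little a tiny list is worth.

```python
"""Random passwords and Diceware-style passphrases with `secrets`.

Added example; not code from the original page or from Toolzer. SAMPLE_WORDS
is a constructed stand-in for a real 7,776-word Diceware list so the block
runs offline; swap in the real list for actual use.
"""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols
DICEWARE_LIST_SIZE = 6 ** 5  # 7,776 words: five six-sided dice select one word

# Constructed sample; a real list has 7,776 distinct words.
SAMPLE_WORDS = ("apple", "bridge", "candle", "desert", "ember", "forest",
                "glacier", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nectar", "orchid", "pebble")


def bits_per_symbol(pool_size: int) -> float:
    """Entropy contributed by one uniformly chosen symbol (character or word)."""
    return math.log2(pool_size)


def random_password(length: int = 15, alphabet: str = PRINTABLE) -> str:
    """Uniformly random string over `alphabet`, using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick `words` entries uniformly and independently (with replacement), like dice.

    The separator is fixed and contributes no entropy.
    """
    if words < 1:
        raise ValueError("words must be >= 1")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase chosen uniformly from wordlist_size ** words."""
    return words * bits_per_symbol(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(wordlist_size))


def chars_needed(target_bits: float, pool_size: int = len(PRINTABLE)) -> int:
    """Smallest random-character count that reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(pool_size))


if __name__ == "__main__":
    print("password:", random_password(15),
          f"({15 * bits_per_symbol(len(PRINTABLE)):.1f} bits)")
    print("passphrase from the tiny sample list:", diceware_passphrase(6),
          f"({passphrase_bits(6, len(SAMPLE_WORDS)):.1f} bits: far too few)")
    print(f"4 real Diceware words: {passphrase_bits(4):.1f} bits;"
          f" 6 words: {passphrase_bits(6):.1f} bits")
    print(f"12 printable chars: {12 * bits_per_symbol(len(PRINTABLE)):.1f} bits")
    print("for 128 bits: words =", words_needed(128), "| chars =", chars_needed(128))
```

The numbers line up with the text: four words from the real list give about 52 bits, six give about 78, and twelve printable-ASCII characters give about 79. Six words from the 16-word sample give only 24 bits, which is why the list, not the word count, is what you must get right.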
Try it on Toolzer
- Password Generator — cryptographically random passwords of any length.
- Password Strength Checker — client-side entropy analysis.
- Pwned Password Check — see if your password appeared in a known breach.
- Email Breach Checker — check if your email leaked in a data breach.
Frequently asked questions
How long should a password be in 2026?
NIST SP 800-63B (rev. 4) requires verifiers to accept passwords of at least 8 characters and recommends a 15-character minimum. For anything important, use 15 or more: a short, human-chosen password can be cracked offline in hours by a modest GPU rig once its hash leaks, because attackers try wordlists and mangling rules long before exhaustive search.
Are complex passwords (!@#$) still recommended?
No. SP 800-63B already discouraged composition rules in rev. 3 and forbids verifiers from imposing them in rev. 4, replacing them with two checks: a minimum length and a blocklist of known-breached and commonly used passwords. Length beats character variety: a 30-character passphrase like 'purple-tiger-eats-mango-slowly' is far stronger than 'P@ssw0rd!', which sits in every cracking dictionary.
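The blocklist check is what the Pwned Password Check listed above performs. Here is how it works without the password ever leaving your machine, as an added example (not code from the page or from Toolzer): only the first five hex characters of the password's SHA-1 are sent, the service returns every matching suffix, and the comparison happens locally (k-anonymity). The real HTTPS fetch is included but the demo and its checks run against a constructed, offline response with made-up counts.

```python
"""Breached-password check using the k-anonymity range query of Have I Been Pwned.

Added example; not code from the original page or from Toolzer. The network
fetch is shown for completeness, but the demo runs against a constructed
offline response, so nothing is sent anywhere when you run it.
"""
import hashlib
import urllib.request

PREFIX_LEN = 5  # only the first 5 hex chars of the SHA-1 are sent to the service


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix sent to the API, suffix compared locally)."""
    digest = sha1_hex_upper(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries (count 0) are dropped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def https_fetch(prefix: str) -> str:
    """Real lookup (not used by the offline demo): GET /range/<prefix>."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the SHA-1 of "password"
# begins 5BAA6). Counts and the other suffixes are made up; a real response
# holds hundreds of lines.
SAMPLE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of "password"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",        # padding entry
        "28A6F1A8BE15B5B16F7F4D2A8C3D1E0F9AB:12",
    ]),
}


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for https_fetch; unknown prefixes get an empty response."""
    return SAMPLE_RESPONSES.get(prefix, "")


def breach_count(password: str, fetch=fake_fetch) -> int:
    """How many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def accept_password(password: str, fetch=fake_fetch, min_length: int = 15):
    """Verifier-side policy: a length floor plus the breach blocklist, no composition rules."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, fetch)
    if seen:
        return False, f"appears in known breaches ({seen} times)"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "purple-tiger-eats-mango-slowly"):
        print(repr(pw), "->", accept_password(pw))
```

To use it for real, pass `fetch=https_fetch` to `accept_password`; the `Add-Padding` header asks the service to pad responses so their size does not reveal which prefix was queried. SHA-1 is fine here because it is only a lookup key into the breach corpus, never the stored hash; the password store itself should use bcrypt, scrypt or Argon2.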
Are password managers safe?
Yes — a reputable password manager with a strong master password and 2FA is dramatically safer than reusing passwords or storing them in a browser. The single-point-of-failure risk is real but far smaller than the certainty of credential-stuffing attacks.
What are passkeys?
Passkeys replace passwords with a WebAuthn (FIDO2) public-key credential: the private key stays on your device or in your platform's synced credential manager, and the site stores only the public key. The credential is bound to the site's origin, so a look-alike domain cannot use it, there is nothing to reuse across sites, and a breach of the site yields nothing an attacker can log in with. Use them wherever offered; Apple, Google, Microsoft and many major sites now support them.
How often should I change my password?
Only when there's a reason: a breach notification, a shared device, or suspicious activity. Forced rotation makes users pick weaker passwords, which is why NIST no longer recommends it.
Sources: NIST SP 800-63B (rev. 4, 2024), HaveIBeenPwned statistics 2025, FIDO Alliance passkey adoption report 2025.
