What makes a strong password?
Length matters more than complexity. Random matters more than memorable. Unique matters most.
A strong password in 2026 is at least 16 characters long, randomly generated (not a memorable phrase you invented), and unique to one account. Length contributes more to strength than character variety. Use a password manager to generate and store unique 16+ character random passwords for every account, and protect the manager itself with a strong master passphrase plus phishing-resistant 2FA.
Key takeaways
- Length > complexity for password strength.
- Random > memorable — let the password manager do the work.
- Unique per account is non-negotiable; that requires a password manager.
- Master passphrase: 5-7 random words, written on paper.
- Skip forced periodic rotation; rotate only on breach signal.
The math of password strength
Password strength is measured in bits of entropy: the base-2 logarithm of the number of guesses an attacker needs, on average, to find your password. Each extra bit doubles the work.
A 6-character lowercase password has about 28 bits of entropy — guessable in seconds with modern hardware.
A 16-character random password (mixed case + numbers + symbols) has about 100 bits — would take longer than the age of the universe to brute-force at current speeds.
Adding length raises entropy faster than adding character classes. A 20-character lowercase-only password is stronger than a 12-character password that uses all character classes.
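The figures above can be checked directly. This is an added example, not code from the article: it computes entropy as picks × log2(pool size) for the password shapes discussed here and converts it to an average cracking time at an assumed attacker speed of 10^12 guesses per second (an illustrative figure, not one the article gives).

```python
import math

# Pool sizes for the comparisons above.
LOWERCASE = 26          # a-z
ALL_CLASSES = 94        # upper + lower + digits + printable symbols
XKCD_LIST = 2048        # word-list size implied by XKCD's 11 bits per word
DICEWARE_LIST = 7776    # EFF / Diceware long list

# Assumed attacker speed for illustration only; not a figure from the article.
GUESSES_PER_SECOND = 1e12
AGE_OF_UNIVERSE_SECONDS = 4.35e17


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random choices from a pool
    of `pool_size` symbols (or words): log2(pool_size ** picks)."""
    return picks * math.log2(pool_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: half the keyspace at `rate` guesses/s."""
    return 2.0 ** bits / 2 / rate


def stronger(a: tuple[int, int], b: tuple[int, int]) -> bool:
    """True when password shape a=(pool, length) has more entropy than b."""
    return entropy_bits(*a) > entropy_bits(*b)


if __name__ == "__main__":
    for label, pool, picks in [
        ("6 lowercase chars", LOWERCASE, 6),
        ("16 chars, all classes", ALL_CLASSES, 16),
        ("20 lowercase chars", LOWERCASE, 20),
        ("12 chars, all classes", ALL_CLASSES, 12),
        ("4 words (XKCD list)", XKCD_LIST, 4),
        ("5 words (Diceware)", DICEWARE_LIST, 5),
        ("7 words (Diceware)", DICEWARE_LIST, 7),
    ]:
        bits = entropy_bits(pool, picks)
        secs = expected_crack_seconds(bits)
        print(f"{label:24} {bits:6.1f} bits  ~{secs:.3g} s to crack")
```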
Why 'memorable strong passwords' usually aren't
Famous example: 'Tr0ub4dor&3' looks complex but has only ~28 bits of entropy because it's based on a dictionary word with predictable substitutions. Crackers know to try i→1, e→3, etc.
Better: 'correct horse battery staple' (the XKCD example) — 4 random words, ~44 bits of entropy, easy to remember. Modern crackers do try this pattern, so you need 5-6 random words for 2026.
Best: 'random characters from a password manager' — no pattern, no memorability needed because you don't memorize it.
The unique requirement
A perfect strong password used on 50 sites is weakened to whatever the worst-secured of those sites does with it.
If site #47 stores passwords in plaintext and is breached, your strong password is now a known credential that attackers will try on Gmail, banking, etc.
Unique passwords stop credential-stuffing attacks entirely; against accounts that reuse passwords, those attacks succeed roughly 5% of the time.
The only practical way to have unique 16+ character random passwords for every account is a password manager.
The master password / passphrase
Your password manager itself needs one password — the master one. This one needs to be both strong AND memorable.
Use a 5-7 random word passphrase: 'tractor-saturday-velocity-bookmark-pavement.' That's ~70 bits of entropy and you can actually remember it.
Write it down once on paper, in a safe place. Backup in a sealed envelope at a relative's house.
Never reuse this passphrase anywhere else.
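"Random words" means words drawn by a random source you did not pick, not words you thought of. This added example (not code from the article) generates both the master passphrase and per-account passwords with the operating system's CSPRNG through Python's secrets module; the 12-word list is a constructed stand-in for a real 7776-word Diceware list, and the entropy helper assumes the full list.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list (e.g. the 7776-word EFF/Diceware list).
# A real deployment loads the full list so each word carries ~12.9 bits.
SAMPLE_WORDS = ["tractor", "saturday", "velocity", "bookmark", "pavement", "harbor",
                "lantern", "quartz", "meadow", "ripple", "saddle", "tundra"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Per-account password: uniform picks via secrets (OS CSPRNG), never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: list[str], count: int = 5, sep: str = "-") -> str:
    """Master passphrase: `count` independent uniform picks from the list.
    Repeats are allowed so the entropy stays exactly count * log2(len(words))."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    print("account password :", generate_password(20))
    print("master passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
    for n in (5, 6, 7):
        print(f"{n} Diceware words = {entropy_bits(7776, n):.1f} bits")
```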
What about password expiry policies?
NIST in 2017 explicitly recommended against forced periodic password rotation for users — it leads to weaker passwords (people add '!1', '!2', etc.) without security benefit.
Rotate only when there's reason to: a breach, suspected compromise, or shared credential turnover.
If your workplace forces 90-day rotation, push back with the NIST 800-63B guidance. Many IT teams have updated their policies based on this.
Common myths to drop
'Adding ! and a number makes a password strong': only marginally. Length is the bigger factor.
'Capitalize one letter to be safe': adds about 1 bit of entropy. Negligible.
'Don't use real words': real words are fine if you string together 6+ random ones; avoiding them does nothing for a 6-character password.
'Strong passwords I made up are unguessable': they aren't. Humans pick predictable passwords; password crackers know your patterns better than you do.
The 2026 strong-password recipe
Master password: 5-7 random word passphrase, written on paper in a safe place.
Every other account: 16-20 character random password generated by your manager. You never type these directly — manager autofills.
Phishing-resistant 2FA on every account that supports it (passkey or hardware key).
Rotate only on breach signal (Have I Been Pwned alert, suspicious activity, or shared credential turnover).
Audit quarterly: open password manager → check for reused passwords (most have a security report).
Frequently asked questions
What's the minimum password length I should use?
16 characters random for accounts; 5+ random words for the master password. Below that, 2026 cracking hardware can succeed within weeks for high-value targets.
Is 'P@ssw0rd123!' strong?
No. It's a dictionary-based password with predictable substitutions, easily cracked. Don't make passwords yourself; let a password manager generate them.
What about biometric login (fingerprint, face)?
Biometric isn't a password — it unlocks the password manager or device. Behind the biometric is still a strong password or passkey. Use biometric for convenience, not as the primary credential.
Do password managers themselves get breached?
Some have. LastPass had a major incident in 2022-2023. The architecture matters: zero-knowledge means the vendor can't decrypt your vault. Bitwarden, 1Password, Proton Pass have stronger architectural protections.
I use the same password everywhere — where do I start?
Email and banking first, today. Then gradually migrate other accounts as you log in to them, generating unique passwords via a manager.