Let me save you some time: if your password policy still says "minimum 8 characters, at least one uppercase, one number, and one special character," you're following advice from 2004. NIST updated their guidelines back in 2017, and yet most websites still enforce the old rules.
Here's what we know in 2026.
Length Beats Complexity
A 12-character password made of random words (like correct-horse-battery-staple) is harder to crack than P@ssw0rd! even though the second one "passes" most complexity rules. The math is simple: each additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length.
Modern password crackers use dictionaries, known patterns, and rules to guess passwords. P@ssw0rd! matches the pattern of "common word + leet speak + symbol" and would be cracked in seconds. Four random words? That's a search space of roughly 10^20 combinations.
What Actually Makes a Password Strong
1. Length: 16+ characters is the sweet spot. Some security researchers recommend 20+.
2. Randomness: Human-chosen passwords follow predictable patterns. Use a generator.
3. Uniqueness: Never reuse passwords across services. One breach exposes all of them.
The Password Manager Argument
I know, I know — "I can't remember 50 unique 20-character passwords." You're not supposed to. That's what password managers are for. You remember one strong master password, and the manager handles the rest.
If you're a developer building authentication, here are the things that actually matter:
- Don't limit password length: Let users enter 128 characters if they want. You're hashing it anyway.
- Don't ban pasting: Password managers need to paste. Blocking paste is actively harmful.
- Check against breach databases: Use the HaveIBeenPwned API to reject known-compromised passwords.
- Hash properly: bcrypt, scrypt, or Argon2. Never MD5 or SHA-256 for passwords.
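The developer rules above, wired together as an added example (this is not code from the post): a registration path that enforces a 12-character minimum with a deliberately generous 128-character cap, checks the candidate against the Pwned Passwords range endpoint using its k-anonymity model (only the first five hex characters of the SHA-1 leave the machine, and the comparison happens locally), and stores an scrypt hash from Python's standard library. The API response body below is a constructed stand-in so the example runs offline; the scrypt cost parameters, the storage format and the `register`/`verify_password` names are my assumptions, not the post's. Paste-blocking is a front-end concern and is not shown.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import urllib.request

# Policy values from the post: enforce 12+ and let users go long. The 128 cap only
# bounds hashing cost; it is not a complexity rule.
MIN_LENGTH = 12
MAX_LENGTH = 128

# scrypt cost parameters (assumption: a common interactive-login setting, about 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def check_length(password: str) -> None:
    """Reject passwords outside [MIN_LENGTH, MAX_LENGTH]; returns None when acceptable."""
    if len(password) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        raise ValueError(f"password must be at most {MAX_LENGTH} characters")


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the range endpoint's 'SUFFIX:COUNT' lines into a dict keyed by suffix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character prefix leaves the machine (k-anonymity)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in a range response (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def hash_password(password: str, salt: bytes | None = None) -> str:
    """scrypt the password with a random 16-byte salt; store the parameters alongside so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def register(password: str, range_body: str) -> str:
    """Full registration check: length, breach lookup, then hash. Returns the string to store."""
    check_length(password)
    seen = breach_count(password, range_body)
    if seen:
        raise ValueError(f"password has appeared in {seen} breaches; choose another")
    return hash_password(password)


# Constructed stand-in for an API response (not real data): two made-up suffixes plus the
# suffix of a deliberately weak constructed password, so the rejection path runs offline.
WEAK_PASSWORD = "Password2026!"
_, WEAK_SUFFIX = sha1_prefix_suffix(WEAK_PASSWORD)
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{WEAK_SUFFIX}:12345",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:7",
])

if __name__ == "__main__":
    try:
        register(WEAK_PASSWORD, SAMPLE_RANGE)
    except ValueError as e:
        print("rejected:", e)
    stored = register("glacier-pencil-river-monkey-staple", SAMPLE_RANGE)
    print("stored:", stored)
    print("verify ok:", verify_password("glacier-pencil-river-monkey-staple", stored))
```

For a real deployment, `fetch_range(prefix)` replaces `SAMPLE_RANGE`. If you pick bcrypt instead of scrypt, keep in mind that bcrypt only looks at the first 72 bytes of input, which is one reason to pair it with an explicit cap rather than silently truncating; scrypt and Argon2 have no such limit.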
About Entropy
Password strength is measured in bits of entropy. Here's a rough guide:
| Entropy | Strength | Example |
|---|---|---|
| 28 bits | Terrible | `password1` |
| 40 bits | Weak | `Monkey2024!` |
| 60 bits | Good | `kJ7#mP9x@qL2` |
| 80+ bits | Excellent | `correct-horse-battery-staple-river` |
A good password generator will show you the entropy of what it creates. If you're seeing 80+ bits, you're in good shape.
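The entropy figures in the table, the "use a generator" advice, and the search-space argument from the Length Beats Complexity section all come down to one formula: a password of `length` symbols drawn uniformly from an alphabet of `size` symbols has `length * log2(size)` bits. The example below (added here; not code from the post) is a small generator that reports that number for both character passwords and word passphrases, and contrasts it with a rough model of the "common word + leet speak + symbol" pattern a rule-based cracker walks. The eight-word list, the 7776-entry diceware size used for the arithmetic, and the 10,000 / 16 / 32 choice counts in the pattern model are my assumptions.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: what a typical character-based generator draws from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Size of a standard diceware list; used for the entropy arithmetic only.
DICEWARE_SIZE = 7776

# Constructed eight-word list so the passphrase generator runs offline. A real generator
# loads a 7776-word list; the entropy reported below is honest about this list's small size.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "monkey", "glacier", "pencil"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size` symbols.

    Each extra symbol adds log2(alphabet_size) bits, which is why the search
    space grows exponentially with length.
    """
    return length * math.log2(alphabet_size)


def structured_guess_bits(*choice_counts: int) -> float:
    """Rough size, in bits, of the space a rule-based cracker walks for a pattern:
    the product of the number of choices in each slot."""
    return sum(math.log2(c) for c in choice_counts)


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> tuple:
    """Random character password from `alphabet`, returned with its entropy in bits."""
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


def generate_passphrase(words: int = 5, wordlist: list = SAMPLE_WORDS) -> tuple:
    """Random passphrase; entropy depends on list size and word count, not on how long the words are."""
    phrase = "-".join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


def chars_needed(target_bits: float, alphabet_size: int = len(PRINTABLE)) -> int:
    """Smallest character count that reaches `target_bits` from `alphabet_size` symbols."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def words_needed(target_bits: float, list_size: int = DICEWARE_SIZE) -> int:
    """Smallest word count that reaches `target_bits` from a `list_size`-word list."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    # Assumed model of the P@ssw0rd! pattern: ~10,000 dictionary words, 16 leet spellings, 32 trailing symbols.
    print(f"word + leet + symbol pattern: ~{structured_guess_bits(10_000, 16, 32):.1f} bits")
    print(f"12 random printable chars:    {entropy_bits(len(PRINTABLE), 12):.1f} bits")
    print(f"5 diceware words:             {entropy_bits(DICEWARE_SIZE, 5):.1f} bits")
    print(f"for 80 bits: {chars_needed(80)} random chars or {words_needed(80)} diceware words")
    pw, bits = generate_password()
    print(f"{pw}  ({bits:.1f} bits)")
    phrase, bits = generate_passphrase()
    print(f"{phrase}  ({bits:.1f} bits from the small constructed list)")
```

The point the numbers make: a 12-character random string from 94 symbols sits near 79 bits, five words from a 7776-word list near 65 bits, and the leet-speak pattern a cracker's rules enumerate comes out around 22 bits no matter how many "special characters" it contains. Entropy only counts choices the attacker cannot predict, so a passphrase drawn from a tiny list (15 bits here) is weak regardless of its character count.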
The Practical Advice
For your personal accounts: use a password manager and generate random 20-character passwords for everything. Memorize only your master password (make it a long passphrase).
For applications you build: enforce minimum length (12+), check against breach databases, use proper hashing, and let users paste. Stop requiring weird character rules that lead to January2026! passwords.