Security

How to Create a Strong Password in 2026 (That Actually Works)

2026-05-03 · 9 min read

Every year, billions of passwords are exposed in data breaches. The most common passwords in those breaches — 123456, password, qwerty — have not changed in a decade. But even developers who know better often use patterns that seem strong but are cracked in seconds by modern tools. This guide explains what actually makes a password strong in 2026, gives you the formulas that work, and shows you how to manage hundreds of unique passwords without memorising them.

Why "Strong" Passwords Fail

The traditional advice — use uppercase, lowercase, numbers, and a symbol — sounds good but produces predictable passwords. P@ssw0rd!, Summer2024!, and Tr0ub4dor&3 are all dictionary entries at this point. GPU-powered cracking rigs test billions of guesses per second against these patterns. A gaming PC with an RTX 4090 tests 100+ billion MD5 hashes per second.

What matters is entropy — the mathematical measure of unpredictability. A password's entropy is determined by two things: the size of the character set it draws from, and its length. Longer passwords from larger character sets are exponentially harder to crack. The exponent is the key word — each additional character multiplies the search space, not adds to it.

The Two Password Strategies That Actually Work

Strategy 1: Random character passwords (with a password manager)

A randomly generated 16-character password using all character types (uppercase, lowercase, digits, symbols) has about 105 bits of entropy. Current hardware cannot brute-force this in any realistic timeframe. The trade-off: you cannot memorise it, so you need a password manager.

Generate one right now: ToolPry's Password Generator uses the Web Crypto API to generate cryptographically random passwords entirely in your browser — the password is never transmitted. Aim for 16 characters minimum, 20+ for banking and email accounts.

Strategy 2: Passphrases (for passwords you must remember)

A passphrase is four or more random words: correct-horse-battery-staple. Four random common words produce roughly 44 bits of entropy — modest, but the passphrase is far easier to type and remember. Six random words reach 77 bits, which is extremely strong.

The critical requirement is randomness. "I love coffee and chocolate" is weak because it follows natural language patterns. Use dice or a generator to pick words from a large wordlist (the Diceware standard uses a 7,776-word list). Predictable word combinations are cracked quickly by dictionary attacks — random ones are not.

NIST now recommends a minimum of 15+ characters and screening new passwords against known-breach databases, rather than requiring specific complexity rules. Length matters more than character variety.

Password Entropy: Understanding the Numbers

| Password example | Entropy | Time to crack (modern GPU) |
|---|---|---|
| password123 | ~10 bits | Instant (in dictionary) |
| P@ssw0rd! | ~20 bits | Instant (known pattern) |
| kX9#mL2@ | ~52 bits | Hours to days |
| kX9#mL2@vQ4$nP7! | ~105 bits | Billions of years |
| correct-horse-battery-staple | ~77 bits | Millions of years |
| six random words passphrase | ~77–90 bits | Effectively uncrackable |

Entropy is calculated as log₂(alphabet_size) × length. For a 16-character password drawn from the 94 printable ASCII characters: log₂(94) × 16 ≈ 105 bits. For a four-word Diceware passphrase: log₂(7776) × 4 ≈ 52 bits. Each additional word adds the same amount again, so entropy grows linearly with the number of words.
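As an added worked example (not ToolPry's generator code), the Python below builds both password types from the OS CSPRNG and scores them with the formula above. The 100 billion guesses per second used for the crack-time estimate is the article's RTX 4090 figure and is an assumption; the passphrase function only reaches the stated bits with a real 7,776-word list.

```python
import math
import secrets
import string

# Added example, not ToolPry's generator code: build the two password types
# the article recommends and score them with entropy = log2(alphabet_size) * length.
FULL_ASCII = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_LIST_SIZE = 7776        # 6**5 entries, one per five dice rolls
GPU_GUESSES_PER_SECOND = 100e9   # assumed: the article's RTX 4090 figure for a fast hash

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `alphabet_size` symbols."""
    return math.log2(alphabet_size) * length

def random_password(length: int = 16, alphabet: str = FULL_ASCII) -> str:
    """Strategy 1: uniform random characters from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(wordlist: list, words: int = 6, sep: str = "-") -> str:
    """Strategy 2: each word picked uniformly, which is exactly what dice rolls give.

    Entropy is log2(len(wordlist)) per word, so the article's figures need the
    full 7,776-word Diceware list; a short list is for demonstration only."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def years_to_exhaust(bits: float, rate: float = GPU_GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at `rate` guesses per second (worst case)."""
    return 2.0 ** bits / rate / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed mini list; replace with the real Diceware file.
    demo_words = ["correct", "horse", "battery", "staple", "valley", "river"]
    for label, bits in [
        ("16 random ASCII chars", entropy_bits(len(FULL_ASCII), 16)),
        ("4 Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 4)),
        ("6 Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 6)),
        ("20 random lowercase chars", entropy_bits(26, 20)),
        ("12 random ASCII chars", entropy_bits(len(FULL_ASCII), 12)),
    ]:
        print(f"{label:26s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2g} years to exhaust")
    print(random_password(20), random_passphrase(demo_words))
```

The last two rows reproduce the FAQ's claim that 20 random lowercase letters beat 12 random characters from the full set.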

Password Managers: Non-Negotiable for Security

The fundamental problem: you cannot memorise 150 unique, strong passwords — one for every account you have. Without a password manager, people reuse passwords. Password reuse means a breach at a low-security site (a forum, a small e-commerce store) exposes your email, banking, and work accounts through credential stuffing attacks.

A password manager generates, stores, and auto-fills strong unique passwords for every account. You only need to remember one strong master password — everything else is managed automatically.

What to look for

- Zero-knowledge architecture: your passwords are encrypted on your device before reaching the manager's servers. Not even the company can read your vault.
- End-to-end encryption: AES-256 is the standard.
- Breach monitoring: alerts you when your accounts appear in known breach databases.
- Browser extension and mobile app: auto-fill is the difference between using a password manager consistently and abandoning it.

Recommended managers in 2026

- Bitwarden: open-source, independently audited, full-featured free tier, self-hostable. Best choice for most people.
- 1Password: excellent UX, strong security, good for teams and families, paid only.
- KeePassXC: fully offline and open-source, no cloud dependency, ideal if you want complete control.

Avoid storing passwords in your browser's built-in password manager for sensitive accounts. Browser managers lack breach monitoring, cross-browser support, and the security focus of dedicated tools.

Two-Factor Authentication

A strong password is the first layer. Two-factor authentication (2FA) is the second. Even if your password is stolen through a phishing attack or data breach, an attacker without your second factor cannot access your account.

Use an authenticator app (Google Authenticator, Authy, or Bitwarden's built-in TOTP) rather than SMS. SMS 2FA is vulnerable to SIM-swapping attacks, where attackers convince your carrier to transfer your phone number to their SIM card. Hardware security keys (such as a YubiKey) and passkeys are stronger still — both are phishing-resistant by design.

Enable 2FA everywhere it is offered, starting with your email (most important — controls account recovery for everything else), banking, and your password manager itself.

What to Change Right Now

If you do nothing else: install Bitwarden, set a strong 6-word passphrase as your master password, then over the next week replace your three most critical passwords — email, banking, and work login — with randomly generated 20-character passwords. Enable authenticator-based 2FA on those same accounts. This sequence reduces your real-world risk more than anything else you could do.

For developers building authentication systems: never store plaintext passwords. Hash them with a purpose-built password hash — bcrypt, Argon2, or scrypt — never with MD5 or SHA-1 (see our Hash Generator to understand what those produce). Enforce a minimum of 12 characters. Check candidate passwords against the HaveIBeenPwned breached-password database at registration. Lock the account after repeated failed logins.
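An added example of that developer checklist, written for this article rather than taken from any library: it uses scrypt from Python's standard library (bcrypt and Argon2 need third-party packages), stores the work factors alongside the salt so they can be raised later, and applies the length, breach and lockout rules. The work factors and the lockout threshold are assumptions; `breach_count` is whatever the HaveIBeenPwned lookup returned.

```python
import base64
import hashlib
import secrets

# Added example, not from the article: sign-up and login handling with a
# salted, slow password hash, a breach check and a failure lockout.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed work factors (~16 MiB, tune to ~100 ms)
MIN_LENGTH = 12          # the article's minimum for new systems
MAX_FAILURES = 5         # assumed lockout threshold

def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$hash (base64 fields)."""
    salt = secrets.token_bytes(16)                      # fresh random salt per user
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record; compare in constant time."""
    algo, n, r, p, salt_b64, hash_b64 = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return secrets.compare_digest(digest, base64.b64decode(hash_b64))

def register(password: str, breach_count: int) -> str:
    """Policy gate for sign-up; `breach_count` is the HaveIBeenPwned result (0 = not found)."""
    if len(password) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    if breach_count > 0:
        raise ValueError("password appears in a known breach; choose another")
    return hash_password(password)

class LoginGuard:
    """Counts consecutive failures per account and refuses logins after MAX_FAILURES."""
    def __init__(self) -> None:
        self.failures: dict = {}

    def attempt(self, user: str, password: str, record: str) -> bool:
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return False                                # locked: do not even verify
        if verify_password(password, record):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False
```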

Recognising Weak Password Patterns

These patterns feel clever but are well-known to crackers: substituting letters with numbers (@ for a, 0 for o, 3 for e); appending the year or a single digit or symbol (Summer2024!); using your name, pet's name, or birthday with variations; keyboard walks (qwerty, asdfgh, zxcvbn); and any word in any language with predictable modifications. All of these are explicitly handled in modern cracking dictionaries.
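An added registration-time filter for exactly those patterns (example code, not from the article): it undoes the classic substitutions, strips a trailing year, digit or symbol run, and looks for keyboard walks and personal details the site already knows. The word list is a constructed stub; a deployment would load a full cracking dictionary instead.

```python
import re

# Added example, not from the article: reject the weak patterns the article
# lists before a password is accepted. COMMON_WORDS is a constructed stub.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
COMMON_WORDS = {"password", "summer", "winter", "welcome", "qwerty",
                "admin", "letmein", "dragon", "monkey", "troubador"}
TRAILING_JUNK = re.compile(r"[^a-z]+$")     # "2024!", "1", "!!" on the end

def normalise(password: str) -> str:
    """Lower-case, drop the trailing year/digit/symbol run, then undo leet-speak."""
    return TRAILING_JUNK.sub("", password.lower()).translate(LEET)

def has_keyboard_walk(password: str, run: int = 4) -> bool:
    """True if `run` adjacent keys from one row appear, in either direction."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False

def weak_patterns(password: str, personal: frozenset = frozenset()) -> list:
    """Return the weak patterns found (empty list means none of the known ones).

    `personal` holds lower-cased facts the site knows about the user (name,
    pet, birth year) that must not appear inside the password."""
    found = []
    if normalise(password) in COMMON_WORDS:
        found.append("dictionary word with substitutions or suffix")
    if has_keyboard_walk(password):
        found.append("keyboard walk")
    if any(item and item in password.lower() for item in personal):
        found.append("personal detail")
    return found
```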

The only pattern that cannot be in any cracking dictionary is genuine randomness — either a randomly generated character password or a passphrase assembled from truly randomly selected words. Use ToolPry's Password Generator to generate both types, view the entropy score, and copy with one click.

Special Cases: Passwords You Type Frequently

Most passwords should be in a password manager and auto-filled — you never type them. But some passwords you will type regularly: your computer login, your password manager master password, and possibly a work VPN or hardware security key PIN. For these, a long passphrase beats a random character password on usability without sacrificing meaningful security.

A 6-word Diceware passphrase like correct-horse-battery-staple-valley-river reaches 77+ bits of entropy, is resistant to all but the most determined nation-state adversaries, and can be typed from memory without looking at a screen. Random character passwords of equivalent strength require 13+ characters of full ASCII, which is significantly harder to type without mistakes, especially on mobile keyboards or in contexts where you cannot paste.

For your password manager master password specifically: use a 6-word passphrase, write it on paper and store it in a physically secure location (a safe, a lockbox), and never store it digitally. The paper copy is your recovery mechanism if you forget it or lose your device.

Checking If Your Passwords Have Been Exposed

HaveIBeenPwned (haveibeenpwned.com) maintains a database of over 12 billion passwords from real data breaches. You can check whether a specific password appears in any known breach, and the check is done securely using a k-Anonymity model: only the first 5 characters of the password's hash are sent, never the password itself.
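The k-Anonymity exchange, as an added example that is neither the article's nor HaveIBeenPwned's code: the client hashes locally, sends only the 5-character prefix to the real range endpoint, and matches the returned suffixes itself. The range response below is constructed for the prefix of SHA-1("password") so the example runs offline; `fetch_range` is the live call and is not exercised here.

```python
import hashlib
import urllib.request

# Added example, not from the article or HaveIBeenPwned: the k-Anonymity range
# query. Only SHA-1(password)[:5] leaves the machine; the API returns every
# suffix sharing that prefix and the comparison happens locally.
RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint, unused by the test

def split_hash(password: str) -> tuple:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally), upper-case hex."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; padding entries carry count 0, so 0 means not found."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup. Add-Padding makes all responses similar in size to hide the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "example-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def times_breached(password: str, range_body: str) -> int:
    """Offline form: match against a range body already fetched for this password's prefix."""
    _prefix, suffix = split_hash(password)
    return breach_count(suffix, range_body)

def check_online(password: str) -> int:
    """Online form: fetch the range for the prefix, then match locally."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))

# Constructed stand-in for the response to /range/5BAA6 (real bodies hold several
# hundred suffixes). The middle entry is the real suffix of SHA-1("password");
# the counts and the other suffixes are made up, the first being a padding entry.
SAMPLE_RANGE_BODY = """\
1D2CDE7A3F1B8C9E0F4A5B6C7D8E9F0A1B2:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F00A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D:2
"""
```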

Most major password managers (Bitwarden, 1Password, Dashlane) include automatic breach monitoring that checks your stored passwords against this database and alerts you when a credential appears in a new breach. Enable this feature and act on its alerts promptly — change any exposed password immediately.

Frequently Asked Questions

How long should a password be?

For randomly generated passwords stored in a password manager: 16 characters minimum, 20+ for your most sensitive accounts (email, banking, work). For passphrases you need to memorise: 4 random words minimum, 6 words for high-security accounts. Length matters more than character variety — a 20-character lowercase-only random password is stronger than a 12-character password with all character types.

Should I change my passwords regularly?

NIST's current guidelines say: do not force regular rotation unless you have reason to believe a password has been compromised. Mandatory periodic rotation (every 90 days) was the old advice and it backfired — users responded by making predictable small changes (adding a number to the end, capitalising the first letter) that provide essentially zero security improvement. Change a password when you know or suspect it has been exposed, or when you leave a job. Otherwise, stable strong unique passwords are better than frequently changed weak ones.

Is it safe to use a password manager in the cloud?

Yes, if the manager uses zero-knowledge architecture. Zero-knowledge means your passwords are encrypted on your device using a key derived from your master password before being sent to the cloud. The provider's servers only ever see encrypted data — even if they are hacked, the attackers get only encrypted blobs that cannot be decrypted without your master password. Bitwarden and 1Password both use this model and have undergone independent security audits. The risk of not using a cloud password manager — reusing passwords across sites — is far greater than the theoretical risk of a well-implemented zero-knowledge cloud manager.

What makes a passphrase different from a phrase I made up?

Randomness is everything. A passphrase you compose yourself — based on a favourite quote, a memorable sentence, words that relate to each other — has far less entropy than it appears because humans are predictable. We overuse certain words, certain structures, certain topics. An attacker running a targeted attack against you would try phrases connected to your known interests, your name, your location, and common quote sources. A passphrase generated by rolling dice or using a proper random word generator has no such patterns and cannot be targeted.

What should I do if a site forces complex password rules (must have symbol, uppercase, etc.)?

Use a random generator (like ToolPry's Password Generator) with all character types enabled, at the maximum length the site allows, and store the result in your password manager. Do not try to construct a memorable password that satisfies the rules — that reliably produces weak passwords. Let the generator handle the complexity requirements automatically.