Passwords are the most attacked layer of digital security. In 2025, over 80% of data breaches involved weak, reused, or stolen credentials. Yet the advice most people follow — adding a number and exclamation mark to a word they remember — creates passwords that modern cracking tools defeat in seconds. This guide covers what actually works in 2026.
How Password Cracking Works in 2026
Understanding the attack tells you what to defend against. Modern password attacks use three main techniques: dictionary attacks (trying millions of known passwords and variants), brute force (trying every combination systematically), and credential stuffing (using passwords leaked from other breaches).
Modern GPU-powered cracking rigs test billions of password guesses per second against stolen password hashes. A home gaming PC with an RTX 4090 can test 164 billion MD5 hashes per second. This means:
| Password | Time to crack | Why |
|---|---|---|
| password123 | Instant | In every dictionary |
| P@ssw0rd! | Instant | Common substitution pattern |
| soccer2026! | Minutes | Word + year + symbol pattern |
| kX9#mL2@vQ | Months | Random but only 10 chars |
| correct-horse-battery-staple | Centuries | Long passphrase, high entropy |
| hJ8$kP2!nQ4@wM7# | Billions of years | 16 random chars, full charset |
The Two Best Password Strategies
Strategy 1: Random character passwords + a password manager
A 16+ character password using uppercase, lowercase, numbers, and symbols from a cryptographically random generator is essentially uncrackable by brute force. The catch: you cannot memorize dozens of these. That is why this strategy requires a password manager to store and fill them automatically.
Generate one now with ToolPry's Password Generator — it runs entirely in your browser using the Web Crypto API, so the password is never sent anywhere. Aim for 16 characters minimum, 20+ for high-value accounts.
Strategy 2: Passphrases for passwords you must memorize
A passphrase is four or more random words joined together: correct-horse-battery-staple. This approach was popularized by XKCD and endorsed by NIST (the US National Institute of Standards and Technology). Four random common words produce roughly 44 bits of entropy — equivalent to an 8-character random password — but the passphrase is far easier to remember and type.
The key word is random. "I love coffee and chocolate" is not a strong passphrase because it follows predictable patterns. Roll dice or use a generator to pick words genuinely at random from a large wordlist (Diceware is the standard method).
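Both strategies come down to the same arithmetic: entropy is the number of independent random choices times the log2 of the pool each choice is drawn from, and an offline attacker's time is that keyspace divided by their guess rate. The following script is an added example (not code from this guide or from ToolPry's generator): it generates Strategy 1 passwords and Strategy 2 passphrases from the CSPRNG in Python's `secrets` module, reports the entropy in bits, and estimates worst-case exhaustion time at the 164 billion MD5 guesses per second quoted above. The eight-word `SAMPLE_WORDLIST` is a constructed stand-in for a real Diceware list; only the list size enters the entropy calculation, so the EFF long list size (7,776 words) is used for the strength figures.

```python
import math
import secrets
import string

# Constructed stand-in for a real Diceware list (the EFF long list has 7,776
# entries, about 12.9 bits per word). Only the list size matters for entropy.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "lantern", "orbit",
                   "pickle", "glacier"]
EFF_LONG_LIST_SIZE = 7776                                                  # real list size
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation   # 94 printable chars
LOWERCASE = string.ascii_lowercase                                         # 26 chars

# Guess rate quoted in the article: one RTX 4090 testing MD5 at ~164 billion/s.
RTX4090_MD5_PER_SECOND = 164e9
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `pool_size` options."""
    if pool_size < 2 or length < 1:
        raise ValueError("need at least two options and one pick")
    return length * math.log2(pool_size)


def random_password(length: int = 20, alphabet: str = FULL_CHARSET) -> str:
    """Strategy 1: random characters from a CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words: int = 6, wordlist=None, sep: str = "-") -> str:
    """Strategy 2: words picked independently and uniformly from a wordlist."""
    wordlist = wordlist or SAMPLE_WORDLIST
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try the entire keyspace at the given rate (offline attack on a fast hash)."""
    return (2.0 ** bits) / guesses_per_second


def strength_report(label: str, pool_size: int, length: int) -> dict:
    """Bits of entropy plus years to exhaust the keyspace at the quoted MD5 rate."""
    bits = entropy_bits(pool_size, length)
    years = worst_case_crack_seconds(bits, RTX4090_MD5_PER_SECOND) / SECONDS_PER_YEAR
    return {"label": label, "bits": round(bits, 1), "years_to_exhaust": years}


if __name__ == "__main__":
    print("random 20-char password :", random_password())
    print("sample 6-word passphrase:", diceware_passphrase())
    for report in (strength_report("8 lowercase letters", 26, 8),
                   strength_report("10 chars, full ASCII set", 94, 10),
                   strength_report("4 Diceware words (7,776 list)", EFF_LONG_LIST_SIZE, 4),
                   strength_report("6 Diceware words (7,776 list)", EFF_LONG_LIST_SIZE, 6),
                   strength_report("20 lowercase letters", 26, 20),
                   strength_report("16 chars, full ASCII set", 94, 16)):
        print(report)
```

The "years to exhaust" figure assumes a fast unsalted hash such as MD5; against bcrypt, scrypt or Argon2 the attacker's rate drops by several orders of magnitude, which is the whole point of the developer guidance later in this guide. The entropy figures are what the strength table above and the "length beats complexity" FAQ answer are really comparing.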
NIST Password Guidelines 2026
NIST updated its Digital Identity Guidelines (SP 800-63B) and the new recommendations contradict much of what you were taught:
What NIST now recommends: Minimum 8 characters (15+ preferred). Allow all printable ASCII and Unicode. Check passwords against known breach databases. Do not require periodic rotation unless compromise is suspected. Do not require specific complexity rules (uppercase + symbol etc.).
What NIST now says to stop doing: Mandatory 90-day password rotations (they cause users to make predictable small changes). Complexity requirements that don't actually improve entropy. Security questions (easily guessed or researched). SMS as the sole second factor (vulnerable to SIM-swapping).
Password Managers: Your Most Important Security Tool
A password manager solves the fundamental human problem: you cannot memorize 200 unique strong passwords, so most people reuse passwords. Reuse means a single breach of a low-security site exposes your high-security accounts through credential stuffing.
What to look for in a password manager
End-to-end encryption means your passwords are encrypted on your device before reaching the manager's servers — even they cannot read your vault. Zero-knowledge architecture means the provider has no technical ability to decrypt your data. Cross-device sync via browser extensions handles auto-fill everywhere. Breach monitoring alerts you when your accounts appear in known breach databases.
Reputable options in 2026
Bitwarden is open-source, independently audited, has a fully functional free tier, and can be self-hosted. It is the recommended choice for most users. 1Password is polished, excellent for teams and families, and has strong security practices. KeePassXC is fully offline and open-source — ideal if you want zero cloud dependency. All three use AES-256 encryption and zero-knowledge architecture.
Avoid: Browser-built-in password managers for anything sensitive — they lack breach monitoring, cross-browser support, and the security focus of dedicated tools. Also avoid saving passwords in plain text files, spreadsheets, or notes apps.
Two-Factor Authentication (2FA)
Even a perfect password can be stolen through phishing or data breaches. Two-factor authentication means an attacker needs both your password and access to your second factor — dramatically raising the cost of an attack.
2FA methods ranked by security
| Method | Security | Notes |
|---|---|---|
| Hardware security key (YubiKey, Passkey) | Excellent | Phishing-resistant, fastest to use once set up |
| Authenticator app (TOTP) | Very good | Authy, Google Authenticator, Bitwarden TOTP |
| SMS / text message | Weak | Vulnerable to SIM-swapping attacks |
| Email codes | Weak | Only as secure as your email account |
Enable 2FA on every account that supports it, prioritising email, banking, social media, and your password manager itself. Use an authenticator app (TOTP) at minimum — avoid SMS where possible.
Passkeys: The Password-Free Future
Passkeys are cryptographic credentials stored on your device that replace passwords entirely. When you log in, your device authenticates with a private key that never leaves your hardware — making phishing mathematically impossible. Google, Apple, Microsoft, and most major services now support passkeys. Where available, a passkey is more secure than even a perfect password with 2FA.
What to Do Right Now
If you do nothing else after reading this: install Bitwarden, generate a strong master passphrase (four+ random words), import your existing passwords, then spend 30 minutes replacing your most critical account passwords (email, banking, work) with randomly generated 20-character passwords from Bitwarden's built-in generator or ToolPry's Password Generator. Enable 2FA on those same accounts. That sequence materially reduces your risk more than any other single action.
For developers building systems that handle passwords: never store plaintext passwords. Use bcrypt, Argon2, or scrypt for hashing — never MD5 or SHA-1. Enforce minimum length (12+ characters). Check passwords against HaveIBeenPwned's breached password API at registration. See also our guide to hash generation for understanding what secure hashing looks like.
Password Security for Specific Account Types
Not all accounts deserve the same level of attention. Prioritise by consequence: what is the worst that could happen if this account is compromised?
Email accounts are the highest-value target. Your email controls account recovery for virtually everything else. An attacker who accesses your email can reset passwords for your bank, social media, work accounts, and password manager. Treat your primary email account as your most critical credential: longest password (20+ characters), strongest 2FA (hardware key or authenticator app, never SMS), recovery phone and backup email set correctly.
Password managers are the second-highest priority. Your master password is the one you must memorise. Use a 6-word Diceware passphrase — long enough to be strong, memorable enough to type from memory. Write the passphrase on paper and store it physically securely. Enable 2FA on the manager itself.
Financial accounts — banking, investment, payment services — use maximum-length random passwords and authenticator-based 2FA. Never use SMS for banking 2FA if an alternative is offered. Check whether your bank supports hardware security keys.
Work accounts are governed by your organisation's security policy, but you can still apply good practices: unique passwords per system, a hardware token if supported, and immediate reporting of any suspected compromise.
Social media matters more than people realise. A compromised social account can be used to scam your contacts, spread misinformation under your identity, or as a stepping stone to other accounts via OAuth login connections.
Low-value accounts (newsletters, forums, trial sign-ups) — let your password manager generate random passwords. If you do not care about the account being compromised, the main concern is that your email address not be used for spam or credential stuffing attacks against your more important accounts.
Responding to a Breach
When you receive a breach notification or discover your credentials in a breach database, act immediately. Change the password for the breached service first. Then — critically — identify every other service where you used the same password and change those too. This is exactly why password reuse is so damaging: one breach cascades into many. If you use a password manager with unique passwords everywhere, a breach affects only one account.
Check haveibeenpwned.com with your email address to see all known breaches where your credentials appeared. Subscribe to breach notifications on the site — you receive an email when your email address appears in a newly disclosed breach database.
After a breach, monitor the affected accounts for suspicious activity: unfamiliar login locations, password reset emails you did not request, changes to account recovery information. Enable login notifications where available so you are alerted to new device sign-ins.
Password Security for Developers
If you are building a system that handles user passwords, the choices you make have serious consequences for your users. These are non-negotiable best practices in 2026.
Never store plaintext passwords. Store only the hash output. If your database is breached and you stored plaintext, every user's password is immediately exposed. If you stored proper hashes, the attacker must crack each hash individually — a slow, expensive process that buys your users time to change their passwords.
Use a password-specific hashing algorithm. MD5 and SHA-256 are general-purpose cryptographic hash functions designed to be fast — bad for passwords. A GPU can compute billions of SHA-256 hashes per second, making brute-force attacks trivial. Use bcrypt, Argon2id, or scrypt. These are intentionally slow and memory-hard, designed to make brute-force attacks computationally expensive. Argon2id is the current NIST recommendation. Use the Hash Generator to understand what different algorithms produce.
Use a unique salt per password. Salting adds a random value to each password before hashing, ensuring that two users with identical passwords produce different hash values. This prevents rainbow table attacks and means the attacker must crack each hash individually rather than using precomputed tables. bcrypt and Argon2 handle salting automatically.
Set a work factor appropriate to your hardware. bcrypt's cost factor and Argon2's memory/time parameters should be set so that hashing takes approximately 100–300ms on your server hardware. As hardware gets faster, increase the work factor periodically. This means brute-force attacks remain expensive even as computing power improves.
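The three storage rules above (password-specific hash, unique salt per password, tunable and upgradable work factor) fit in a few dozen lines when the standard library does the heavy lifting. The following is an added example, not code from this guide, using `hashlib.scrypt` from Python's standard library with a self-describing `$scrypt$n=...,r=...,p=...$<salt>$<key>` string, constant-time comparison on verify, a `needs_rehash` check so old hashes are upgraded at the user's next login when you raise the cost, and a timing helper for calibrating the work factor against the 100 to 300 ms target. The parameters `n=2**14, r=8, p=1` are an assumed starting point (16 MiB of memory per hash), not a recommendation from the page; tune them on your own hardware.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed starting parameters; calibrate so one hash takes ~100-300 ms on your server.
# scrypt memory use is about 128 * n * r bytes: 16 MiB with these values.
SCRYPT_N = 2 ** 14   # CPU/memory cost, must be a power of two
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Hash with a fresh random salt; identical passwords yield different strings.
    The parameters are stored alongside so verification survives future cost increases."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                         dklen=KEY_BYTES, maxmem=2 * 128 * n * r)
    return f"$scrypt$n={n},r={r},p={p}${_b64(salt)}${_b64(key)}"


def _parse(stored: str):
    """Split the stored string back into (n, r, p, salt, key)."""
    _, algo, params, salt_b64, key_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    kv = dict(item.split("=") for item in params.split(","))
    return (int(kv["n"]), int(kv["r"]), int(kv["p"]),
            base64.b64decode(salt_b64), base64.b64decode(key_b64))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    n, r, p, salt, expected = _parse(stored)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected), maxmem=2 * 128 * n * r)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, current_n: int = SCRYPT_N) -> bool:
    """True when the stored hash used a lower cost than current policy: rehash the
    plaintext the user just presented at their next successful login."""
    n, _, _, _, _ = _parse(stored)
    return n < current_n


def measure_hash_ms(n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> float:
    """Time one hash at the given parameters to calibrate the work factor."""
    start = time.perf_counter()
    hash_password("calibration-sample", n=n, r=r, p=p)
    return (time.perf_counter() - start) * 1000


if __name__ == "__main__":
    stored = hash_password("correct-horse-battery-staple")
    print(stored)
    print("verify correct :", verify_password("correct-horse-battery-staple", stored))
    print("verify wrong   :", verify_password("incorrect-horse", stored))
    print("needs rehash   :", needs_rehash(stored, 2 ** 15))
    print(f"one hash takes {measure_hash_ms():.0f} ms at n={SCRYPT_N}")
```

Raising the cost later is a two-step process: bump `SCRYPT_N` in policy, then on each successful login call `needs_rehash` and, when it returns true, store `hash_password(presented_password)` so the vault upgrades itself without a forced reset. bcrypt and Argon2 libraries expose the same pattern under names like `needs_rehash` or `checkneedsrehash`.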
Check against breached password databases. At registration and password change, check the candidate password against the HaveIBeenPwned Passwords API using the k-Anonymity model. Only the first 5 characters of the SHA-1 hash are sent — your server never transmits the actual password. Reject passwords that appear in breach databases regardless of their apparent complexity.
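The k-anonymity lookup is simple enough to implement directly, and doing so shows why the server never leaks the password: only the first five hex characters of the SHA-1 digest leave the machine, and the 35-character suffix is matched locally against the returned range. The following is an added example, not code from this guide; it implements the prefix/suffix split, parses the `<suffix>:<count>` response lines (dropping the count-0 padding rows HIBP returns when the `Add-Padding: true` header is sent), and wraps it in the registration policy described here (minimum length 12, then breach check). `fetch_range_live` makes the real network call; the `FAKE_RANGE_BODY` fixture, its counts, and the `Summer2024!!` sample are constructed so the example runs offline.

```python
import hashlib
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
MIN_LENGTH = 12


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse '<35-hex-suffix>:<count>' lines into {suffix: count}.
    Count-0 lines are padding (returned when Add-Padding is requested) and are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breaches, matching the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the HIBP range endpoint (network; not used by the offline sample)."""
    import urllib.request
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "example-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def validate_new_password(password: str,
                          fetch_range: Callable[[str], str] = fetch_range_live) -> tuple:
    """Registration / password-change policy: length first, then breach check.
    Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    hits = breach_count(password, fetch_range)
    if hits:
        return False, f"appears {hits} times in known breaches"
    return True, "ok"


# --- Constructed offline fixture standing in for an HIBP range response ---------
BREACHED_SAMPLE = "Summer2024!!"   # 12 chars: passes the length rule, fails the breach check
_, _breached_suffix = sha1_prefix_suffix(BREACHED_SAMPLE)
_, _password_suffix = sha1_prefix_suffix("password")
FAKE_RANGE_BODY = "\r\n".join([
    "0" * 34 + "1:0",                 # padding row, count 0, must be ignored
    f"{_password_suffix}:1234567",    # constructed count for 'password'
    f"{_breached_suffix}:42",         # constructed count for the sample
    "0" * 34 + "2:3",                 # unrelated constructed entry
])


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; returns the constructed body for any prefix."""
    return FAKE_RANGE_BODY


if __name__ == "__main__":
    print("prefix sent for 'password':", sha1_prefix_suffix("password")[0])
    print("breach count:", breach_count("password", fake_fetch_range))
    for candidate in ("short", BREACHED_SAMPLE, "glacier-orbit-pickle-lantern"):
        print(candidate, "->", validate_new_password(candidate, fake_fetch_range))
```

Two operational notes: keep the lookup out of the login path (check at registration and password change only, as the guide says) so an HIBP outage never blocks sign-in, and treat a network failure as "unknown" rather than "breached" so users are not locked out by a timeout.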
Frequently Asked Questions
How often should I change my passwords?
NIST's current guidelines say do not change passwords on a fixed schedule unless you have reason to believe a password has been compromised. Mandatory 90-day rotation was standard advice for a decade and actively made security worse — users responded with predictable incremental changes (Password1!, Password2!) that provide no real protection. Change a password immediately if: you received a breach notification, you suspect unauthorised access, or you shared a password temporarily and need to revoke access.
Is a long simple password better than a short complex one?
Yes, significantly. Password strength is measured in entropy — the number of possible combinations. A 20-character lowercase-only random password has 26²⁰ ≈ 19 septillion combinations. A 10-character password with all character types has 94¹⁰ ≈ 54 quadrillion combinations. The longer password has over 350,000× more combinations despite using a smaller character set. Length beats complexity.
Can I write my passwords down?
Writing down your master passphrase for a password manager — on paper, stored physically securely — is a reasonable backup strategy. It is far safer than reusing passwords or using weak passwords. Physical security of that paper matters: a locked drawer, a safe, or a safe deposit box. Never photograph it or store it digitally. What you should avoid is writing down individual site passwords on sticky notes near your computer or in a plaintext file on your desktop.
Are password managers safe if the company gets hacked?
A zero-knowledge password manager with proper implementation remains safe even if the company is breached — the attacker gets only encrypted blobs. The key word is zero-knowledge: your passwords are encrypted locally using a key derived from your master password before reaching their servers. Without your master password, the encrypted data is useless. LastPass's 2022 breach is instructive: attackers obtained encrypted vault data, but users with strong master passwords remain protected. Users with weak master passwords are at risk — which underlines why the master password must be genuinely strong.