Security · 8 min read

Password Generation Best Practices in 2026

Everything the old password guidance got wrong, what actually makes a password hard to crack, and why passkeys are starting to replace passwords entirely.

By Syed Husnain Haider Bukhari · Updated

Almost every piece of password advice you grew up with is wrong. "Change your password every 90 days." "Use at least one uppercase letter, one number, and one special character." "Don't write your passwords down." Modern guidance from NIST and security researchers contradicts all three. Forced rotation produces weaker passwords, complexity requirements push users to predictable patterns, and writing passwords down in a secure place is fine — what's catastrophic is reusing the same password across sites.

This guide covers what makes a password actually strong in 2026, why length beats complexity, when passphrases are the right call, and how passkeys are finally starting to make the whole conversation obsolete.

Entropy is the only thing that matters

Password strength comes down to entropy: the base-2 logarithm of the number of equally likely candidates an attacker has to search. Each extra bit doubles the work, and a brute-force attacker expects to try half the space before hitting yours. A 4-digit PIN has about 13 bits of entropy (10,000 possibilities). A 12-character password chosen uniformly at random from the 95 printable ASCII characters has about 79 bits; two more characters from the same alphabet bring it to about 92. Either is far beyond brute-force reach on current hardware, so the extra bits are margin rather than a requirement.

These figures assume the password was generated at random. A human-chosen password of the same length and alphabet has far less entropy, because people pick words, dates and keyboard patterns, and crackers try those first.

Length matters more than alphabet size. A random 20-character lowercase-only password has about 94 bits of entropy, stronger than a 12-character password that uses every symbol on the keyboard, and far easier to type.

Random strings vs passphrases

A truly random 16-character string drawn from letters, digits and symbols has about 105 bits of entropy, far beyond brute force. The downside: you cannot remember it. It will live in a password manager, and if you ever have to type it manually (on a TV login screen, for example), you'll suffer.

Passphrases, strings of four to seven random common words separated by spaces or hyphens, give you roughly 50 to 90 bits of entropy (from a 7,776-word list) in a 20 to 35 character string you can actually memorize, provided the words are drawn at random from the list rather than chosen by you. "correct horse battery staple" (the famous XKCD example) has about 44 bits from a 2,048-word dictionary. The caveat: 44 bits is plenty against a rate-limited login form or a slow hash such as Argon2 or bcrypt (XKCD assumed 1,000 guesses per second), but it falls in seconds to an offline attack on a fast, unsalted hash. For anything that might be attacked offline, take five or six words from a large list; the EFF long list has 7,776 words, about 12.9 bits each, so six words is about 77 bits. Use a passphrase for accounts you log into without your password manager. And never use the XKCD phrase itself: it is in every cracking wordlist.

Why complexity rules backfire

When sites require "one uppercase, one number, one special character," users overwhelmingly respond with predictable patterns: capitalize the first letter, append a year, swap an `a` for `@`. Cracking tools have encoded these transformations as rules for over a decade, so they are applied automatically to every dictionary word. `Password1!` satisfies every complexity rule and appears in every common-password list.

The current revision of NIST Special Publication 800-63B says verifiers should not impose composition rules or periodic changes. Instead it sets a length minimum (at least 8 characters, with 15 recommended), requires that passwords of at least 64 characters be accepted, and requires checking candidates against a blocklist of known-compromised and commonly used passwords. Many services now follow this guidance: long passwords with any printable character, no composition rules, and rejection of strings that show up in breach corpora.

Forced rotation is worse than no rotation

Mandatory periodic password changes were policy for decades. Research found it makes things worse: users compelled to change passwords every 90 days pick patterns they can iterate (`Spring2025!`, `Summer2025!`), and crackers model exactly those increments. NIST SP 800-63B now tells verifiers not to require periodic changes at all.

The correct rule is to rotate only when there's a reason — a known breach affecting that specific account, suspicion of compromise, or an actual compromise. Otherwise leave the long, unique, never-reused password in place.

The one rule that actually matters

Use a unique password for every site. This is the single most important password rule, full stop. Breaches happen. When a site you used five years ago leaks its password database, you don't want that password to also unlock your bank, email, and cloud storage.

Uniqueness is impossible to maintain without a password manager. 1Password, Bitwarden, KeePassXC, the browser-built-in managers — pick one, trust it with everything, and stop trying to remember individual passwords.

Two-factor authentication: still essential

Even a strong password leaks eventually, through phishing, malware, or a database breach. A second factor stops the attacker who has only the password. The hierarchy of 2FA quality: hardware security keys (YubiKey, Titan) > device-bound passkeys > authenticator-app TOTP codes > SMS codes (avoid when possible; SIM swaps and SMS interception are real attacks). Only the first two resist phishing: a TOTP code, like a password, can be relayed through a real-time phishing proxy before it expires.

Always enable 2FA on your email account first. Email reset flows are how most account takeovers happen; protect the root.

Passkeys: making passwords obsolete

Passkeys are public-key credentials stored on your device (or synced through your platform's credential manager). At registration the device generates a key pair scoped to the site, and the site keeps only the public key. When you sign in, the site sends a fresh challenge and the device signs it together with the origin the browser is actually on; the private key never leaves the device. That makes passkeys phishing-resistant: a lookalike domain cannot request the credential, and a signature produced on the wrong origin fails verification. A breach of the site's credential store yields only public keys, which cannot be used to log in.

Adoption is finally accelerating. Google, Apple, Microsoft, GitHub, Amazon, and dozens of major services now support passkeys. If a service offers them, use them. They're stronger and easier than any password.

A practical checklist

  • Use a password manager. All passwords inside it should be 16+ characters, randomly generated, and unique per site.
  • For passwords you must type manually, use a 5–7 word random passphrase.
  • Enable 2FA everywhere it's offered. Prefer hardware keys and authenticator apps over SMS.
  • Use passkeys instead of passwords wherever supported.
  • Stop rotating passwords on a schedule. Rotate only on suspected compromise.
  • Check your accounts against haveibeenpwned.com. Rotate any password that appears in a breach.

Wrapping up

The old password rules optimized for a threat model that no longer exists. The modern recipe is simpler: very long unique random passwords stored in a manager, second factors on every account, and passkeys whenever a service supports them.

Need a strong password right now? Our free password generator produces cryptographically random passwords of any length, with character class controls and built-in passphrase mode. It runs entirely in your browser and never logs what it generates.