What Makes a Strong Password

Guide · Updated

A strong password is one that is hard to guess and hard to crack by brute force, and the single biggest factor is length, not a tangle of special characters. Modern guidance from NIST (SP 800-63B) favors long passphrases, advises against forced periodic resets, and recommends checking passwords against lists of known breached credentials. A password manager that generates a long random password per account is the most practical way to meet these goals.

Why length matters more than complexity

The strength of a password against guessing attacks is usually described in terms of entropy, measured in bits. Entropy depends on two things: how many possible characters could appear in each position (the character set) and how many positions there are (the length). Every additional character multiplies the number of possible passwords, so length compounds strength faster than almost anything else you can do.

Complexity rules, by contrast, often add far less than people expect. Forcing one uppercase letter, one digit, and one symbol does increase the theoretical character set, but humans satisfy those rules in predictable ways: capitalizing the first letter, putting a number at the end, swapping 'a' for '@'. Attackers know these patterns and bake them into their cracking tools, so a short 'complex' password like P@ssw0rd1 is weak despite ticking every box.

Crucially, this entropy math only holds when the password is actually random. A long password built from a common phrase, a quote, or your dog's name plus a birthday has far less real entropy than its length suggests, because attackers guess words and patterns, not blind character combinations. Length is powerful specifically when the characters or words are chosen unpredictably.

Passphrases: long, memorable, and strong

A passphrase is a password made of several random words, such as four to six words chosen at random from a large list. This 'diceware'-style approach (which selects words using dice rolls or another random method) produces credentials that are both long and genuinely random, which is the combination that matters. A six-word passphrase can exceed 75 bits of entropy while still being something a human can read and type.

The key word is random. 'correct horse battery staple' is strong because the words were selected unpredictably from a large dictionary; 'I love my dog so much' is weak because it is a common, guessable phrase. Use a method that picks words by chance rather than composing a sentence yourself.

NIST SP 800-63B explicitly supports this style of secret. It states that verifiers SHOULD permit memorized secrets at least 64 characters in length, and that all printing ASCII characters and the space character SHOULD be acceptable, with Unicode accepted as well. That means systems are expected to allow long passphrases with spaces rather than capping you at a short, awkward limit.

What the current NIST guidance actually says

NIST Special Publication 800-63B sets the U.S. federal baseline for digital identity and password (memorized secret) handling, and its modern recommendations overturn several long-standing habits that quietly made security worse.

Forced periodic resets are discouraged: the guideline says verifiers SHOULD NOT require memorized secrets to be changed arbitrarily, for example on a fixed schedule. Mandatory monthly or quarterly changes tend to push people toward minor, predictable variations (Spring2024, Summer2024), which helps attackers more than it helps you. Passwords should be changed when there is evidence of compromise, not on a calendar.

NIST also advises against imposing composition rules such as requiring mixtures of character types, and instead emphasizes length and screening. When a password is set or changed, verifiers SHALL compare it against a list of values known to be commonly used, expected, or compromised, including passwords from previous breach corpuses. In short: allow long passphrases, stop forcing arbitrary resets and arbitrary symbol rules, and block passwords already known to be exposed.
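As an added example (not code from the page or from NIST), the Python screen below applies the verifier-side checks just described to a constructed breach corpus, and undoes the predictable substitutions mentioned earlier (P@ssw0rd1, Spring2024) before comparing. The 8-character minimum is SP 800-63B's rule for user-chosen secrets; the 128-character cap is an assumed site policy that satisfies the "at least 64" guidance.

```python
import hashlib
import re
import unicodedata

# Constructed breach corpus for this example. Real screening uses a corpus of
# hundreds of millions of entries and compares hashes rather than plaintext.
_CORPUS = ["password", "password1", "qwerty", "letmein", "spring2024", "iloveyou"]

# Substitutions people make to satisfy composition rules; cracking rule sets
# undo them, so the screen undoes them too before comparing.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8     # SP 800-63B: user-chosen secrets SHALL be at least 8 characters
MAX_LENGTH = 128   # assumed site cap; 800-63B says permit at least 64

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def canonical(secret):
    """Collapse case, trailing digits/symbols and leetspeak: 'P@ssw0rd1' -> 'password'."""
    s = unicodedata.normalize("NFKC", secret).lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # drop a trailing '1', '!', '2024', ...
    return s.translate(LEET)

EXACT_HASHES = {sha1_hex(p) for p in _CORPUS}
VARIANT_HASHES = {sha1_hex(canonical(p)) for p in _CORPUS}

def screen_memorized_secret(secret):
    """Return (accepted, reason) for a user-chosen secret; no composition rules applied."""
    # Each Unicode code point counts as one character; spaces and symbols are allowed.
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"
    normalized = unicodedata.normalize("NFKC", secret)
    if sha1_hex(normalized) in EXACT_HASHES:
        return False, "appears in breach corpus"
    if sha1_hex(canonical(secret)) in VARIANT_HASHES:
        return False, "predictable variant of a breached password"
    return True, "ok"
```

A rejected secret should get a plain message asking for a different one; the reason strings here are for the verifier's own logging, not the user.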

Password length vs approximate strength

The table below gives illustrative, approximate entropy figures so you can compare strategies. Values assume each character or word is chosen randomly and independently; real-world reused or pattern-based passwords are much weaker than these numbers imply. Entropy is computed as length multiplied by log2 of the set size: about 4.7 bits per random lowercase letter, about 6.6 bits per random character from the ~94 printable ASCII symbols, and about 12.9 bits per word from a ~7,776-word passphrase list. As a rough guide, under roughly 50 bits is weak, the 70s are reasonable, and 100+ bits is strong for most threats.

Treat these as order-of-magnitude comparisons, not guarantees. The headline takeaways: a 16-character random password and a five-to-six word random passphrase both land in genuinely strong territory, while short passwords stay weak no matter how many symbol rules they satisfy.

Password type            | Length   | Approx. entropy (bits) | Rough strength
Random lowercase letters | 8 chars  | ~38                    | Weak
Random printable ASCII   | 8 chars  | ~52                    | Weak / borderline
Random printable ASCII   | 12 chars | ~79                    | Reasonable
Random printable ASCII   | 16 chars | ~105                   | Strong
Random printable ASCII   | 20 chars | ~131                   | Very strong
Random word passphrase   | 4 words  | ~52                    | Weak / borderline
Random word passphrase   | 6 words  | ~78                    | Reasonable / strong
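As an added example, not code from the page, the Python script below serves both the passphrase section and the table: it generates words the diceware way (five dice rolls per word, using the secrets module rather than random) and reproduces the table's figures from the formula length × log2(set size). The eight-word list is a constructed stand-in for a real 7,776-word list.

```python
import math
import secrets

# Set sizes behind the table: 94 printable ASCII symbols (space excluded) and
# a standard 6^5 = 7,776-word diceware list; lowercase letters are simply 26.
PRINTABLE_ASCII = "".join(chr(c) for c in range(33, 127))
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in word list so the script runs offline. A real list has
# DICEWARE_LIST_SIZE entries, one per five-dice outcome.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anchor", "velvet", "orbit", "pencil"]

# Rough bands from the article: under 50 weak, 70s reasonable, 100+ strong.
BANDS = [(50, "Weak"), (70, "Weak / borderline"), (100, "Reasonable"), (128, "Strong")]

def entropy_bits(length, set_size):
    """Bits of entropy for `length` independent uniform picks from `set_size` options."""
    return length * math.log2(set_size)

def strength_label(bits):
    for limit, label in BANDS:
        if bits < limit:
            return label
    return "Very strong"

def table_row(kind, length, set_size):
    bits = entropy_bits(length, set_size)
    return (kind, length, round(bits), strength_label(bits))

def roll_dice(n=5):
    """Roll n dice with the OS CSPRNG; the `random` module is not suitable for secrets."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))

def diceware_index(rolls):
    """Map five rolls of 1..6 to a word-list index 0..7775 (read as base-6 digits)."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index

def random_password(length, alphabet=PRINTABLE_ASCII):
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))
```

With a full list, index it as wordlist[diceware_index(roll_dice())] for each word; the entropy per word is then log2(7776), about 12.9 bits, regardless of how short the words are.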

What to avoid, and the practical setup

Avoid the predictable. Do not reuse the same password across sites, because one breach then unlocks many accounts (credential stuffing). Avoid dictionary words on their own, names, birthdays, sports teams, keyboard walks like qwerty or 12345, and the leetspeak substitutions attackers already expect. Never use a password that has appeared in a known breach, even if it looks complex.

The realistic way to follow every recommendation at once is a password manager. It generates a long, fully random, unique password for each account and stores it encrypted behind one strong master passphrase, so you only have to remember one secret. This eliminates reuse, removes the temptation to pick something memorable-but-guessable, and lets you use the full length sites allow. Pair it with multi-factor authentication wherever offered, so a stolen password alone is not enough.

If you want to generate strong credentials right now, the password generator on this site produces long random passwords you can tune for length and character set. The UUID generator creates random, collision-resistant identifiers useful for tokens and keys, and the hash generator lets you compute checksums to verify data integrity. Use the password generator for the accounts themselves, and let your password manager remember the results.

Frequently asked questions

How long should a password be?

Aim for at least 12 characters for a random password, and 16 or more for important accounts. NIST guidance expects systems to allow at least 64 characters, so longer passphrases are encouraged. For random word passphrases, five to six words gives strong protection while staying memorable.

Is length or complexity more important?

Length matters more. Adding characters multiplies the number of possible passwords far faster than adding symbol rules, and humans satisfy complexity rules in predictable ways that attackers anticipate. A long random password or passphrase beats a short 'complex' one. Complexity only helps when the characters are chosen randomly, not from a guessable pattern.

Does NIST still recommend changing passwords every 90 days?

No. NIST SP 800-63B states that verifiers should not require memorized secrets to be changed arbitrarily, such as on a fixed schedule. Forced periodic resets tend to produce weak, predictable variations. You should change a password when there is evidence it has been compromised, not on a timer.

Are passphrases actually secure?

Yes, when the words are chosen randomly from a large list. A passphrase of six random words can exceed 75 bits of entropy, making it strong while remaining easy to remember and type. The catch is randomness: a self-written sentence or a famous quote is far weaker than randomly selected words, because attackers guess common phrases.

Should I use a password manager?

For most people, yes. A password manager generates a unique, long, random password for every account and stores them encrypted behind a single strong master passphrase. This prevents reuse, defeats credential-stuffing attacks, and lets you use the maximum length each site allows without having to memorize anything beyond your master secret.

How do I know if my password has been breached?

NIST recommends that services screen new passwords against lists of commonly used or previously breached credentials at the time you set them. As a user, you can also check whether your existing passwords appear in known breaches using reputable breach-notification services, and many password managers flag exposed or reused passwords for you automatically.
