Most of us learned password rules a decade ago: add a capital, a number, a symbol, change it every 90 days. Much of that advice is now outdated — and some of it actively makes passwords worse. Here's what actually protects you in 2026.
Length beats complexity
The single most important factor is length. Each extra character multiplies the number of possible combinations an attacker must try. A long, simple passphrase like correct-horse-battery-staple is far harder to crack than a short, "complex" password like P@ss1! — and much easier to remember. (That particular passphrase is a famous published example, so it is now on every guessing list; pick your own words.) Aim for at least 12–16 characters, and longer for important accounts.
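To make the "length beats complexity" claim concrete, here is a small worked calculation added to this article (not code from the original page). It measures passwords by their entropy in bits, log2 of the number of equally likely candidates, and compares the short "complex" password, the four-word passphrase and a 16-character random string from the text. The alphabet size (95 printable ASCII characters), the word-list size (7776, the size of the common Diceware list) and the guess rate passed to `seconds_to_exhaust` are assumptions for the illustration, not figures from the article.

```python
import math

# Assumed sizes for the illustration: 95 printable ASCII characters,
# and a 7776-word list (the size of the standard Diceware list).
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776


def char_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of `length` characters drawn uniformly from an alphabet
    of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of `words` words drawn uniformly (with replacement)
    from a dictionary of `dictionary_size` words."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate
    (an attacker succeeds after half of them on average)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # The three passwords discussed in the article. "P@ss1!" is 6 characters
    # from the full printable alphabet; the passphrase is 4 dictionary words;
    # the third is what a password manager would typically generate.
    cases = {
        "P@ss1! (6 random printable chars)": char_entropy_bits(6),
        "correct-horse-battery-staple (4 words)": passphrase_entropy_bits(4),
        "16 random printable chars": char_entropy_bits(16),
    }
    rate = 1e10  # assumed offline guess rate, guesses per second
    for label, bits in cases.items():
        print(f"{label:42s} {bits:6.1f} bits  "
              f"{seconds_to_exhaust(bits, rate):.3g} s to exhaust at {rate:.0e}/s")
```

Every extra character adds the same number of bits, so the keyspace grows exponentially with length, while adding a symbol to a short password only nudges the alphabet size and the exponent stays small.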
Why "complex" rules backfire
Forcing symbols and frequent changes pushes people toward predictable patterns: Password1!, then Password2!. Attackers know these patterns. Modern guidance (including from NIST) now favours long passphrases and dropping forced periodic resets unless there's a breach.
The rules that actually matter
- Make it long — a passphrase of several random words works well.
- Make it unique — never reuse a password across sites. One breach shouldn't unlock everything.
- Make it random — avoid names, birthdays, pet names and common words an attacker could guess or find on your social media.
- Turn on two-factor authentication (2FA) — even a perfect password can leak, and 2FA stops a stolen one from being enough.
You can't remember dozens of these — so don't
The honest truth is that no one can memorise a unique 16-character password for 100 accounts. The realistic answer is a password manager: it generates and stores strong, unique passwords, and you remember just one master passphrase.
Generate a strong one now
Need a strong password this second? Our free password generator creates random, hard-to-crack passwords right in your browser — nothing is sent anywhere — with control over length and character types.
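The generator described above runs in the browser; as an added illustration (not the site's own generator code), here is the same idea in Python: random passwords with a chosen length and character classes, and random word passphrases. The important design point is that both draw from the operating system's cryptographic random source through the `secrets` module, never from the `random` module, whose output is predictable from its seed. `SAMPLE_WORDS` is a constructed eight-word list for the example only; a real generator would use a published list of thousands of words.

```python
import secrets
import string

# Constructed word list for the example. Eight words give only 3 bits per
# word; a real passphrase generator needs a list of thousands of words.
SAMPLE_WORDS = ["orbit", "velvet", "cactus", "lantern",
                "marble", "pepper", "summit", "walnut"]


def allowed_characters(*, symbols: bool = True, digits: bool = True) -> str:
    """Character set for generate_password, built from the user's choices."""
    alphabet = string.ascii_letters
    if digits:
        alphabet += string.digits
    if symbols:
        alphabet += string.punctuation
    return alphabet


def generate_password(length: int = 16, *, symbols: bool = True, digits: bool = True) -> str:
    """Random password of `length` characters from the chosen classes.

    secrets.choice picks each character uniformly from the OS CSPRNG, so the
    result carries the full log2(len(alphabet)) bits per character and has no
    modulo bias (unlike `rand() % n` style selection)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    alphabet = allowed_characters(symbols=symbols, digits=digits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=SAMPLE_WORDS, separator: str = "-") -> str:
    """Passphrase of `words` words chosen independently (with replacement) and
    uniformly from `wordlist`, joined by `separator`."""
    if words < 1:
        raise ValueError("words must be at least 1")
    if not wordlist:
        raise ValueError("wordlist must not be empty")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_password(12, symbols=False))
    print(generate_passphrase(4))
```

Choosing with replacement (the same word may appear twice) keeps every draw independent, which is what makes the entropy calculation straightforward: each word contributes log2(len(wordlist)) bits regardless of the words before it.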