🔑 How to Create Strong Passwords: The 2026 Guide Based on NIST Standards

📅 2026-05-23 ⏱️ 4 min read 🏷️ Security

NIST Special Publication 800-63B (Digital Identity Guidelines) fundamentally changed password best practices. The old rules — "8 characters, uppercase, lowercase, number, symbol, change every 90 days" — actually made passwords weaker. NIST's research found these rules lead to predictable patterns (Password1!, Summer2024!, letmein!1) that attackers easily crack. Here's the modern approach.

What NIST Actually Recommends (2024 Revision)

The key changes in NIST SP 800-63B (the standard that US federal agencies follow and most enterprises benchmark against):

  • Length over complexity: Minimum 8 characters for user-chosen passwords, 6 for randomly generated. No maximum length (within reason — don't send a novel as a password). No composition rules — no required uppercase, numbers, or special characters. A 16-character all-lowercase random password is stronger than any 8-character complex password.
  • No forced periodic changes: Don't require password changes every 30/60/90 days. Research shows forced changes lead to weaker passwords (users make minimal, predictable modifications: password1 → password2). Only force a change when there's evidence of compromise.
  • Check against breach databases: Verify new passwords haven't appeared in known data breaches. Services like "Have I Been Pwned" maintain databases of hundreds of millions of compromised passwords. If a user tries to set "password123" or "monkey" — both in the top 10 most-breached passwords every year — reject it.
  • Support password managers: Allow paste functionality (don't disable Ctrl+V in password fields — this was always security theater). Support very long passwords and all printable ASCII characters including spaces.

Method 1: Password Manager (The Single Best Thing You Can Do)

A password manager generates, stores, and auto-fills unique 20+ character random passwords for every account. You memorize one strong master password; the manager handles everything else. Three solid options:

  • Bitwarden: Free, open-source, audited by Cure53 (independent security firm). Unlimited devices on free tier. Premium ($10/year) adds advanced 2FA and emergency access. Self-hosting option available.
  • 1Password: Polished UX, travel mode (removes sensitive vaults when crossing borders), Watchtower breach monitoring. $2.99/month. Widely considered the best UX in the category.
  • Apple Passwords / iCloud Keychain: Built into iOS 18+/macOS Sequoia+. Free for Apple users. Now a standalone app with shared family passwords, verification codes (TOTP), and breach monitoring. Good enough for most users in the Apple ecosystem.

Method 2: The Passphrase Method (When You Can't Use a Manager)

For passwords you must memorize (master password, computer login, encryption key): use 4-7 randomly chosen words separated by spaces or hyphens. "correct horse battery staple" (the famous xkcd #936 example) is the model. Here's the math: pick from a 7,776-word list (the EFF's published Diceware wordlist), 4 random words = log₂(7776⁴) = 51.7 bits of entropy. At 10 billion guesses/second (a well-resourced attacker with specialized hardware), cracking time = 2^51.7 / (10×10⁹) / 2 ≈ 10³ years (average). Add 2 more words = 77.5 bits = effectively uncrackable. The key: the words must be TRULY random — not a song lyric, movie quote, or family names. Use dice or a random word generator.

Method 3: Random Password Generator (Maximum Entropy)

For accounts stored in a password manager, use the manager's built-in password generator to create 16-32 character random passwords with mixed character sets. These have 95+ bits of entropy and are not memorable — by design. A 20-character password from a 70-character set has log₂(70²⁰) ≈ 122 bits of entropy. At current computing speeds, that's effectively impossible to brute-force.
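The entropy arithmetic from Method 2 and Method 3 (and the length-over-complexity comparison from the NIST section), carried through in code as an added example that is not from the article: it generates passphrases and random passwords with the CSPRNG and computes their entropy in bits and the average-case guessing time from the article's formula. The 12-word `SAMPLE_WORDS` list is a constructed stand-in for the 7,776-word EFF list, and `ALPHABET_70` is a constructed 70-character set chosen to match the article's figure.

```python
import math
import secrets
import string

EFF_LONG_LIST_SIZE = 7776  # size of the EFF long Diceware wordlist

# Constructed stand-in for a Diceware wordlist; a real deployment loads all 7,776 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "glacier",
                "velvet", "quantum", "lantern", "marble", "pepper", "tundra"]

# Constructed 70-character set (52 letters, 10 digits, 8 symbols).
ALPHABET_70 = string.ascii_letters + string.digits + "!@#$%^&*"

def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the right guess: half of the 2**bits keyspace at the given rate."""
    return 2 ** bits / guesses_per_second / 2

def diceware_passphrase(words, count: int = 6, sep: str = " ") -> str:
    """Pick `count` words uniformly with the CSPRNG (secrets, never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(count))

def random_password(length: int = 20, alphabet: str = ALPHABET_70) -> str:
    """Password-manager style random password drawn from a fixed character set."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print(f"4 words / 7776: {entropy_bits(EFF_LONG_LIST_SIZE, 4):.1f} bits")
    print(f"6 words / 7776: {entropy_bits(EFF_LONG_LIST_SIZE, 6):.1f} bits")
    print(f"20 chars / 70:  {entropy_bits(len(ALPHABET_70), 20):.1f} bits")
    print(f"16 lowercase:   {entropy_bits(26, 16):.1f} bits vs "
          f"8 complex (95-char set): {entropy_bits(95, 8):.1f} bits")
    print(f"avg seconds at 1e10 guesses/s, 4 words: "
          f"{expected_crack_seconds(entropy_bits(EFF_LONG_LIST_SIZE, 4), 1e10):.3g}")
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 4))
    print("sample password:  ", random_password())
```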

Two-Factor Authentication: The Critical Second Layer

Even a perfect password can be stolen — phishing, data breaches, keyloggers. 2FA means even with your password, an attacker can't log in without the second factor. Ranked by security:

  • 🥇 Security key (FIDO2/WebAuthn): A hardware key (YubiKey, Google Titan) or a platform passkey (such as Apple passkeys). Phishing-resistant by design — the credential is bound to the site's origin, so it will not authenticate to a look-alike domain. Google's internal deployment of security keys eliminated successful phishing of 85,000+ employees (a published case study from 2017, confirmed in subsequent years).
  • 🥈 Authenticator app (TOTP): Time-based one-time passwords from Google Authenticator, Authy, or built-in password manager TOTP. Better than SMS (not vulnerable to SIM swapping). The code changes every 30 seconds.
  • 🥉 SMS / Email codes: Better than no 2FA, but vulnerable to SIM swapping (SMS) and email account compromise. Upgrade to an authenticator app as soon as practical.

Enable 2FA on: email (especially — it's the master key to password resets for all your other accounts), banking, social media, domain registrar, code hosting (GitHub/GitLab), and any service storing payment information. Authy or your password manager's built-in TOTP feature makes managing 2FA codes straightforward.

Check If You've Already Been Compromised

Visit haveibeenpwned.com (run by security researcher Troy Hunt). Enter your email address. The site checks it against a database of 12+ billion compromised accounts from known data breaches. If your email appears in any breach, change the password for that account AND any account where you reused that password. Enable 2FA immediately. This is free, private, and should be part of your annual security hygiene routine.
