Security | 10 min read

Password Strength Guide 2026

Practical password strength guide for 2026. Entropy, GPU crack times, NIST recommendations, passphrases vs passwords.

Shahid Reza

Founder, ToolmetryAI

Password advice from a decade ago no longer holds. "Use 8 characters with a number and a symbol" was reasonable guidance in 2012 — in 2026, that same password can be cracked by an off-the-shelf GPU rig in under 8 hours. This guide explains how password strength actually works in 2026, what entropy means in practice, and how to choose passwords that hold up against modern hardware without making you miserable.

What Makes a Password Strong?

Password strength is measured in bits of entropy — a single number that captures how many guesses an attacker would need, on average, to find your password by brute force. Every bit of entropy doubles the search space. A password with 40 bits of entropy has roughly 1 trillion possible combinations; 60 bits has 1 quintillion; 80 bits has 1 septillion.

Entropy is calculated as: log2(poolSize) * length. The pool size is the number of different characters your password could contain. Lowercase letters = 26. All printable ASCII (uppercase + lowercase + digits + symbols + space) = 95. A 16-character password drawn uniformly from all 95 printable ASCII characters has log2(95) * 16, which is approximately 105 bits of entropy.

Why entropy matters more than "complexity rules": entropy captures true randomness. A password like P@ssw0rd123! satisfies most complexity policies but has less than 30 bits of entropy because attackers know to try these patterns first. A password like 7xKmPq!vN2bRwL9j has the same length and character types but approximately 105 bits of entropy because it's actually random.

Crack Times Against Modern Hardware (2026)

Crack time depends on three things: entropy, attack speed, and whether the attacker has the hashed password (offline attack) or is guessing against a live login form (online attack). Modern hardware numbers as of 2026:

Hardware                   Hashes/second (SHA-256)   Hashes/second (bcrypt, cost 12)
Single RTX 4090 GPU        ~5 billion                ~50,000
8x RTX 4090 rig            ~40 billion               ~400,000
Cloud cluster (100 GPUs)   ~500 billion              ~5 million

Using those numbers against different entropy levels (assuming bcrypt with cost 12, which is what well-configured modern services use):

Entropy    Example                        Crack Time (Single GPU)   Crack Time (100 GPU cluster)
40 bits    8-char lowercase random        5 hours                   3 minutes
56 bits    8-char full ASCII random       15 years                  55 days
64 bits    10-char passphrase (4 words)   9,000 years               90 years
80 bits    12-char full ASCII random      580 million years         5.8 million years
105 bits   16-char full ASCII random      ~10^21 years              ~10^19 years
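As an added worked example (not code from this page or from the ToolmetryAI generator), here is the entropy formula and the expected brute-force time at the bcrypt rates from the table above. The online rate-limited guess rate is an assumption for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates in hashes per second. The bcrypt (cost 12) figures come from the
# table above; the online rate is an assumed rate-limited login form.
GUESS_RATES = {
    "single RTX 4090 (bcrypt 12)": 50_000,
    "8x RTX 4090 rig (bcrypt 12)": 400_000,
    "100-GPU cloud cluster (bcrypt 12)": 5_000_000,
    "online login, rate-limited (assumed 10/s)": 10,
}

def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(poolSize) * length."""
    return math.log2(pool_size) * length

def passphrase_entropy_bits(words: int, wordlist_size: int = 7776) -> float:
    """Same formula with words as the symbols; the EFF long list has 7,776 words."""
    return math.log2(wordlist_size) * words

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average brute-force time: half the search space divided by the guess rate."""
    return (2 ** bits / 2) / guesses_per_second

def crack_time_years(bits: float, guesses_per_second: float) -> float:
    return expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR

def crack_time_table(bits: float) -> dict:
    """Years to crack a password of the given entropy at each rate in GUESS_RATES."""
    return {name: crack_time_years(bits, rate) for name, rate in GUESS_RATES.items()}

if __name__ == "__main__":
    samples = [("8-char lowercase", entropy_bits(26, 8)),
               ("4-word EFF passphrase", passphrase_entropy_bits(4)),
               ("16-char printable ASCII", entropy_bits(95, 16))]
    for label, bits in samples:
        print(f"{label}: {bits:.1f} bits")
        for attacker, years in crack_time_table(bits).items():
            print(f"  {attacker}: {years:,.3g} years")
```

Each extra bit doubles the result, so comparing two entropy levels at the same rate shows why the table's rows differ by orders of magnitude.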

Passwords vs Passphrases — When to Use Each

Passphrases are sequences of random words (e.g. correct-horse-battery-staple). They trade character complexity for length, which is mathematically equivalent but psychologically different. A 4-word passphrase from the EFF's 7,776-word list has log2(7776) * 4, which is approximately 51 bits of entropy — equivalent to an 8-character random password, but easier to remember and type.

Use a passphrase when: you must memorize it (master password, phone unlock), you type it daily (so length matters less than memorability), or you're sharing it verbally. Generate passphrases from a known word list — the EFF diceware list is the standard.

Use a random password when: a password manager stores and autofills it (no memorization needed), the password is for a service account or API key (no human types it), or you need maximum entropy per character (database encryption, disk encryption). For these cases, a 16-20 character random password with all character types is the right choice.
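As an added example (not the page's own generator), here is how both kinds of secret are generated from a cryptographically secure source and how to size them for a target entropy. The small word list is a constructed stand-in for the EFF diceware list, which is assumed to be loaded from a file in real use.

```python
import math
import secrets
import string

# The 95 printable ASCII characters: letters, digits, punctuation and the space.
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed stand-in for a diceware list. Use the real EFF list (7,776 words)
# in practice: the entropy per word depends entirely on the list size.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "acorn", "bridge",
                   "canvas", "dragon", "ember", "falcon", "glacier", "harbor"]

def random_password(length: int = 16, pool: str = PRINTABLE_ASCII) -> str:
    """Uniformly random password; secrets.choice uses the OS CSPRNG without modulo bias."""
    if length < 1 or len(pool) < 2:
        raise ValueError("need a positive length and a pool of at least 2 symbols")
    return "".join(secrets.choice(pool) for _ in range(length))

def random_passphrase(words: int = 6, wordlist=None, sep: str = "-") -> str:
    """Passphrase of independently chosen words; repeats are allowed (they keep it uniform)."""
    wordlist = wordlist or SAMPLE_WORDLIST
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def entropy_bits(choices: int, count: int) -> float:
    """log2(poolSize) * length, for characters or for words."""
    return math.log2(choices) * count

def symbols_for_target(bits: float, choices: int) -> int:
    """Smallest count of characters (or words) that reaches the target entropy."""
    return math.ceil(bits / math.log2(choices))

if __name__ == "__main__":
    pw = random_password(16)
    print(pw, f"{entropy_bits(len(PRINTABLE_ASCII), 16):.1f} bits")
    n = symbols_for_target(80, 7776)
    print(f"{n} EFF words for 80 bits; sample: {random_passphrase(n)}")
```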

NIST Guidelines (SP 800-63B) — What Changed

NIST Special Publication 800-63B (last revised in 2020, with ongoing interpretation updates) reversed several long-standing password practices. The key changes:

  • No mandatory periodic resets. Forced password changes lead to weaker passwords (users cycle through predictable variants). Change only on suspected compromise.
  • No complexity rules. Requiring "1 uppercase, 1 number, 1 symbol" doesn't increase entropy — it just creates predictable patterns. Length and randomness matter; composition rules don't.
  • Allow all ASCII characters including spaces. Don't restrict which characters users can use. Spaces in passwords are fine and add entropy.
  • Minimum 8 characters. NIST's floor. For higher-value accounts, 12+ is the practical minimum.
  • Check against breached password lists. Use a service like Have I Been Pwned to reject passwords that appear in known breach corpora.
  • Allow paste in password fields. Disable the "paste prevention" some sites add. Password managers need paste to work.

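As an added example (not from the page or from NIST), here is a signup-side check that follows the list above: a length floor, no composition rules, spaces allowed, and rejection of breached passwords via the Pwned Passwords k-anonymity lookup, where only the first five hex characters of the SHA-1 hash leave the client. The API body below is constructed so the example runs offline; the counts are made up, only the first suffix is the real SHA-1 of "password".

```python
import hashlib

# Constructed stand-in for the body returned by
# https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>.
# Each line is "<remaining 35 hex chars>:<breach count>". The first suffix is
# genuinely SHA-1("password") minus its prefix; the counts and the second line are made up.
CONSTRUCTED_RANGE_RESPONSE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
             "0000000000000000000000000000000000A:3\r\n",
}

def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 so only the 5-char prefix would be sent to the API."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_lookup) -> int:
    """Times the password appears in the breach corpus (0 if absent).
    range_lookup(prefix) returns the API body for that prefix, or "" if none."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def validate_password(password: str, range_lookup, min_length: int = 8) -> list:
    """SP 800-63B style: length floor, any printable character including spaces,
    no composition rules, rejected only if it is a known-breached password."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if any(ord(c) < 32 for c in password):  # control characters only; spaces are fine
        problems.append("contains control characters")
    if breach_count(password, range_lookup) > 0:
        problems.append("appears in a known breach corpus")
    return problems

def offline_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS call; returns the constructed body or nothing."""
    return CONSTRUCTED_RANGE_RESPONSE.get(prefix, "")
```

In production, replace offline_lookup with an HTTPS GET of the range endpoint and keep comparing suffixes locally, so the full hash is never transmitted.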
Why You Need a Password Manager

The single most impactful security upgrade you can make in 2026 is installing a password manager. The math is brutal: if you reuse one password across 50 sites and one of those sites is breached, attackers credential-stuff your password against the other 49 within hours. The only defense is a unique password per site — which requires a password manager because humans can't memorize 50+ random 16-character strings.

Popular password managers (all support random password generation):

  • Bitwarden — open source, free tier, $10/year premium. Best for most users.
  • 1Password — $36/year, polished UX, family plans. Best for non-technical users.
  • KeePassXC — local-only, open source, free. Best for privacy maximalists.
  • Apple Passwords / iCloud Keychain — built into Apple devices. Best if you're fully in Apple's ecosystem.

For one-off password generation (when you don't want to open your full password manager), use our browser-based Password Generator — it uses the Web Crypto API's cryptographically secure random source, shows real-time entropy strength, and never transmits the generated password anywhere.

Two-Factor Authentication — The Second Layer

A strong password is necessary but not sufficient. Enable 2FA on every account that supports it. The hierarchy of 2FA methods, from most to least secure:

  1. Hardware security keys (YubiKey, Titan) — phishing-resistant, the gold standard.
  2. TOTP authenticator apps (Authy, 1Password, Aegis) — time-based codes, widely supported.
  3. SMS-based 2FA — vulnerable to SIM-swapping, but better than no 2FA.
  4. Email-based 2FA — weak, only use if nothing else is offered.

For accounts that hold financial value (bank, crypto exchange, primary email), use a hardware security key. For everything else, an authenticator app is sufficient. Avoid SMS-based 2FA for high-value accounts — SIM-swapping attacks are well-documented and increasingly common.

What NOT to Do

  • Don't reuse passwords across sites. One breach exposes every account using that password.
  • Don't use "password + site name" patterns. Attackers know this trick and try variants like "passwordFacebook", "passwordGitHub" automatically.
  • Don't store passwords in browser autofill on shared devices. Browser password stores are encrypted with your OS login — anyone with your OS account can read them.
  • Don't use "security questions" with real answers. "Mother's maiden name" is public record. Use random strings stored in your password manager.
  • Don't trust "password strength meters" on signup forms. Most are heuristic-based and overestimate strength. Trust the entropy calculation, not the green bar.

Summary — Practical Recommendations for 2026

  • Use a password manager. Generate a unique 16+ character random password for every account.
  • For master passwords you must memorize, use a 6-7 word diceware passphrase (~80 bits entropy).
  • Enable 2FA everywhere. Use hardware keys for high-value accounts, authenticator apps for the rest.
  • Aim for 80+ bits of entropy for offline-attackable passwords (disk encryption, password manager master).
  • Aim for 60+ bits of entropy for online accounts with rate-limited logins.
  • Check your passwords against Have I Been Pwned periodically.

For generating strong random passwords right now, use our Password Generator — it gives you real-time entropy calculations, character-type controls, and a local-only entropy strength meter that shows you exactly how long your password would take to crack against modern hardware.

Frequently Asked Questions

Is a 12-character password still secure in 2026?
A 12-character password using all character types (uppercase, lowercase, digits, symbols — 95-character pool) has approximately 78 bits of entropy. At current GPU cracking speeds (~100 billion hashes/second for fast hashes), this would take ~10,000 years to brute force. For online accounts with rate limiting, 12 characters is sufficient. For offline-attackable hashes (encrypted backups, local storage), use 16+ characters.

Are passphrases better than passwords?
Passphrases (4-6 random words like 'correct horse battery staple') offer high entropy with better memorability. A 4-word passphrase from a 7,776-word list (EFF list) has approximately 51 bits of entropy — equivalent to an 8-character random password. For 80-bit security, use 6-7 words. Passphrases win when humans need to remember them; random passwords win when stored in a password manager.

Does adding symbols actually make a password stronger?
Only if the symbols are chosen randomly. Adding a '!' at the end of every password (the most common pattern) adds less than 1 bit of entropy because attackers know to try it. Truly random symbol placement in a 16-character password with all 95 printable ASCII characters gives approximately 105 bits of entropy — sufficient against any non-state-actor threat model.

Should I change my passwords regularly?
NIST reversed this guidance in 2017 (SP 800-63B). Mandatory periodic password changes lead to weaker passwords (users cycle through 'Summer2024', 'Fall2024', etc.). Change passwords only when: (1) a breach is suspected, (2) you shared it accidentally, or (3) you're reusing it across sites. Use a password manager and unique passwords per site instead.