In 2026 a password should be at least 15 characters long, and longer for anything sensitive. Modern guidance from NIST treats length as the most important factor, ahead of forced symbols and mixed case. Aim for 15 to 20 characters or a four-to-five word passphrase to get the entropy that defeats brute-force attacks.
For years the rules were "use 8 characters with an uppercase, a number, and a symbol." That advice is outdated and, in places, actively counterproductive. The current consensus from security researchers and the US National Institute of Standards and Technology (NIST) is simpler and stronger: make it long. This guide explains why length beats complexity, the entropy targets worth hitting, and roughly how long different passwords take to crack.
How Long Should a Password Be? The Short Answer
The practical floor in 2026 is 15 characters. NIST's current digital identity guidelines recommend that systems allow passwords of at least 64 characters and verify a minimum of 8, but security teams widely treat 15 as the real-world minimum for a strong password, because each extra character multiplies the work an attacker must do.
Here is the tiered way to think about it:
- Minimum acceptable: 12 characters. Workable, but increasingly the low end.
- Strong default: 15 to 16 characters for everyday accounts.
- Sensitive accounts: 20+ characters for email, banking, password manager, and admin logins. These are the keys to everything else.
The reason length wins is mechanical, not a matter of opinion. Every character you add multiplies the number of possible combinations an attacker has to test. We will quantify that next with entropy.
Why Length Beats Complexity
The old rule pushed complexity: cram in a capital, a digit, and a symbol. The problem is that humans satisfy those rules in predictable ways. "Password" becomes "Password1!" The forced symbol adds almost nothing because attackers know the patterns, and worse, complexity rules push people toward short, hard-to-remember strings they then reuse everywhere.
NIST explicitly reversed course on this. Current guidance says to stop forcing arbitrary composition rules (no mandatory mix of character types) and stop forcing periodic password changes unless there is evidence of compromise. Both old habits made passwords harder for humans without making them meaningfully harder for computers.
Length does the opposite. A long passphrase like correct-horse-battery-staple is easy for you to remember and brutal for a machine to guess, because its strength comes from the sheer number of combinations, not from a $ you will forget you added.
The shift in one sentence: a memorable 16-character passphrase beats a cryptic 8-character string on every axis that matters, security and usability both.
Entropy: The Number That Actually Measures Strength
"Strength" sounds vague until you put a number on it. That number is entropy, measured in bits. Entropy estimates how unpredictable a password is, and it doubles with every additional bit. The formula for a randomly generated password is:
Entropy (bits) = length × log2(size of character pool)
The character pool is how many symbols each position could be:
- lowercase only: 26
- lowercase + uppercase + digits: 62
- adding common symbols: about 95
Plug in real values and the role of length jumps out:
| Password | Character pool | Entropy (bits) |
|---|---|---|
| 8 chars, letters + digits | 62 | ~48 bits |
| 12 chars, letters + digits | 62 | ~71 bits |
| 15 chars, letters + digits | 62 | ~89 bits |
| 16 chars, with symbols | 95 | ~105 bits |
| 4-word random passphrase | 7,776 words | ~52 bits |
| 5-word random passphrase | 7,776 words | ~65 bits |
The targets to aim for:
- 60+ bits: a reasonable floor for everyday accounts. A 12-character random alphanumeric password clears it.
- 80+ bits: comfortably strong. A 15-character random alphanumeric password lands here.
- 128 bits: the gold standard for high-value secrets, the kind of entropy used in cryptographic keys. A 20-character mixed-pool password approaches it.
Notice the passphrase rows. A four-word random passphrase (the Diceware method, where words are chosen by dice or a secure random generator from a 7,776-word list) sits around 52 bits, and adding a fifth word pushes past 65. That is why a long passphrase is both memorable and strong, as long as the words are chosen randomly, not from a song lyric.
Password Length vs Crack Time
Entropy is abstract, so here is what it means in wall-clock time. The figures below assume an offline attack against a fast, GPU-accelerated rig guessing on the order of 100 billion candidates per second, a realistic ceiling for cracking a leaked database of weakly hashed passwords. (Online attacks against a live login are far slower because of rate limits.)
| Password | Entropy | Time to crack (fast offline attack) |
|---|---|---|
| 8 chars, letters + digits | ~48 bits | Minutes |
| 12 chars, letters + digits | ~71 bits | Centuries |
| 15 chars, letters + digits | ~89 bits | Millions of years |
| 16 chars, with symbols | ~105 bits | Effectively forever |
| 4-word random passphrase | ~52 bits | Hours |
| 5-word random passphrase | ~65 bits | Many years |
Read the jump from 8 to 15 characters. Adding seven characters takes the crack time from minutes to millions of years, against the same hardware. That is the entire argument for length in one row. An 8-character password, even a "complex" one, is no longer safe against an attacker who has your hashed password offline.
Two caveats keep this honest:
- These times assume a truly random password. A 15-character password built from a dictionary word plus a year is far weaker than its length implies, because attackers guess patterns first, not random strings.
- The numbers depend on how the site stored your password. A slow, salted hash (bcrypt, Argon2) makes attacks far slower than the fast-hash ceiling above. You do not control that, which is one more reason to bank on length.
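To make the table and both caveats concrete, here is an added Python example (not code from the article) that applies the page's entropy formula, converts bits to crack time at the page's 100 billion guesses per second ceiling, and then shows what a pattern-built "word + year" password and a slow hash do to the result. The 100,000-word dictionary, the 100 plausible years and the slow-hash rate are assumptions.

```python
import math

FAST_HASH_RATE = 1e11   # page's ceiling: ~100 billion guesses/s against a weakly hashed dump
SLOW_HASH_RATE = 1e5    # assumption: a tuned bcrypt/Argon2 cost cuts the rig to ~100k guesses/s

def entropy_bits(length: int, pool: int) -> float:
    """Page's formula for a uniformly random password: length * log2(pool)."""
    return length * math.log2(pool)

def pattern_entropy_bits(*choices: int) -> float:
    """Caveat 1: a password built from a pattern is only as strong as the number of
    patterns; each slot contributes log2(its choices), whatever its character count."""
    return sum(math.log2(n) for n in choices)

def crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Worst case: the whole keyspace is searched at the given rate."""
    return 2.0 ** bits / guesses_per_sec

def humanize(seconds: float) -> str:
    """Render seconds in the coarse units the page's table uses."""
    for unit, size in (("seconds", 60), ("minutes", 60), ("hours", 24),
                       ("days", 365.25), ("years", 1e6)):
        if seconds < size:
            return f"{seconds:.1f} {unit}"
        seconds /= size
    return f"{seconds:.1f} million years"

def table(rate: float = FAST_HASH_RATE) -> list[tuple[str, int, str]]:
    """The page's six rows as (label, rounded bits, crack time) at the given rate."""
    rows = [("8 chars, letters + digits", 8, 62), ("12 chars, letters + digits", 12, 62),
            ("15 chars, letters + digits", 15, 62), ("16 chars, with symbols", 16, 95),
            ("4-word random passphrase", 4, 7776), ("5-word random passphrase", 5, 7776)]
    return [(label, round(entropy_bits(n, pool)),
             humanize(crack_seconds(entropy_bits(n, pool), rate)))
            for label, n, pool in rows]

if __name__ == "__main__":
    for label, bits, t in table():
        print(f"{label:28} {bits:>4} bits  {t}")
    # Caveat 1: "dictionary word + year" may be 15 characters long, but it is one of
    # (assumed) 100,000 words times 100 plausible years: about 23 bits, gone in under a second.
    weak = pattern_entropy_bits(100_000, 100)
    print(f"word+year pattern {weak:.1f} bits  {humanize(crack_seconds(weak, FAST_HASH_RATE))}")
    # Caveat 2: the same 12-character random password against a slow, salted hash.
    print("12 chars vs slow hash:", humanize(crack_seconds(entropy_bits(12, 62), SLOW_HASH_RATE)))
```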
You can see live entropy and crack-time estimates for any candidate with a free password strength checker, which is the fastest way to feel the difference between 8 and 16 characters.
How to Create a Strong Password in 2026
You have two good options: a random string from a generator (best, paired with a password manager) or a random passphrase (best when you must memorize it). Here is the workflow either way.
Step 1: Pick length before anything else
Decide the length first based on the account's value: 15 to 16 characters for ordinary logins, 20+ for your email, bank, and password manager. Length is the lever, so set it high and let the other choices follow.
Step 2: Generate it randomly, do not invent it
Humans are terrible random number generators. We reach for names, dates, and keyboard patterns that attackers test first. Use a free password generator to produce a genuinely random string of your chosen length. For accounts you must type from memory, generate a multi-word passphrase instead, four words minimum, five for sensitive logins.
Step 3: Make every password unique
Length only protects an account if the password is not reused. When one site is breached, attackers replay that exact email-and-password pair against banks, email, and shops, a tactic called credential stuffing. A unique password per site contains the damage to one account. This is impossible to do by memory at scale, which is the whole case for a password manager.
Step 4: Store them in a manager and turn on 2FA
A password manager generates, stores, and autofills long unique passwords so you only memorize one strong master passphrase. Then add two-factor authentication (an authenticator app or hardware key, not SMS where avoidable) on your important accounts. Even a perfect password is stronger with a second factor behind it.
Step 5: Check your accounts against known breaches
A long password does not help if it was already exposed in a past breach and is now on a wordlist. Check your email addresses against a service like Have I Been Pwned, and rotate any password that shows up. Going forward, only change passwords when there is a reason to, not on an arbitrary 90-day clock that NIST no longer recommends.
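Steps 1 and 2 as an added Python example (not the article's own code): length is chosen first, every position or word is drawn from the operating system's random source via `secrets`, and the entropy of the result is reported with the page's formula. The twelve-word list is a constructed stand-in so the example runs offline; a real generator would load the full 7,776-word Diceware list.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits        # the page's 62-character pool
PRINTABLE = ALNUM + string.punctuation              # 94 characters; the page rounds to "about 95"
DICEWARE_LIST_SIZE = 7776                           # size of a full Diceware list (6^5 dice outcomes)

# Constructed stand-in wordlist so the example runs offline. A real generator loads all
# 7,776 words; with only 12 words the entropy per word drops from 12.9 bits to 3.6 bits.
SAMPLE_WORDS = ["velvet", "anchor", "puzzle", "cinder", "flint", "correct",
                "horse", "battery", "staple", "lantern", "meadow", "quartz"]

def random_password(length: int = 16, pool: str = ALNUM) -> str:
    """Steps 1 and 2: choose the length first, then draw each position from the OS CSPRNG."""
    if length < 12:
        raise ValueError("12 characters is the floor; use 15+ (20+ for sensitive accounts)")
    return "".join(secrets.choice(pool) for _ in range(length))

def random_passphrase(words: int = 5, wordlist: list[str] = SAMPLE_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: every word chosen uniformly and independently."""
    if words < 4:
        raise ValueError("four words minimum, five for sensitive logins")
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def entropy_bits(positions: int, pool_size: int) -> float:
    """Page's formula: positions * log2(pool size)."""
    return positions * math.log2(pool_size)

if __name__ == "__main__":
    pw = random_password(20, PRINTABLE)
    print(pw, f"{entropy_bits(20, len(PRINTABLE)):.0f} bits")                    # ~131 bits
    pp = random_passphrase(5)
    print(pp, f"{entropy_bits(5, len(SAMPLE_WORDS)):.0f} bits with this toy list, "
              f"{entropy_bits(5, DICEWARE_LIST_SIZE):.0f} bits with the full list")  # 18 vs 65
```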
Passphrase vs Password: Which Should You Use?
Both can be strong. The right choice depends on whether a machine or your brain has to remember it.
- Random character string (e.g. 7vQ!pL2m@Rk9zXw4): maximum entropy per character, ideal for anything your password manager fills in for you. You never type it, so it does not need to be memorable.
- Random passphrase (e.g. velvet-anchor-puzzle-cinder-flint): slightly lower entropy per character but far easier to memorize, ideal for the handful of secrets you must type by hand, like your password manager's master password or your laptop login.
The losing move is the middle ground: a short, "clever" password that is neither random enough to be strong nor long enough to compensate. Whichever style you choose, generate it with a free password generator rather than inventing it, so the result is genuinely random instead of a guessable human pattern. For more on building hard-to-crack credentials, see our guide on the password generator for hack-proof passwords, and if you also work with hashing, our hash generator covers the algorithm side.
Frequently Asked Questions
How long should a password be in 2026? At least 15 characters for a strong everyday password, and 20 or more for sensitive accounts like email, banking, and your password manager. NIST treats length as the most important factor and no longer recommends forced complexity rules or routine password expiration.
Is a 12-character password still safe? A truly random 12-character password is workable, with roughly 71 bits of entropy that resists most attacks. But 15 characters is the safer default in 2026, because every extra character multiplies the attacker's work, taking crack time from centuries to millions of years against fast offline hardware.
Is length or complexity more important for a password? Length. Adding characters increases the number of possible combinations far faster than adding a single symbol does, and forced complexity rules push people toward short, predictable, reused passwords. A long random passphrase beats a short cryptic string on both security and memorability.
What is a passphrase and is it stronger than a password? A passphrase is several random words strung together, like four or five words chosen by the Diceware method. It can be very strong, around 52 bits for four words and 65-plus for five, while being far easier to remember than a random character string. Strength comes from the words being random, not from a familiar quote.
How is password strength actually measured? By entropy, in bits, calculated as length multiplied by the log base 2 of the character pool size. More bits means more unpredictability and a longer crack time. Aim for 60-plus bits for ordinary accounts and 128 bits for high-value secrets. A password strength checker shows the live estimate.
How long does it take to crack a password? It depends on length, randomness, and how the site stored it. Against a fast offline attack, an 8-character password falls in minutes, while a random 15-character one would take millions of years. Dictionary-based passwords fall far faster than their length suggests, because attackers test common patterns first.