The password advice most people follow was written in 2003 and has been officially retracted by its own author. Here is what the research actually says about strong passwords, and how to create ones that hold up against modern attacks.
The Biggest Myth: Complexity Over Length
For decades, password policies demanded things like P@ssw0rd! — a familiar word with letter substitutions. This feels complex but is actually easy to crack. Attackers know every substitution pattern. Their tools automatically try variations like p@ssword, passw0rd, and p4ssword as part of standard dictionary attacks.
NIST (the US government body that defines security standards) updated its password guidelines in 2017 and again in 2024. Its conclusion: length matters far more than complexity. A long password with only lowercase letters is stronger than a short password with every character type.
Here is why. Modern graphics cards can test billions of password guesses per second against stolen password databases. The size of the search space grows exponentially with length. Adding one character to a 12-character password makes it roughly 90 times harder to crack. Adding a capital letter to an 8-character password makes it only 2 times harder.
What Actually Makes a Password Strong
Length (most important)
Each additional character multiplies the search space by the size of the character set, so the space grows exponentially with length. The difference between a 10-character and a 16-character password is not 6 characters. It is roughly 281 trillion times harder to crack by brute force. Aim for at least 16 characters for anything important: email accounts, banking, cloud storage, and any account linked to payment methods.
For lower-stakes accounts, 12 characters is a reasonable minimum. For anything connected to your identity or money, go longer.
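As an added illustration (not part of the original article), the Python below computes the search space, entropy in bits and expected brute-force time for the two policies the article contrasts: a short password drawn from every character class versus a long lowercase-only one. The 95-character printable-ASCII alphabet and the 10^11 guesses-per-second attacker rate are assumptions made for the calculation.

```python
import math

# Alphabet sizes for common character classes (assumed values for this
# illustration: printable ASCII has 95 characters, a-z has 26).
ALPHABETS = {
    "lowercase only": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "all printable ASCII": 95,
}

# Assumed attacker speed: 1e11 guesses/second, the order of magnitude a
# GPU rig reaches against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e11


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: log2 of the search space. Each extra character
    adds log2(alphabet_size) bits, whatever class it belongs to."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(alphabet_size: int, length: int,
                           rate: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half the space is searched
    before the correct guess turns up."""
    return search_space(alphabet_size, length) / 2 / rate


def compare_policies(short_len: int = 8, long_len: int = 16) -> dict:
    """Contrast a short all-character-class password with a long
    lowercase-only one, the comparison the article makes."""
    policies = (("all printable ASCII", short_len), ("lowercase only", long_len))
    return {
        f"{name} x {length}": {
            "bits": round(entropy_bits(ALPHABETS[name], length), 1),
            "years": expected_crack_seconds(ALPHABETS[name], length) / 31_557_600,
        }
        for name, length in policies
    }


if __name__ == "__main__":
    for policy, stats in compare_policies().items():
        print(f"{policy:26s} {stats['bits']:6.1f} bits  "
              f"~{stats['years']:.3g} years to brute-force")
```

At the assumed rate the 8-character password from the full alphabet falls in hours while the 16-character lowercase one takes thousands of years, which is the whole argument for length in numbers.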
Randomness (second most important)
Humans are bad at generating randomness. We unconsciously avoid certain combinations, favour letters that appear in our name or recent memories, and gravitate toward patterns that feel random but are not. A password you create yourself will almost always be weaker than one generated by a computer, even if they are the same length.
A cryptographically random password generator uses a secure random number generator to pick each character independently, with no patterns or preferences. The result is a password that cannot be predicted even if an attacker knows everything about you.
Uniqueness (non-negotiable)
Reusing passwords across accounts is the single most dangerous habit in personal security. When one service gets breached (and they do: hundreds of millions of credentials leak every year), attackers immediately try those credentials on other services in a technique called credential stuffing. One reused password can cascade into a complete takeover of your email, social media, and financial accounts.
Every account should have its own unique password. The only practical way to do this is a password manager.
The Three Approaches That Work
Random generated passwords with a password manager
Generate a random 20-character password for every account and store them all in a password manager. Good options include 1Password, Bitwarden (free and open source), and the built-in password managers in Safari, Chrome, and Firefox. You only need to remember one master password. This is the gold standard approach and the one security professionals use themselves.
Passphrases
Four or more random common words strung together, for example: marble-clock-forest-seven. Long, surprisingly memorable, and strong enough for most purposes. The critical word is random. Do not choose words that relate to you, your interests, or your location. Use a dice roll or a random word generator to pick them. A passphrase built from truly random words is mathematically strong even though it looks simple.
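The generator described in the Randomness section and the passphrase method above, as an added Python example that is not part of the original article or of any product it mentions. Both functions draw every symbol independently from the operating system's CSPRNG via the secrets module; the 20-word list is constructed for this illustration only and is far too small for real use, so the entropy helper takes the list size as a parameter.

```python
import math
import secrets
import string

# Constructed word list for this illustration only. A real passphrase
# generator would use a large published list (the Diceware list has
# 7776 words); the entropy function below takes the list size as input.
SAMPLE_WORDS = """
marble clock forest seven river candle jacket orbit pillow tiger
walnut meadow copper violin harbor lantern pepper saddle cactus falcon
""".split()

PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Pick each character independently with the OS CSPRNG.
    secrets.choice is unbiased, so every character is equally likely and
    no position is forced into a particular class."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 4, words=SAMPLE_WORDS,
                      sep: str = "-") -> str:
    """Software equivalent of rolling dice against a word list: each word
    is an independent uniform pick, and repeats are allowed."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Strength of a uniformly random secret: log2(choices) per symbol.
    Valid only for generated secrets, not for ones a human picked."""
    return symbols * math.log2(choices_per_symbol)


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase()
    print(pw, f"({entropy_bits(len(PRINTABLE), len(pw)):.1f} bits)")
    print(pp, f"({entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits, tiny list)")
    # Four words from a 7776-word list: 4 * log2(7776) = 51.7 bits
    print(f"{entropy_bits(7776, 4):.1f} bits with a 7776-word list")
```

Four words from the full 7776-word list give about 52 bits, comparable to an 8-character password from the full printable alphabet, which is why the word list must be large and the picks must be random.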
Two-factor authentication
Even a mediocre password becomes dramatically more secure with two-factor authentication (2FA). A leaked password is useless to an attacker if they also need your phone or your hardware key to log in. Enable 2FA on your email account first. Then your banking and financial accounts. Then everything else. Authenticator apps like Authy or Google Authenticator are more secure than SMS codes, though SMS 2FA is still far better than nothing.
What to Avoid
- Your name, birthday, or any information visible on your social media profiles
- Dictionary words with simple substitutions: 3 for e, @ for a, 0 for o
- Keyboard patterns: qwerty, 123456, asdfgh
- Any password shorter than 12 characters for accounts you care about
- The same password on more than one site
- Anything a close friend or family member could guess about you
How Often Should You Change Passwords?
The old advice was to change passwords every 90 days. NIST now explicitly recommends against mandatory periodic changes, because forcing frequent changes leads people to make predictable modifications (Summer2024 becomes Summer2025) rather than genuinely new passwords.
The current guidance: change a password when you have reason to believe it may have been compromised, when a service you use reports a breach, or when you discover you have been reusing it. Otherwise, a strong unique password does not need to be changed on a schedule.
Generate a Strong Password Now
Use DevHive's free password generator to create a cryptographically random password of any length, with full control over which character types to include. No account required, nothing saved or logged.