EllyTools


Password Generator

Generate strong, secure passwords in one click


How to use

  1. Set the desired password length
  2. Select the character types (uppercase, lowercase, digits, symbols)
  3. Click Generate and copy your secure password


Recommended for

  • People creating strong, unique passwords for online accounts
  • IT professionals generating secure credentials
  • Security-conscious people replacing weak passwords

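Why people choose EllyTools

100% free and unlimited

No sign-up, no limits. Use it as many times as you like.

Privacy first

All processing happens in your browser. Your files never leave your device.

No installation required

Runs directly in the browser on any device, including desktops, tablets, and smartphones.

Fast and reliable

Instant results powered by modern browser technology.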

Strong Passwords in 2026: Length, Entropy, and What Actually Keeps Accounts Safe

The advice on what makes a password strong has changed substantially in the past decade. Forget complex character soup with a number and a special character. What matters today is length, true randomness, and never reusing a password between sites. This guide explains why, and how to use a generator without sabotaging yourself.

For decades, password rules looked the same: at least eight characters, one uppercase, one lowercase, one number, one symbol. The result was predictable — most people picked something like Password1! and called it a day. NIST (the US standards body) revised its guidance in 2017 and again in 2024 to acknowledge what security researchers had been saying for years: those rules made passwords harder for humans to remember without making them meaningfully harder to crack.

The new consensus is straightforward. Length beats character variety. Randomness beats cleverness. A password manager beats memory. And the single most important security practice — bigger than any password rule — is using a different password for every site. The easiest way to do that is with a generator that produces cryptographically random strings.

The vocabulary you need

Entropy
A measure of how unpredictable a password is, expressed in bits. Each bit doubles the average number of guesses an attacker needs. 60 bits is reasonable, 80 bits is strong, 100+ bits is overkill for any non-state actor.
Brute force attack
An attacker tries every possible password in some search space. Modern GPUs can test billions of guesses per second against a fast hash, so short passwords fall in seconds.
Dictionary attack
An attacker tries words from a wordlist instead of every possible string. Defeats almost every password built from real words plus a few digits, no matter how long.
Credential stuffing
An attacker takes a password leaked from one site and tries it on every other site you might have an account on. This is why password reuse is the single most dangerous habit in security today.
Hashing
How sites store your password. A good site uses a slow hash (bcrypt, scrypt, Argon2) that is hard to brute force even with leaked data. A bad site uses MD5 and your password is recoverable in milliseconds if their database leaks.

How long does a password need to be?

Approximate time to brute force a fully random password against a fast modern hash (10 billion guesses per second). Most real-world hashes are slower, so these are worst-case figures.

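| Length   | Lowercase only          | Mixed case + digits + symbols |
|----------|-------------------------|-------------------------------|
| 8 chars  | Under 1 second          | ~1 hour                       |
| 10 chars | ~6 hours                | ~30 years                     |
| 12 chars | ~600 years              | ~3 million years              |
| 14 chars | ~430,000 years          | Effectively unbreakable       |
| 16 chars | Effectively unbreakable | Effectively unbreakable       |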

Length vs character variety

Both length and the size of the character set affect entropy, but length has a more dramatic effect because each additional character multiplies the search space, while expanding the character set only widens it. Going from 8 to 12 random lowercase characters increases entropy by ~19 bits — a factor of 500,000. Going from lowercase to mixed case at 8 characters only adds ~8 bits, a factor of 256.

This is why current best practice is to favor longer random passwords (16+ characters) over shorter ones full of special characters. A 16-character lowercase password is more secure than a 10-character mixed-case-and-symbols one, and it is easier to type on a phone keyboard.

Passphrases: an underrated alternative

A passphrase is four to seven random words from a large dictionary, separated by spaces or hyphens. They are dramatically easier to remember than character soup and provide enough entropy for almost any threat model:

  • Four random words from a 7,776-word list (the standard EFF list) → ~52 bits of entropy. Strong enough for most personal accounts.
  • Six random words → ~77 bits. Strong enough for high-value accounts (email, bank, password manager master password).
  • Seven words → ~90 bits. Effectively unbreakable.
  • The words must be chosen with a real source of randomness — dice or a generator. 'Words from a poem you like' is just a dictionary attack waiting to happen.

How to actually use a password generator without losing your mind

  1. Pick a password manager first

     1Password, Bitwarden, KeePass, and Apple's iCloud Keychain are all good. The manager is what makes random 16-character passwords usable — you never type them, you let it autofill.

  2. Generate one random master password (passphrase) for the manager

     Use a 6-7 word passphrase. This is the only password you'll memorize. Write it down on paper and keep it somewhere safe until it's burned into your memory.

  3. Generate unique random passwords for every other site

     16+ characters, mixed case, digits, symbols. Let the generator do all the work. Save each one to the manager as you create it.

  4. Turn on two-factor authentication where available

     Even if a password leaks, an attacker still needs your second factor. App-based codes (Authy, Google Authenticator) or hardware keys (YubiKey) are far stronger than SMS-based 2FA.

  5. Replace any reused or breached passwords first

     Run your account list through haveibeenpwned.com. Any password that has appeared in a breach must be changed immediately, regardless of how long ago.

Extended FAQ

Is the password I generate here sent to a server?

No. EllyTools' generator runs entirely in your browser using the cryptographically secure crypto.getRandomValues API. The password never leaves your device, and we never see it.
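The following is an added example, not EllyTools' own code: a sketch of how a browser-side generator can draw unbiased characters or words from crypto.getRandomValues, together with the entropy formula behind the figures in the length and passphrase sections above. The function names and the symbol set are assumptions made for illustration.

```javascript
// Added example, not EllyTools' code. Browsers and Node 19+ expose Web Crypto
// as globalThis.crypto; the require() fallback is only reached on older Node.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const UPPER = LOWER.toUpperCase();
const DIGITS = '0123456789';
const SYMBOLS = '!@#$%^&*()-_=+[]{};:,.?'; // assumed symbol set, 23 characters

// Uniform integer in [0, n) by rejection sampling. A bare `value % n` favours
// low indices whenever 2^32 is not a multiple of n (modulo bias).
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit); // discard the biased tail and draw again
  return buf[0] % n;
}

// `count` independent, uniform picks from `pool` (a string of distinct
// characters, or an array of distinct words).
function pickRandom(pool, count) {
  if (pool.length === 0) throw new Error('pool is empty');
  const out = [];
  for (let i = 0; i < count; i++) out.push(pool[randomIndex(pool.length)]);
  return out;
}

function generatePassword(length, pool = LOWER + UPPER + DIGITS + SYMBOLS) {
  return pickRandom(pool, length).join('');
}

// `words` is supplied by the caller, e.g. the 7,776-word list mentioned above.
function generatePassphrase(words, count, sep = '-') {
  return pickRandom(words, count).join(sep);
}

// Entropy in bits of `count` independent uniform picks from `poolSize` options.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}
```

The entropy figure only holds when every pick is independent and uniform, which is why the index is drawn by rejection sampling rather than a plain modulo.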

How often should I change my passwords?

Modern guidance — including from NIST — is that you should change passwords only when you have reason to believe they have been compromised. Mandatory periodic changes lead to weaker passwords (people just increment a number) without improving security.

Are password managers a single point of failure?

Yes, and that is the point — a single very strong, well-protected vault is dramatically safer than dozens of weak, reused passwords scattered across your brain and browsers. Treat the master password and the recovery key with appropriate care.

What if a site limits passwords to 12 characters or no symbols?

That is a sign of a poorly secured site, but you can still make the most of what you are allowed. Generate the maximum allowed length using whatever character set is permitted, and be aware that this account is more vulnerable than your others.

Are biometric logins better than passwords?

Biometrics (Face ID, Touch ID) are convenient and improve usability, but they typically unlock a stored credential rather than replace it. The underlying password still exists and still needs to be strong. Use both — biometrics for convenience, a strong unique password underneath.