Strong Password Best Practices in 2026: What Actually Matters Now
Forget the old rules. Here's what cybersecurity experts (and the latest NIST guidelines) recommend for staying safe online.
For years we were told to mix uppercase, lowercase, numbers and symbols, change passwords every 90 days, and never write them down. Modern guidance from the US National Institute of Standards and Technology (NIST) and major security firms has actually flipped most of that advice. Here's what really matters in 2026.
Length beats complexity
A 16-character password made of random letters is mathematically harder to crack than an 8-character password with symbols. NIST now explicitly recommends a minimum of 8 characters, but suggests 16+ for anything important. Aim for 20 if you can stomach it.
Stop changing passwords on a schedule
Forced 90-day rotations push people to choose weaker, more predictable passwords (Spring2026!, then Summer2026!). The new guidance: only change a password when there's evidence it was compromised.
Use a password manager — seriously, all of you
Reusing passwords is the single biggest risk factor for account breaches. A password manager generates and stores a unique strong password for every site, so a leak at one company can't cascade into all your accounts.
Turn on two-factor authentication everywhere
Even if your password leaks, a second factor (app code, hardware key, passkey) stops attackers cold. Prefer authenticator apps over SMS where possible — SMS can be intercepted.
What makes a password genuinely strong
- At least 16 characters
- Mix of upper, lower, digits and symbols (still helps, on top of length)
- Not a dictionary word or common phrase
- Not based on personal info (birthday, pet name, address)
- Unique to each site
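As an added illustration that is not part of the original article, the following Python turns the checklist above into a policy check and puts numbers on "length beats complexity": it compares the entropy of 16 random letters against 8 characters drawn from the full printable set. The blocklist, the personal-info list and the sample passwords are constructed for the example; a real deployment would screen against a breached-password corpus.

```python
import math

# Constructed blocklist for the example; in practice use a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "spring2026!", "summer2026!"}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` symbols chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def check_password(pw: str, personal_info=(), used_elsewhere=()) -> list[str]:
    """Return the policy violations for `pw` (an empty list means it passes).

    Checks mirror the article's list: 16+ characters, not a common password,
    not built from personal details, and not reused on another site.
    """
    problems = []
    lowered = pw.lower()
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("in the common-password blocklist")
    for info in personal_info:
        # Ignore very short fragments so single digits do not trigger false positives.
        if len(info) >= 3 and info.lower() in lowered:
            problems.append(f"contains personal info: {info}")
    if pw in used_elsewhere:
        problems.append("reused on another site")
    return problems


if __name__ == "__main__":
    # 16 random lowercase letters vs 8 characters from the 94 printable ASCII symbols.
    print(f"16 letters:  {entropy_bits(16, 26):.1f} bits")   # about 75.2
    print(f"8 full-set:  {entropy_bits(8, 94):.1f} bits")    # about 52.4
    # Constructed examples: a rotation-style password and one built from a pet name and birth year.
    print(check_password("Spring2026!"))
    print(check_password("Fluffy1990Rocks!!!", personal_info=["fluffy", "1990"]))
```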
FAQ
Q: Is it safe to let my browser remember passwords?
A: Modern browser password managers are encrypted and reasonably safe, but a dedicated password manager offers stronger sharing, recovery and audit features.
Q: What's a passkey?
A: Passkeys are cryptographic credentials tied to your device that replace passwords entirely. They can't be phished and are rolling out across major sites in 2026.