The Only Password Rules That Actually Matter in 2025

For years, IT departments everywhere told us the same thing: make your password at least 8 characters, include a capital letter, a number, and a special symbol, and change it every 90 days. It felt rigorous. It was largely useless.

The US National Institute of Standards and Technology (NIST) walked back most of those recommendations in 2017, when it published SP 800-63B, and restated the position more forcefully in its 2024 draft revision (SP 800-63-4). Here's what actually matters now.

Length Beats Complexity

A 6-character password that uses every trick in the book (uppercase, digits, symbols) is cracked long before a 20-character string of random lowercase letters. There are 95 printable ASCII characters, so 6 of them give about 7 × 10^11 possibilities; 26 letters to the power of 20 is about 2 × 10^28. Length, not complexity, is the dominant factor in password strength, provided the characters are actually chosen at random.

This is because attackers don't guess by hand. Cracking tools test anywhere from thousands of guesses per second against a slow, properly salted hash such as bcrypt or Argon2 to many billions per second on GPU rigs against fast hashes such as MD5 or unsalted SHA-1, and you don't get to choose which one the site used. Every added character multiplies the search space by the size of the alphabet, so the space grows exponentially with length: a 20-character password is not twice as hard to brute-force as a 10-character one, it is harder by a factor of the alphabet size raised to the tenth power.

The rule: Aim for at least 16 characters. Longer is better.
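The arithmetic behind "length beats complexity", as an added example that is not part of the original article. It computes the entropy of each scheme the section compares and the expected brute-force time at two assumed guess rates; the rates are illustrative order-of-magnitude figures chosen for this example, not measurements from the article, and the numbers only hold for characters or words chosen uniformly at random.

```python
# Added example (not from the original article): the arithmetic behind
# "length beats complexity". Entropy is computed for strings whose every
# symbol is chosen uniformly at random; human-chosen strings score far lower.
import math

# Alphabet sizes for the schemes compared in the text.
LOWERCASE = 26
PRINTABLE_ASCII = 95          # upper + lower + digits + symbols
DICEWARE_LIST = 7776          # words in a standard diceware/EFF-style list (6**5)

# Assumed guess rates (guesses per second). Illustrative order-of-magnitude
# figures chosen for this example, not measurements from the article.
GUESS_RATES = {
    "fast hash, GPU rig (unsalted MD5/SHA-1)": 1e11,
    "slow hash (bcrypt/Argon2 at a sane cost)": 1e5,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from an alphabet
    of `alphabet_size`: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average the attacker covers half the
    space before hitting the right guess."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse, readable duration for the comparison table."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "under a second"


def compare_schemes(schemes, rates=GUESS_RATES):
    """Return one row per scheme: entropy in bits plus crack time per rate."""
    rows = []
    for label, alphabet, length in schemes:
        bits = entropy_bits(alphabet, length)
        row = {"scheme": label, "bits": round(bits, 1)}
        for rate_label, rate in rates.items():
            row[rate_label] = human_time(expected_crack_seconds(bits, rate))
        rows.append(row)
    return rows


SCHEMES = [
    ("6 random printable ASCII chars", PRINTABLE_ASCII, 6),
    ("8 random printable ASCII chars", PRINTABLE_ASCII, 8),
    ("10 random lowercase letters", LOWERCASE, 10),
    ("20 random lowercase letters", LOWERCASE, 20),
    ("4 random diceware words", DICEWARE_LIST, 4),
    ("16 random printable ASCII chars", PRINTABLE_ASCII, 16),
]

if __name__ == "__main__":
    for row in compare_schemes(SCHEMES):
        print(row)
```

Run it and the 6-character "complex" password falls in seconds against a fast hash while the 20 lowercase letters take longer than the age of the universe; the slow-hash column shows why the hash the site chose matters as much as your password, but since you can't see that choice, length is the lever you control.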

Passphrases Are Underrated

Four words drawn at random from a wordlist and strung together, like "purple-anvil-forest-lamp", are both more secure than most "complex" passwords and far easier to remember. Four words from a 7,776-word diceware list give about 52 bits of entropy, roughly the same as 8 random printable characters and far easier to recall; a fifth word pushes it past 64 bits. This approach, popularized by the xkcd comic "Password Strength" and consistent with NIST's guidance that services must accept long passphrases, gives you length, real randomness, and memorability.

The key word is random. The words have to come from a random draw (dice or a generator), not from your head. "ilovemydog2015" is a phrase but not a random one: it draws on personally meaningful information that can be guessed or found on social media, and it follows exactly the word-plus-year pattern cracking tools try first.
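A passphrase generator of the kind described above, as an added example that is not part of the original article. It draws words with the operating system's CSPRNG through Python's `secrets` module (the `random` module is seeded predictably and must not be used for this), reports the entropy of the result, and works out how many words a list of a given size needs to hit a target. The wordlist is a constructed 16-word stand-in; a real one would be the EFF large list, which has 7,776 words.

```python
# Added example (not from the original article): generating a random
# passphrase the way a diceware sheet or a password manager does. The draw
# uses `secrets` (the OS CSPRNG); `random.choice` is seeded predictably and
# must not be used for secrets.
import math
import secrets

# Constructed stand-in for a real wordlist. In practice use the EFF large
# wordlist (7,776 words); entropy per word depends on the list size only.
SAMPLE_WORDLIST = [
    "purple", "anvil", "forest", "lamp", "copper", "meadow", "signal", "harbor",
    "velvet", "glacier", "rocket", "timber", "saddle", "orchid", "pebble", "comet",
]


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of `n_words` independent uniform draws from a list of
    `wordlist_size` distinct words: n_words * log2(wordlist_size)."""
    return n_words * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest word count whose passphrase reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words: int = 4, separator: str = "-") -> str:
    """Draw `n_words` words uniformly and independently (repeats are allowed;
    rejecting them would shrink the search space) and join them."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words shrink the effective list size")
    if any(separator in w for w in wordlist):
        raise ValueError("separator must not appear inside a word")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST)
    bits = passphrase_entropy_bits(len(SAMPLE_WORDLIST), 4)
    print(phrase, f"({bits:.1f} bits with this toy list)")
    print("words from a 7,776-word list for 64 bits:", words_needed(7776, 64))
```

With the toy list four words give only 16 bits, which is the point of the `words_needed` helper: the strength comes from the size of the list and the number of independent draws, not from how exotic the words look.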

Stop Changing Passwords Regularly (Unless Compromised)

NIST's guidelines now direct services not to force periodic password changes at all, and to require a change only when there is evidence the password has been compromised. The reason is behavioural: when people are forced to change passwords every 90 days, they predictably do the minimum. "Password1!" becomes "Password2!", and studies of real password histories consistently show the result is weaker, more predictable passwords, not stronger ones.

Change your password when: there's evidence of a breach, you suspect someone saw it, or you used it on a site that was hacked. Not on a calendar schedule.

Unique Passwords for Every Account

This is the rule most people break — and the one that matters most in practice. The most common way accounts get compromised isn't someone cracking your specific password; it's credential stuffing, where attackers take leaked username/password pairs from one breach and try them on other sites.

If you reuse a password and any site that uses it gets breached, every account sharing that password is compromised. One breach becomes ten.
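The check behind "change it when it appears in a breach" and behind credential-stuffing defence, as an added example that is not part of the original article. It implements the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service and by password managers that integrate it: only the first five hex characters of the password's SHA-1 leave your machine, and the matching is done locally on the returned list. The network call is not made here; the response body is constructed, and its counts are made up, though the prefix and suffix of SHA-1("password") are real.

```python
# Added example (not from the original article): check a password against a
# breach corpus without revealing it, using the k-anonymity range lookup that
# Have I Been Pwned's Pwned Passwords API and several password managers use.
from __future__ import annotations

import hashlib

# Real endpoint; this example never calls it. A client would fetch
# PWNED_RANGE_URL + prefix and pass the body to breach_count().
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def range_query_parts(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Response lines are 'SUFFIX:COUNT'. Padded responses may carry
    zero-count filler lines; they are dropped so they never count as hits."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in the corpus (0 = not found).
    `range_body` must be the response for this password's own prefix."""
    _, suffix = range_query_parts(password)
    return parse_range_response(range_body).get(suffix, 0)


def must_rotate(password: str, range_body: str) -> bool:
    """Any hit at all means the password is in attackers' stuffing lists."""
    return breach_count(password, range_body) > 0


# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts are made up; the real service returns hundreds of lines.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
"""

if __name__ == "__main__":
    prefix, _ = range_query_parts("password")
    print("would request:", PWNED_RANGE_URL + prefix)
    print("hits:", breach_count("password", CONSTRUCTED_RANGE_5BAA6))
    print("rotate?", must_rotate("password", CONSTRUCTED_RANGE_5BAA6))
```

Because the service sees only a prefix shared by hundreds of hashes, it learns nothing useful about which password you checked; the same property is why a site can safely run this check at sign-up to reject passwords that are already in stuffing lists.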

Use a Password Manager

The only realistic way to have a unique, long, random password for every account is to use a password manager. You remember one strong master password; the manager handles the rest. Reputable options include Bitwarden (open source, free), 1Password, and Dashlane.

Our Password Generator creates strong random passwords instantly — paste them directly into your password manager.

Enable Two-Factor Authentication

Even a perfect password can be phished or leaked. Two-factor authentication (2FA) means an attacker also needs a second proof: typically a one-time code from an authenticator app, a push approval, or a hardware security key. Not all second factors are equal. SMS codes can be intercepted through SIM-swapping, and both SMS and app-generated codes can be relayed through a real-time phishing page, while FIDO2 security keys and passkeys are bound to the site's origin and resist phishing outright. Enable 2FA on every account that offers it, prefer an authenticator app or security key over SMS, and prioritize email (which can reset everything else), banking, and social media.

The Short Version

  • Use long passwords (16+ characters)
  • Make them random — passphrases or generated strings
  • Use a different password for every account
  • Use a password manager
  • Enable 2FA everywhere possible, preferring an authenticator app or security key over SMS
  • Only change passwords when there's a reason to