
How to pick a strong password (and the four rules everyone gets wrong)

The 2003 NIST guidelines are still everywhere. They're wrong.


Not security-engineering advice for high-risk users: This guide covers consumer and small-business threat models. Journalists, activists, executives, and anyone targeted by nation-state actors should consult a security professional and adopt hardware-based authentication (FIDO2/WebAuthn passkeys) plus device hardening. Follow NIST SP 800-63B for current US federal guidance.

Most password advice is wrong, or at least out of date. The 2003 NIST guidelines (uppercase + lowercase + number + symbol, rotate every 90 days) made sense given the threat model of the time and the cost of authentication primitives. Both have changed. Modern password security comes down to four rules, in priority order.

Rule 1: Length beats complexity

Entropy — the actual measure of how hard a password is to brute-force — is length × log₂(charset). Three combinations producing roughly 80 bits:

  • 16 random lowercase letters: 16 × log₂(26) ≈ 75 bits
  • 12 random chars from a 70-symbol alphabet: 12 × log₂(70) ≈ 74 bits
  • 6 random words from a 7,776-word list: 6 × log₂(7776) ≈ 77 bits

At 80 bits, brute-forcing at one trillion attempts per second takes ~38,000 years. That’s the floor for “not worth trying.” To get there: extend the length, not the character classes. kjY8 has 23 bits; kjY8kjY8kjY8 at 12 chars has 69; same input complexity, vastly stronger.

Rule 2: Unique per account

The single biggest risk to your accounts is credential stuffing — attackers taking usernames and password hashes from a breach (a B-list site you used in 2015), cracking them offline, then trying the result on every major service. If you reuse the same password across services, one breach compromises all of them.

Unique-per-account passwords make this attack class irrelevant. The only practical way to maintain dozens of unique strong passwords is a password manager (1Password, Bitwarden, Apple Keychain, etc.). Use one.

Rule 3: Cryptographically random, not human-chosen

Human-chosen passwords cluster. We pick birth years, keyboard patterns, dictionary words, anagrams, names. Even when told to be random, humans aren’t.

Cryptographic randomness avoids this entirely. Our password generator uses crypto.getRandomValues with rejection sampling to produce uniformly random passwords from any charset. Generated 20-character outputs give ~131 bits of entropy in the full alphabet — past the useful upper bound for any threat model not involving quantum computers.

Rule 4: Two-factor where supported

Two-factor authentication (a code from your phone, a hardware key, a passkey) defeats password compromise even when the password itself is weak or reused. Modern phishing attacks have become good enough at capturing one-time codes that the bar has risen — but a strong password plus any 2FA is still vastly safer than a strong password alone.

Use hardware keys (FIDO2 / WebAuthn) where possible, TOTP apps (Authy, 1Password, Aegis) where hardware keys aren’t supported, SMS only as a last resort. SMS 2FA is better than no 2FA but worse than the alternatives — SIM-swap attacks are real.

The xkcd passphrase question

Randall Munroe’s xkcd 936 popularised the four-random-words passphrase. It’s a good idea with two caveats:

  • Words must be drawn from a large list. A 7,776-word list (the EFF’s Diceware) gives ~13 bits per word. A 2,000-word list gives ~11. Common English vocabulary (10,000 words an educated adult might pick) gives even less because humans don’t pick uniformly.
  • The whole passphrase must be random. “Correct horse battery staple” itself is now in every password-cracking dictionary. The example was good when it was an example.

The four most common failure modes

  1. Reused across sites. One breach takes them all.
  2. Pattern-based. “[Site]2024!” — automated tools catch these immediately.
  3. Personal info. Birthdays, pet names, schools — all available on social media or in databases.
  4. Too short. Below ~50 bits of entropy is brute-forceable in a reasonable budget.

The pragmatic strategy

For every account:

  1. Use our password generator at 20+ characters with all classes enabled.
  2. Save it in your password manager.
  3. Enable hardware-key or TOTP 2FA on accounts that support it.
  4. Never reuse a password between accounts.
  5. For the few passwords you must remember (your password manager’s master, your phone PIN), use a 6+ word random passphrase.

Don’t change passwords on a schedule. Change them when a breach is reported on a site you use, or when you have any other concrete reason to suspect compromise.

Walkthrough: building a 6-word Diceware passphrase

For a password-manager master that you need to memorise:

  1. Roll 5 physical dice 6 times (or use a cryptographic RNG mapped to the same range). Each 5-digit result indexes the EFF long wordlist of 7,776 words.
  2. Example output: 61244 14516 32153 53121 25634 41213 → “tuna corner herd ranch glow oxford”.
  3. Entropy calculation: 6 × log₂(7776) ≈ 77.5 bits.
  4. Cracking cost: at the public benchmark of ~1 trillion guesses/sec on a high-end GPU farm (Hashcat on RTX 4090 cluster), 2^77.5 guesses takes ~6 million years. The cost is the cluster + the energy bill; neither is worth your password manager.
  5. Do not modify it after generation. Capitalising one letter or adding a digit “for policy” doesn’t meaningfully raise entropy and makes it harder to remember.

Common mistakes

  • Reusing the password manager master elsewhere. The master must be unique. If it leaks, every credential in the vault is exposed.
  • Storing the master in cloud notes. Notes apps without zero-knowledge encryption (Apple Notes synced via iCloud, Google Keep, OneNote) are searchable by anyone with your provider login. Use a physical recovery card stored in a safe instead.
  • Using “memorable” substitutions like P@ssw0rd!. Cracking dictionaries enumerate every common leetspeak variant. The entropy is the same as “Password” — about 16 bits.
  • Picking SMS 2FA when TOTP is available. SIM swap attacks (FBI IC3 reports ~1,600 cases in 2023 with $68M in losses) defeat SMS. TOTP and especially passkeys are immune.
  • Treating “recovery questions” as honest data. “Mother’s maiden name” is in your relatives’ obituaries online. Treat recovery answers as additional passwords — random strings stored in your manager.
  • Generating in an insecure environment. Random-password websites that aren’t client-side may log the output. Use a generator that runs in your browser only — like ours, which uses crypto.getRandomValues and never transmits the result.

When the standard rules don’t apply

  • Encryption keys (LUKS, FileVault, BitLocker). These resist brute force only as well as the password. Use 8+ Diceware words for full-disk-encryption passphrases; there’s no rate-limiting at the boot loader.
  • Shared service accounts. Multi-person access defeats personal password hygiene. Use a secrets manager with per-user audit logging (Vault, 1Password Teams) instead of a shared password.
  • Legacy systems that cap password length at 12. Older banking and government portals still exist. Use the longest password they allow, all character classes, never reuse, and lobby the vendor to fix the limit.
  • Passkey-supporting accounts. Per FIDO Alliance guidance, replace the password entirely once a passkey is enrolled. The password becomes a fallback only. Apple, Google, Microsoft, and major banks now support passkeys.
  • Children’s accounts. A 6-word passphrase is too hard. Use a parent-managed password stored in the family password manager; teach the child to recognise phishing instead.

Frequently asked questions

Should I change my password every 90 days?

No. NIST updated SP 800-63B in 2017 to explicitly discourage periodic rotation in the absence of evidence of compromise — it pushes people to weaker, predictably-patterned passwords (Password1, Password2…). Only rotate when a breach is suspected.

Is 'correct horse battery staple' actually good?

Yes, if the words are randomly drawn from a large dictionary. The xkcd example uses 4 words from a ~2048-word list, giving 44 bits of entropy — decent for low-stakes accounts but borderline for high-stakes. Use 6+ words for accounts that actually matter.

Why do password requirements still demand uppercase + number + symbol?

Inertia from the 2003 NIST guidelines, which the author later disavowed. Many forms still enforce them; we're stuck working around them rather than making passwords genuinely stronger.

Sources & references

Authoritative references cited by this piece. Verified by Buğra Sözeri on the dates shown and re-checked at every deploy.


Published May 14, 2026 · Last reviewed May 31, 2026