Strong Password Guide: How to Create Secure Passwords

Password security advice has changed significantly. Here's what actually makes a password strong in 2025 — based on current NIST guidelines and real-world attack data.

Nitin Kaushik · Published 15 June 2025 · 7 min read


The 'password complexity' advice of the 2000s — uppercase, lowercase, number, symbol, changed every 90 days — turned out to produce predictably weak passwords. Users created 'Password1!' and then cycled through 'Password2!', 'Password3!'. The US NIST completely updated its guidelines in 2024-2025. Here's what actually works.

What Actually Makes a Password Strong?

Password strength is fundamentally about entropy — the number of possible combinations an attacker has to try. Entropy is determined by two things: the length of the password and the size of the character set it is drawn from. A 20-character password using only lowercase letters (26^20 combinations) is stronger than a 10-character password using all character types (95^10 combinations).

Length beats complexity

A 20-character all-lowercase password has 26^20 ≈ 1.99 × 10^28 combinations. A 10-character complex password (all character types) has 95^10 ≈ 5.99 × 10^19 combinations. The longer password is over 300 million times harder to brute-force.

NIST 2025 Password Guidelines

  • Minimum 8 characters; recommend 15+ for user-created passwords
  • Allow all printable ASCII and Unicode characters — don't block special characters
  • Do NOT require regular password rotation — it leads to weak incremental changes
  • Do NOT require complexity rules (uppercase/number/symbol mandatory) — they backfire
  • DO check passwords against breach databases (Have I Been Pwned API)
  • DO allow paste in password fields — blocking it undermines password manager use
  • DO support passwords up to at least 64 characters

Passphrases: Better Than Complex Passwords

A passphrase like 'correct-horse-battery-staple' is both easier to remember and harder to crack than 'Tr0ub4dor&3'. Four random common words provide ~44 bits of entropy — comparable to a random 8-character complex password — but are far easier to type and remember. Use 5-6 random words for a passphrase with ~55–66 bits of entropy, which is secure for most purposes.
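The entropy comparison above, the passphrase figures, and the NIST checklist (length-only policy, no complexity rules, breach-list lookup) pulled together into one script. This is an added example, not code from the article or from its Password Strength Checker; the breach table is constructed in the Have I Been Pwned "range" layout, with a made-up count, and the 2048-word list size is an assumption chosen because it reproduces the article's 44/55/66-bit figures.

```python
import hashlib
import math
import unicodedata

# Character-set sizes and word-list size behind the article's figures.
LOWERCASE = 26          # a-z only
PRINTABLE_ASCII = 95    # every printable ASCII character, space included
WORDLIST_2048 = 2048    # assumed list size: 2^11 words = 11 bits per word

def random_password_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)

def passphrase_bits(words: int, wordlist_size: int = WORDLIST_2048) -> float:
    """Entropy of `words` words drawn uniformly at random from the list."""
    return words * math.log2(wordlist_size)

# Constructed breach table keyed by the first 5 hex chars of a SHA-1 hash,
# each line "<35-char suffix>:<count>" as in the HIBP range API. The suffix
# for "password" (SHA-1 5BAA61E4...) is real; both counts are made up.
BREACH_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
             + "0" * 34 + "A:3\r\n",
}

def breach_count(password: str, ranges: dict[str, str] = BREACH_RANGES) -> int:
    """How many times `password` appears in the table. Only the 5-char prefix
    selects the bucket, which is the k-anonymity idea the HIBP API relies on."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in ranges.get(prefix, "").splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0

def nist_check(password: str, min_length: int = 8) -> list[str]:
    """Reasons a password fails a NIST 2025-style policy (empty list = OK).
    Deliberately absent: complexity rules, rotation, and any cap below 64."""
    problems = []
    # Normalise so visually identical Unicode is measured the same way
    # (NIST SP 800-63B recommends NFKC or NFD normalisation).
    normalised = unicodedata.normalize("NFKC", password)
    if len(normalised) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(normalised)
    if seen:
        problems.append(f"found in breach data {seen} times")
    return problems
```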

Password Managers: The Right Solution

The ideal password security model: use a password manager to generate a unique, random, 20+ character password for every account. You remember one strong master password; the manager handles everything else. This eliminates password reuse (the most common cause of account takeovers) and allows using maximum-length random passwords everywhere without memory burden.

Multi-Factor Authentication

MFA (Multi-Factor Authentication) adds a second verification step beyond the password — typically a time-based one-time code (TOTP) from an authenticator app or a hardware security key. Even if an attacker has your password, they cannot access the account without the second factor. Enable MFA on all accounts that support it, especially email and financial services.

Have Your Passwords Been Breached?

Have I Been Pwned (haveibeenpwned.com) lets you check if your email or password has appeared in known data breaches. Our Password Strength Checker includes an offline check against the most common breached passwords without transmitting your password anywhere.


Frequently Asked Questions

How often should I change my passwords?

According to NIST 2025 guidelines, change passwords only when you have reason to believe they have been compromised — not on an arbitrary schedule. Regular forced rotation leads to users making predictable incremental changes (adding a number to the end), which actually reduces security.

Is it safe to save passwords in my browser?

Browser password managers are convenient and significantly better than password reuse or weak passwords. For higher security, dedicated password managers (1Password, Bitwarden, Dashlane) offer stronger encryption, cross-device sync, breach monitoring, and emergency access features.

What is the minimum password length I should use?

NIST recommends at minimum 8 characters for user-chosen passwords, but for actual security consider 15+ characters. For randomly generated passwords from a password manager, use 20+ characters — the extra length has no memorability cost and dramatically increases security.
