A practical guide to making passwords that resist modern attacks without forcing you to memorize random strings of symbols.
Most password advice hasn't caught up with how attacks actually happen in 2026. The classic "8 characters with a capital and a number" rule is decades old, and it leads people to create passwords like "Password1!" — which is trivial for modern cracking tools to guess.
Here is what actually matters, based on current guidance from NIST and leading security researchers, and how to make passwords you can remember without writing them on a sticky note.
A 20-character phrase made of common words is harder to crack than an 8-character string of symbols. Modern password crackers try billions of combinations per second, so every extra character roughly doubles the effort.
Aim for at least 16 characters on important accounts. For anything financial or identity-related, go for 20 or more.
Pick four or five unrelated words and link them together with punctuation or numbers. The classic example: "correct horse battery staple" — famously illustrated in an xkcd comic. It is long, memorable, and contains no personal information that can be guessed.
Tweak the method to suit your own taste.
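To make the length-versus-complexity argument concrete, here is an added example (not part of the original guide) that computes the entropy of the schemes discussed above and generates a word-based passphrase with the operating system's CSPRNG. The embedded 32-word list is a constructed stand-in for a real published list; the 7776-word size used in the comparison is the EFF long diceware list, and the guess rate of 10 billion per second is an assumed figure for illustration.

```python
import math
import secrets

# Constructed demo word list (32 entries). A real generator uses a published
# list such as the EFF long list (7776 words); the size matters because each
# word contributes log2(list size) bits of entropy.
WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orchid", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bridge", "cactus", "dagger", "engine", "forest", "glacier", "hammock",
]
SEPARATORS = "-_.!#"


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` uniformly random picks from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def compare_schemes():
    """Entropy of the schemes the guide contrasts, assuming uniformly random choice."""
    return {
        "8 random printable ASCII chars (95 symbols)": entropy_bits(95, 8),
        "4 words from a 7776-word diceware list": entropy_bits(7776, 4),
        "5 words from a 7776-word diceware list": entropy_bits(7776, 5),
        "20 random lowercase letters": entropy_bits(26, 20),
    }


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected time to hit the password: on average half the space must be searched."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(n_words=4, wordlist=WORDS, sep=None):
    """Join n random words with a separator and a trailing digit.

    Uses the `secrets` module (OS CSPRNG); `random.choice` is predictable and
    must not be used for credentials.
    """
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if sep is None:
        sep = secrets.choice(SEPARATORS)
    digit = secrets.randbelow(10)
    return f"{sep.join(words)}{sep}{digit}"


def passphrase_entropy(n_words, wordlist_size, random_sep=True):
    """Entropy of a passphrase built by generate_passphrase with a list of this size."""
    bits = entropy_bits(wordlist_size, n_words) + math.log2(10)  # words + digit
    if random_sep:
        bits += math.log2(len(SEPARATORS))
    return bits


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme}: {bits:.1f} bits, ~{years_to_crack(bits):.2g} years at 1e10 guesses/s")
    print("demo passphrase (tiny list, low entropy):", generate_passphrase())
```

Note that four diceware words (about 51.7 bits) land just below eight fully random printable characters (about 52.6 bits), while five words clearly exceed them; the passphrase wins on memorability at comparable strength, and adding a word costs far less effort than adding random symbols. The demo list is far too small for real use, which `passphrase_entropy(4, 32)` makes visible.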
Passphrases work well for accounts you type manually. For everything else — every website, every service — you should be using a password manager with a generator. You never see or type the password; the manager fills it in.
The single most important rule in 2026 is that every account gets its own password. Data breaches happen constantly. When one site leaks, attackers automatically try the leaked email/password combination against hundreds of other sites. This attack is called credential stuffing, and it is the reason why even careful people lose accounts.
Even a perfect password can leak through phishing or a breach on the service side. Two-factor authentication (2FA) means that a password alone is not enough — an attacker also needs a code from your phone. Enable it on email, banking, social media, and cloud storage first.
Use an authenticator app (like the ones built into modern phones or Authy) rather than SMS where possible. SIM swap attacks have made SMS-based 2FA unreliable for high-value accounts.
Modern password security comes down to three habits: make them long, never reuse them, and turn on 2FA. A password manager handles the rest. If you only change one thing after reading this, replace the shared password you use on multiple sites with a unique one on each — that single move stops the most common account takeover in the world.