How to Generate Secure Passwords in 2026
The old rules were wrong
For years, every password policy looked the same: at least 8 characters, one uppercase, one lowercase, one number, one special character. Change it every 90 days. You know the drill.
The problem? It didn't work. People responded exactly how you'd expect — they picked Password1! and then changed it to Password2! next quarter. Attackers figured this out a long time ago.
NIST finally made it official. In their SP 800-63B Revision 4 (released August 2024, with the old version withdrawn in August 2025), they flipped the script: no more forced complexity rules, no more mandatory password rotation. Length wins. Everything else is secondary.
Length beats complexity, every time
Here's the math that matters. A password cracker running through 10 billion guesses per second (realistic for offline attacks against fast hashes) will crack an 8-character password with mixed complexity in under a day. A 16-character password using just lowercase letters? That takes over 10 million years.
The takeaway is simple: longer passwords are exponentially harder to crack. A 20-character passphrase made of random words — something like marble-cabinet-fossil-thunder — is both stronger and easier to remember than Tr0ub4dor&3.
This isn't new insight. Randall Munroe made this point in his famous xkcd comic back in 2011. It just took the standards bodies a while to catch up.
What NIST actually recommends now
The updated guidelines boil down to a few key changes:
Minimum 15 characters, support up to 64. NIST now recommends a minimum of 15 characters for passwords (up from 8). And systems should accept passwords up to at least 64 characters. If your password field maxes out at 20, that's a red flag about the system's security posture.
No composition rules. Systems "shall not" (their words — that's a mandate, not a suggestion) require specific character types. No forced uppercase, no mandatory special characters. These rules push people toward predictable patterns.
No periodic rotation. Stop forcing password changes on a schedule. Only require a new password when there's actual evidence of compromise. Scheduled resets cause more harm than good.
Screen against breached passwords. Every new password should be checked against databases of known compromised credentials. If someone tries to set their password to qwerty123, the system should reject it — not because of a complexity rule, but because that exact string has appeared in hundreds of data breaches.
No password hints or knowledge-based recovery. "What's your mother's maiden name?" is a security liability, not a security measure. That information is too easy to find on social media.
How to actually generate a good password
Knowing the principles is one thing. Putting them into practice is another. Here's what I actually recommend:
For accounts you type frequently (like your laptop login), use a passphrase. Four or five random words, separated by hyphens or spaces. Something like oyster-blank-river-maple-tone. It's long, it's random, and you can actually type it without wanting to throw your keyboard.
For everything else, let a generator handle it. You're not going to type your Netflix password from memory anyway — it'll come from your password manager's autofill. So make it 24+ characters of pure random noise: k8$mP2vL!nQ9xR4wJ7bF3yA6. No human needs to memorize that.
For throwaway accounts, you still want something unique. Reusing passwords is the single biggest risk most people face. When one site gets breached (and they do, constantly), attackers try those credentials everywhere else. A password generator makes this trivial — generate, paste, forget.
What makes a password generator trustworthy?
Not all generators are equal. A few things to look for:
It should run client-side. Your password should never leave your browser. If a generator is sending your password to a server to "create" it, that's a problem. Our password generator runs entirely in your browser — nothing gets transmitted.
It should use cryptographically secure randomness. JavaScript's Math.random() is not good enough. Proper generators use the Web Crypto API (crypto.getRandomValues()), which pulls from the operating system's entropy pool. This is the difference between "random enough for a dice game" and "random enough to protect your bank account."
It should let you control the output. Sometimes you need a 12-character password because a legacy system won't accept more. Sometimes you want only alphanumeric characters because a particular input field breaks on special characters (frustrating, but it happens). A good generator gives you knobs to adjust.
Passphrases vs random strings
I keep coming back to this because it's the most practical decision you'll make.
Passphrases — random word combinations — are great when you need to type the password. They're also great when you need to read it to someone over the phone (imagine reading out k8$mP2vL! versus marble cabinet fossil).
Random character strings are better when a machine handles the password for you. They pack more entropy per character, so you can get the same security in fewer characters.
For perspective: a 4-word passphrase drawn from a 7,776-word list (like Diceware) gives you about 51 bits of entropy. A 16-character random string using uppercase, lowercase, digits, and symbols gives you about 105 bits. Both are strong enough for most purposes, but they solve different problems.
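The arithmetic behind those two figures is short enough to carry through in code. The block below is an added example, not part of the article: it computes entropy for any pool size and length, reproduces the 4-word and 16-character cases, covers the 8-character-mixed versus 16-lowercase comparison from earlier, and answers the practical follow-up question of how many words or characters you need to hit a given target. It assumes a 94-symbol printable-ASCII alphabet for "uppercase, lowercase, digits, and symbols" and the 7,776-word Diceware list.

```javascript
// Added example (not from the article): entropy accounting for passphrases
// and random strings, generalised to any pool size and target.
const DICEWARE_WORDS = 7776;  // 6^5 entries in a Diceware list
const PRINTABLE_ASCII = 94;   // 26 + 26 + 10 + 32 symbols, space excluded (assumption)
const LOWERCASE = 26;

// Bits of entropy of `count` independent uniform choices from a pool of `poolSize`.
function entropyBits(poolSize, count) {
  return Number((count * Math.log2(poolSize)).toFixed(1));
}

// Smallest number of choices from `poolSize` that reaches `targetBits`.
function choicesNeeded(targetBits, poolSize) {
  return Math.ceil(targetBits / Math.log2(poolSize));
}

// Side-by-side view of the strategies discussed in the article for one target.
function compare(targetBits = 105) {
  return {
    eightMixed: entropyBits(PRINTABLE_ASCII, 8),
    sixteenLower: entropyBits(LOWERCASE, 16),
    fourWords: entropyBits(DICEWARE_WORDS, 4),
    sixteenMixed: entropyBits(PRINTABLE_ASCII, 16),
    wordsForTarget: choicesNeeded(targetBits, DICEWARE_WORDS),
    lowercaseCharsForTarget: choicesNeeded(targetBits, LOWERCASE),
    mixedCharsForTarget: choicesNeeded(targetBits, PRINTABLE_ASCII),
  };
}
```

Each Diceware word is worth about 12.9 bits and each printable-ASCII character about 6.6, so matching a 16-character random string with words takes 9 of them; that is the trade the section describes, typeability against length.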
Common mistakes that still trip people up
Reusing passwords across sites. I already mentioned this, but it's worth repeating because it's the number-one way accounts get compromised. The Have I Been Pwned database has over 14 billion breached credentials. If you're reusing passwords, you're betting that none of your accounts were in any of those breaches.
Substituting letters with numbers. Swapping a for @ or e for 3 feels clever, but cracking tools have been doing this automatically for over a decade. P@ssw0rd is not meaningfully harder to crack than Password.
Using personal information. Your dog's name, your birthday, your street address — all of this is findable. Social engineering and OSINT tools make short work of "personal" passwords.
Storing passwords in plain text. A sticky note on your monitor. A passwords.txt file on your desktop. A note in your phone with no encryption. If someone gets access to that, they get everything.
Use a password manager
I'll be direct: if you're not using a password manager in 2026, you're making your life harder and less secure. Tools like Bitwarden (open source), 1Password, or even the built-in managers in Chrome and Safari handle the hard part. They generate strong passwords, store them encrypted, and autofill them when you need them.
The only password you need to memorize is your master password. Make it a long passphrase. Write it down and keep it somewhere physically secure if you have to — that's still better than reusing Summer2024! everywhere.
Wrapping up
Password security got simpler, not harder. Use long passwords, don't reuse them, and let tools do the generating and remembering. If you need a quick password right now, our password generator runs in your browser and gives you full control over length, character types, and format.