How to Create a Strong Password in 2026 (What the Experts Now Say)

A practical guide · about 7 min read

For years we were all taught the same password rules: mix in capital letters, numbers, and symbols, and change your password every few months. It turns out most of that advice was wrong, and the experts have officially changed their minds. The latest guidance from the US National Institute of Standards and Technology (NIST), which sets the standard the whole industry follows, has flipped the old rules on their head. Here is what actually keeps your accounts safe in 2026, in plain language.

The biggest change: length beats complexity

This is the single most important shift. For decades the focus was on complexity, forcing symbols and mixed case into every password. The new thinking is clear: a long password is far stronger than a short, complicated one.

The reason is simple maths. Every extra character multiplies the number of possible combinations an attacker has to try. A long password made only of lowercase letters can take centuries to crack by brute force, while a short password stuffed with symbols can fall in hours. As one security analysis put it, a 20-character password is astronomically harder to break than an 8-character one, and it is usually easier to remember too.

How long should a password be?

The current recommendations point to these targets: at least 12 characters as the minimum, 16 or more as the goal for everyday accounts, and 20 or more for important accounts such as email and banking.

NIST now treats length as the cornerstone of a strong password. The old eight-character minimum is considered the bare floor, not a goal. If you take one thing from this article, let it be this: make your passwords longer.

The power of passphrases

Long does not have to mean impossible to remember. This is where passphrases come in: several random words strung together. A phrase like "correct horse battery staple" is long, easy to recall, and far stronger than a tortured string like "P@ssw0rd!" that follows a predictable pattern. Pick a few unrelated words, and you have a password that is both memorable and tough to crack.
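The maths behind the two sections above, as an added example that is not part of the original guide: it computes the search space and entropy of an 8-character symbol-heavy password versus a 20-character lowercase one and a random multi-word passphrase, and generates both kinds with the operating system's secure random source. The guess rate and the eight-word list are constructed illustration values, not figures from the article.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 3600

def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate strings an exhaustive attacker must try."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy, assuming every position is chosen uniformly at random.
    Human-chosen passwords that follow patterns ("P@ssw0rd!") have far less."""
    return length * math.log2(alphabet_size)

def crack_years(space: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole search space at a given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def generate_password(length: int, alphabet: str = string.ascii_lowercase) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed toy word list for illustration only; a real Diceware-style list has 7776 words.
WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "meadow", "violet", "kettle"]

def generate_passphrase(words: int, wordlist: list[str] = WORDLIST) -> str:
    """Random passphrase; entropy per word is log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    return entropy_bits(wordlist_size, words)

if __name__ == "__main__":
    RATE = 1e10  # assumed offline guess rate in guesses per second (constructed figure)
    for label, alpha, n in [("8 chars, all 95 printable ASCII", 95, 8),
                            ("20 chars, lowercase only", 26, 20)]:
        bits = entropy_bits(alpha, n)
        years = crack_years(search_space(alpha, n), RATE)
        print(f"{label}: {bits:.1f} bits, {years:.2e} years to exhaust")
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
    print(f"6 words from a 7776-word list: {passphrase_entropy_bits(6, 7776):.1f} bits")
    print("generated:", generate_password(20), "|", generate_passphrase(6))
```

At the assumed rate the 8-character password falls in well under a year while the 20-character lowercase one would take tens of billions of years to exhaust, which is the point the article makes in words.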

What no longer matters as much

Two old rules have officially been dropped: mandatory complexity (forcing symbols, numbers and mixed case into every password) and scheduled password changes. Symbols help a little, but length matters far more, and making people change passwords every few months tends to make them weaker. A password only needs changing when there is evidence it has been compromised.

The habits that matter most

Beyond a single strong password, these practices protect you the most, in order of importance:

  1. Use a unique password for every account. If one site is breached, reused passwords let attackers into everything else. This is the most common way accounts get hijacked.
  2. Make it long. Aim for 16 characters or more, as above.
  3. Make it random. Humans are bad at being random; we fall into patterns. A password generator does it properly.
  4. Check it has not been breached. Even a strong password is useless if it has leaked. Good password managers check this for you automatically.

Use a password manager

Here is the honest truth: nobody can remember a long, unique, random password for dozens of accounts. The solution the experts recommend is a password manager, a secure app that generates and stores all your passwords. You only need to remember one strong master passphrase; the manager handles the rest. NIST's emphasis on length and uniqueness is exactly why these tools have become essential.

Generate a strong password now

The fastest way to get a long, random password is to let a tool build one for you. Our free Password Generator creates a strong, random password right in your browser, so it is never sent anywhere. Choose your length, decide whether to include numbers and symbols, and generate. Pair it with a password manager and a unique password for each account, and you are following the best advice available in 2026.

Frequently asked questions

How long should a password be?
At least 12 characters, ideally 16 or more, and 20-plus for important accounts like email and banking.
Are symbols and capital letters still needed?
They help a little, but length matters far more. A long passphrase beats a short, symbol-heavy password.
Should I change passwords every few months?
No. Only change a password if there is evidence it has been compromised. Scheduled changes tend to make passwords weaker.
Is it safe to store passwords in a password manager?
Yes. Reputable password managers use strong encryption and are far safer than reusing or writing down passwords.
