Security

How to create strong passwords in 2026 (and why length wins)

A practical, no-nonsense guide to passwords that hold up in 2026: length, passphrases, managers, 2FA, and passkeys.

Most password advice you read online is twenty years out of date. "Use a capital letter, a number and a symbol" was decent guidance in 2005. In 2026, with cheap GPUs cracking eight-character passwords in minutes, the rule has changed. Length is the rule.

Length beats complexity

A 16-character password made of lowercase letters is harder to crack than an 8-character password full of symbols. Each extra character multiplies the number of possible passwords by the alphabet size again (26 for lowercase only, more if you mix cases, digits and symbols). Adding a new character class only enlarges that alphabet once; it does not compound the way added length does.

Aim for at least 16 characters. 20 is better. 24 is excellent.

The ChrysoKit password generator defaults to 20 characters with mixed case, numbers and symbols. That is a good baseline.

Passphrases for the ones you need to remember

For the small handful of passwords you actually have to memorize (your password manager itself, your laptop, your email recovery), use a passphrase instead of a random string. Four or five unrelated words, separated by something:

velvet-canyon-rocket-pebble-fountain

That is far easier to remember than x9!Kp@2vQz#7Lm$3nR, and significantly harder to crack. Two rules matter: pick the words randomly (not from a sentence or a song), and use at least four.
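The arithmetic behind the length-versus-complexity claim and the passphrase advice, as an added example that is not from the article or from ChrysoKit. The guess rate, the 7776-word list size and the short demo wordlist are assumptions labelled in the code.

```python
import math
import secrets
import string

# Assumed offline attack rate for the rough "time to crack" figures below.
# 1e10 guesses/s against a fast hash is a plausible scale for a multi-GPU rig;
# real rates vary enormously by hash algorithm, so read the output as orders of magnitude.
GUESSES_PER_SECOND = 1e10

# A real passphrase list (for example the 7776-word EFF "large" list) is what the
# entropy maths assumes; DEMO_WORDS is a constructed stand-in so this runs offline.
WORDLIST_SIZE = 7776
DEMO_WORDS = ["velvet", "canyon", "rocket", "pebble", "fountain", "harbor", "meadow", "lantern"]

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet_size ** length).

    Each extra character adds log2(alphabet_size) bits (the keyspace is multiplied
    again); enlarging the alphabet with a new symbol class changes the base only once."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to enumerate the whole keyspace at `rate` guesses per second.
    An attacker succeeds on average after about half of this."""
    return (2.0 ** bits) / rate / (365.25 * 24 * 3600)

def compare_policies() -> dict:
    """Bits for the cases the article discusses: 8 chars from all 95 printables,
    16 lowercase, a 20-char mixed password, and 4- and 5-word passphrases."""
    return {
        "8 chars, 95 printable": keyspace_bits(95, 8),
        "16 chars, lowercase": keyspace_bits(26, 16),
        "20 chars, 94 mixed": keyspace_bits(94, 20),
        "4 words of 7776": keyspace_bits(WORDLIST_SIZE, 4),
        "5 words of 7776": keyspace_bits(WORDLIST_SIZE, 5),
    }

MIXED_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def random_password(length: int = 20, alphabet: str = MIXED_ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(words: list, count: int = 5, sep: str = "-") -> str:
    """Pick `count` words independently and uniformly, not from a sentence."""
    return sep.join(secrets.choice(words) for _ in range(count))

if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label:24s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust")
    print(random_password())
    print(random_passphrase(DEMO_WORDS))
```

The printed table shows 16 lowercase characters (about 75 bits) beating 8 characters drawn from every printable symbol (about 53 bits), which is the whole point of the "length wins" rule.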

One password per site, no exceptions

Reusing passwords is the single biggest reason ordinary people get hacked. One leaked database hands attackers the keys to every account that shared its password. The fix is mechanical: use a different password for every site.

You cannot remember 200 unique 20-character strings. That is what password managers are for.

Use a password manager

A good password manager generates, stores and auto-fills credentials, and is protected by one strong master passphrase. Pick one of the well-reviewed options (1Password, Bitwarden, Proton Pass) and let it do the work. Your job becomes: remember one passphrase. The manager handles the rest.

Turn on 2FA everywhere

Two-factor authentication adds a second proof when you log in: a code from an authenticator app, a hardware key, or a passkey. It means that even if a password leaks, the attacker still cannot get in.

Prefer authenticator apps (Aegis, 2FAS, Authy) over SMS. SMS codes can be intercepted via SIM swap. Hardware keys (YubiKey, Google Titan) are the strongest option for accounts you really care about.

Save your backup codes. When you turn on 2FA, every service offers recovery codes. Save them in your password manager. People lock themselves out far more often than they get hacked.

Passkeys are the future

Passkeys replace passwords entirely. Instead of typing a string, you confirm a login with your device's biometric or PIN. There is nothing to phish, nothing to leak, nothing to remember. Apple, Google and Microsoft all support them now, and major sites are adding them every month.

When a site offers a passkey, take it. You can usually keep the password as a fallback while you adjust.

The strongest password is the one that does not exist because you used a passkey instead.

A 5-minute checklist

  1. Set up a password manager. Pick one and just commit.
  2. Set its master password as a 4-5 word random passphrase. Write it down somewhere physical until you have it memorized.
  3. Turn on 2FA for your email first. Email is the recovery channel for everything else.
  4. Replace passwords on your top 10 accounts with manager-generated ones.
  5. Where passkeys are offered, switch to them.

Do all five and you are ahead of probably 95% of internet users on security.

When you need a generated password, the ChrysoKit tool is one click away: open the password generator →

What changed in password guidance, and what merely got louder

Reading security guidance across the past decade shows real reversals worth knowing, because much published advice still reflects the old consensus. Forced periodic rotation, the every-90-days corporate ritual, is now explicitly discouraged by NIST and equivalents: it measurably produces incremented patterns (Spring2025! becomes Summer2025!) rather than security, so change-on-breach replaced change-on-schedule. Composition rules requiring one of each character class have been similarly demoted in favour of length and a check against known-breached passwords: a 25-character lowercase passphrase beats an 8-character symbol salad, and modern standards finally say so.

What got louder rather than newer: uniqueness per site, because credential stuffing industrialised; password managers as baseline rather than enthusiast practice; and two-factor authentication, with the refinement that the method hierarchy matters, since app-based codes and hardware keys resist phishing that SMS codes do not.

The genuinely new layer is passkeys: cryptographic credentials synced via your platform, phishing-resistant by construction, now offered by most major services. Adoption advice in 2026 is pragmatic: enable them where offered, keep the password plus 2FA underneath as fallback, and expect a long coexistence. The thread connecting every era of this advice remains constant: attackers model human habits, so security comes from removing human-generated predictability, whatever the year's mechanism for doing it.

Chryso

Founder of ChrysoKit. Writes about developer tools, productivity, and the small details that make software better.