
For decades, the answer to "how do I make a strong password?" was: add a capital letter, throw a symbol at the end, append a number. The problem is that humans under rules are predictable. The capital goes at the front. The symbol and number go at the back. Cracking tools know this, because they were trained on billions of real passwords from people who followed exactly the same instinct.
Both human memory and cracking algorithms run on patterns. That's the conflict, and it doesn't go away by adding @ to the end of your dog's name. This guide explains the mechanics, the one exception, and what a sustainable credential system actually looks like.
Key takeaways
- The easier a password is to remember, the easier it is to crack. Memorability and security pull in opposite directions. That tension is structural: it comes from how human memory works.
- Symbol substitutions and complexity rules do not meaningfully increase security. Modern password-cracking algorithms are trained specifically on these predictable human patterns, allowing attackers to bypass them with optimized brute-force attacks.
- The latest NIST SP 800-63B guidelines officially drop mandatory complexity rules and 90-day rotations, establishing a new recommended minimum of 15 characters.
- The only password type that is both memorable and cryptographically strong is a Diceware passphrase: random words chosen by dice, not by you.
- You need to memorize exactly one password: the master passphrase that unlocks your password manager. Every other credential should be randomly generated and stored in the vault.
What is a strong password
A strong password is a credential that resists both automated guessing and targeted attacks. NIST SP 800-63B sets the minimum at 8 characters, recommends systems accept up to 64 characters, and drops mandatory complexity rules entirely in favor of length and uniqueness. The practical working baseline for most security teams is 12-16 randomly generated characters, with entropy above 75 bits.
Four parameters define whether a password meets that baseline:
- Length. The single most effective variable. Each additional character multiplies the search space exponentially. At 12 characters, a fully random alphanumeric string requires billions of years to brute-force at current hardware speeds. At 8, that window collapses to hours.
- Randomness. Human-chosen passwords cluster around predictable patterns: names, dates, dictionary words with substitutions. A password generator removes that clustering entirely. If you chose it, it is probably weaker than it looks.
- Uniqueness. One credential per account. A single compromised password grants access to every system where it appears. Reuse transforms an isolated breach into a lateral movement opportunity.
- No expiration without cause. NIST SP 800-63B explicitly deprecates mandatory periodic rotation. Forced rotation produces predictable increments (
Password1 → Password2) and trains users to choose weaker base passwords. Change a credential when there is evidence of compromise.
The memorability paradox: Why your brain is a liability
Any property that makes a password easier to remember also makes it easier to guess. Human memory encodes information through patterns, associations, and meaning. A password that sticks in your mind does so because it connects to something you already know: a word, a date, a name, a keyboard shape. Those same connections are exactly what cracking tools exploit.
PassGAN (Generative Adversarial Network for password cracking) and similar tools are trained on billions of leaked credentials. They do not try aaaaaaa before p@ssword. They try the things humans actually choose, in the order humans actually choose them. Substituting @ for a in password gives you p@ssword, which PassGAN generates within the first few thousand guesses in less than a fraction of a second. Capitalising the first letter and adding 1 at the end are patterns the model has seen millions of times.
Length and character set both matter, but they don't matter equally. Hive Systems' 2025 password table, tested against 12 × RTX 5090 GPUs with bcrypt at work factor 10, shows that an 8-character password using only lowercase letters falls in three weeks. Add uppercase, numbers, and symbols, and that figure reaches 164 years against the same hardware. A 12-character password with the same full mixed-character set takes the table into centuries.

The table is updated annually to reflect current consumer GPU hardware. The shift from the 2024 edition to 2025 reflects both faster hardware and more realistic hash strength assumptions drawn from what Hive Systems observed in actual breach data.
Why traditional password advice is dead
The old complexity rules (eight characters, one uppercase, one number, one symbol) failed, because they were wrong about human behaviour under constraints. Where the memorability paradox describes a cognitive failure, mandatory complexity rules produced a policy failure on top of it.
For years, the dominant cracking approach was dictionary attacks: automated tools cycling through known words and common substitutions. Security teams responded by mandating complexity. The problem is that humans under complexity pressure are predictable. When told to add a symbol, most people add it at the end. When told to substitute a letter, most choose the same substitutions. The rules designed to increase unpredictability produced a new layer of predictable behaviour.
The other failure of old advice was the 90-day rotation policy. Forced resets produce Summer2025! followed by Fall2025!. Verizon's 2026 DBIR, which analyzed over 22,000 confirmed breaches across 145 countries, found that vulnerability exploitation has now overtaken credential theft as the primary breach entry point (31%). Credential abuse sits at 13% as an initial access vector, but that figure looks at only the first action. The DBIR found that credential abuse appears in 39% of all breaches when measured across the full attack chain making it the single most pervasive technique in the dataset.
Length is the primary defense. A 15-character passphrase built from random words is orders of magnitude stronger than an 8-character string of symbols, and a human can actually remember it.
The new standard: NIST SP 800-63B Rev. 4 guidelines
NIST SP 800-63B Rev. 4 (2025) sets the current baseline for password security. When a password is the only authentication factor, systems must require a minimum of 8 characters and should require at least 15 characters. Mandatory complexity rules (forced symbols, numbers, mixed case) are explicitly dropped, as is the 90-day expiration cycle. Checking new passwords against known-breached credential lists is now required, not optional.
The full shift in policy looks like this:
| Rule | Old guidance (Rev. 3) | New guidance (Rev. 4) |
|---|---|---|
| Minimum length | 8 characters | 8 characters required; 15 recommended |
| Complexity requirements | Mandatory (symbols, numbers, uppercase) | Dropped, no longer required |
| Password expiration | Every 90 days | Only when compromise is suspected |
| Password hints | Allowed | Prohibited |
| Knowledge-based authentication | Allowed | Prohibited |
| Checking against breached lists | Optional | Required |
The logic behind dropping complexity is well-documented. NIST's own research found that complexity requirements push users toward predictable patterns and increase support costs without meaningfully improving resistance to automated attacks. Length has a direct mathematical relationship with cracking difficulty: each additional character multiplies the search space exponentially.
For IT administrators, the practical implication is clear: update your password policies to require 15+ characters, remove arbitrary complexity mandates, and implement checks against known-breached password lists such as the Have I Been Pwned dataset, which NIST explicitly references. Stop forcing rotations on a calendar schedule.
Passwords vs. passphrases
A passphrase is a sequence of random, unrelated words used as a single credential. Words are easier to retain than random characters, and length alone pushes entropy well above what most character-based passwords achieve. Four words already outperform a typical 10-character mixed-case string .
Password entropy measures how unpredictable a credential is, expressed in bits. Higher entropy means more possible combinations an attacker must try.
Tr0ub4dor&3 looks complex. But it is a dictionary word with predictable substitutions, a capital at the start, and a symbol and number appended at the end, a pattern that cracking tools model explicitly. Its effective entropy is far lower than it appears.
correct horse battery staple illustrates the math directly. Four words chosen randomly from that list gives approximately 44 bits of entropy (log₂ of 2,000⁴). Six random words from the Diceware list (7,776 words) produces around 77 bits, enough to resist brute-force attacks for decades at current computing speeds.
The critical word is random. "I love my dog Biscuit" is a passphrase, but it is not random. It reflects personal information and a natural sentence structure that cracking tools can model. A passphrase you invented is not random, because you invented it. True randomness requires a method that removes human choice from the equation entirely.

How to create a strong password you won't forget
The techniques below solve one specific problem: how to create and remember a single master passphrase. That passphrase has one job — unlocking your password manager. For every other credential you own, the answer is a randomly generated password stored inside that manager, not a passphrase you constructed and memorized.
The Diceware method
The Diceware method generates cryptographically random passphrases using physical dice and a standardized word list. Because the randomness comes from dice rolls rather than human choice, the resulting passphrase has provable entropy and sidesteps the memorability paradox entirely.
- Download the EFF Large Wordlist, which contains 7,776 words indexed by five-digit dice codes (e.g.,
16132 = cleft). - Roll five six-sided dice (or one die five times). Record the result, for example,
2-4-1-3-6. - Look up the corresponding word in the EFF list.
24136maps todragster. - Repeat steps 2-3 five more times to generate a six-word passphrase.
- Your result might be:
dragster cleft robin usage stomp anvil. Write it down temporarily.
Six words from the EFF list gives approximately 77.5 bits of entropy. That is the target. Five words (64.6 bits) is acceptable for most use cases; four words is the absolute minimum for a master password.
No dice? Use a generator
If physical dice aren't available, Passwork's free passphrase generator applies the same logic in a browser. It runs entirely locally — nothing is stored or transmitted. You can adjust word count, separators, and capitalization to match your requirements. The output is the same provably random result as Diceware, without the wordlist lookup.
The sentence method
The sentence method is better suited for people who need to create a strong master password quickly without dice. Take a sentence that is personally meaningful but not publicly known, and derive a password from its structure.
- Example sentence: "My first car was a 1998 Honda and I drove it to college."
- Derived password:
MfcWa1998HaIdItC
This produces a 16-character string with mixed case and numbers that has no dictionary relationship. The sentence itself is the mnemonic: you remember the sentence, not the password.
The limitation: this method produces less entropy than Diceware because humans choose memorable sentences, and memorable sentences follow predictable grammatical patterns. Use it only for the master password when Diceware is not practical. For everything else, use a manager.
The memory palace technique
The memory palace (Method of Loci) is a mnemonic technique for retaining the master passphrase you generated with Diceware. It works by associating each word with a specific physical location in a familiar space: your home, your commute route, a building you know well.
To memorize dragster cleft robin usage stomp anvil:
- Choose a familiar route through a space you know well: your front door, hallway, kitchen, living room, stairs, bedroom.
- Assign one word to each location. Make the image vivid and unusual: a dragster roaring through your front door, a cleft rock splitting your hallway floor, a robin sitting on your kitchen counter.
- Walk the route mentally, in order, several times. The stranger the image, the more reliably it sticks.
- After 24 hours, test recall without looking at the written passphrase. Most people can recall all six words after three or four mental walkthroughs.
The memory palace works because the brain encodes spatial and visual information more reliably than abstract strings. You are not memorizing dragster cleft robin usage stomp anvil. You are memorizing a walk through your house.
Once the passphrase is memorized, destroy the written copy.
Knowing how to construct and retain a master passphrase is a useful skill. But memorability is a constraint, and constraints produce compromises. A password manager removes that constraint entirely: it generates credentials with full entropy, stores them encrypted, and retrieves them without asking you to remember anything beyond one passphrase. The techniques above exist to protect that one passphrase. Everything else should be generated, not invented.
The only standard: One passphrase, everything else in a password manager
The memorability paradox has a single structural solution. You memorize one randomly generated master passphrase. A password manager generates and stores everything else, producing fully random, unique credentials for every account that you never need to see, type, or remember. That structure holds whether you have five accounts or five hundred.
In practice, this means:
- Zero password reuse across accounts — every credential is unique and randomly generated.
- One thing to memorize — the master passphrase you created with Diceware.
- No security decisions to make at login — the manager handles generation, storage, and autofill.
Passwork is built for this architecture. It is available as a self-hosted deployment or as a cloud service. Both options use AES-256 client-side encryption: credentials are encrypted before they leave your device, and Passwork never sees plaintext passwords.
The two deployment models differ in one dimension:
- The self-hosted option keeps all data within your own infrastructure.
- The cloud option removes the operational overhead of running your own instance without changing the encryption model.
Role-based access control lets administrators assign vault permissions to teams rather than individuals — relevant if you are managing credentials for a team rather than just yourself. A new engineer inherits access to the right vaults on day one and loses it the moment they leave, with no manual cleanup required.
For teams with compliance requirements, Passwork's audit logs provide a full record of who accessed which credential and when — the kind of documentation that SOC 2 CC6.1 and ISO 27001:2022 Annex A 5.15 controls require. The technical guides cover AD/LDAP integration, SAML SSO, and REST API access for teams that need to embed credential management into existing workflows.
Strong password examples: What good looks like in 2026
| Credential type | Example | Entropy (approx.) | Memorable? | Recommended use |
|---|---|---|---|---|
| 8-char complex | Tr0ub4dor&3 | ~28 bits effective | No | Avoid |
| 12-char random | k9#Lm2@pQr7! | ~78 bits | No | Acceptable for low-risk accounts |
| 4-word Diceware | dragster cleft robin usage | ~51 bits | Yes | Secondary accounts |
| 6-word Diceware | dragster cleft robin usage stomp anvil | ~77 bits | Yes (with memory palace) | Master password only |
| Sentence-derived | MfcWa1998HaIdItC | ~52 bits | Yes (via sentence) | Master password only |
| Machine-generated | k9#Lm2@pQr7!xN3$ | ~105 bits | No — stored in manager | All other accounts |
| Machine-generated secret | eyJhbGciOiJIUzI1... | 256 bits | N/A | API keys, tokens: use a secrets manager |
The "recommended use" column is the point. Diceware and sentence-derived passwords appear once in your life, as the master credential. Every other account gets a machine-generated password that you never see, never type, and never need to remember.
Putting it into practice

The memorability paradox does not have a workaround — it has a solution. Memorize one thing, generated randomly, using a method that removes your brain from the process. Use that to unlock a password manager that handles every other credential with machine-generated randomness you never have to think about.
Generate a 6-word Diceware passphrase. Encode it with a memory palace. Put everything else in a vault.
Frequently asked questions

How long should a strong password be in 2026?
NIST SP 800-63B Rev. 4 (2025) sets the absolute minimum at 8 characters but recommends at least 15 characters when a password is the sole authentication factor. For master passwords protecting a password vault or privileged accounts, a 6-word Diceware passphrase (roughly 25-35 characters) is the current best practice. Length is the primary driver of cracking resistance.
What is password entropy and why does it matter?
Password entropy measures how unpredictable a password is, expressed in bits. It is calculated as log₂ of the number of possible combinations. A 6-word Diceware passphrase drawn from the EFF list has approximately 77.5 bits of entropy. Higher entropy means an attacker must try more combinations to crack the password by brute force. Complexity rules add less entropy than they appear to; length adds entropy directly and predictably.
Is a passphrase more secure than a complex password?
Yes, in most cases. A 6-word random passphrase has higher entropy than a typical 10-character "complex" password, and it is far more resistant to the pattern-matching that AI cracking tools use. The key word is random. A passphrase built from personally meaningful words is weaker than it appears because human choices follow predictable patterns.
What is the Diceware method?
Diceware is a technique for generating random passphrases by rolling physical dice and mapping the results to words on a standardized list. The EFF Large Wordlist contains 7,776 words indexed by five-digit dice codes. Rolling five dice once produces one word; six rolls produce a six-word passphrase with approximately 77.5 bits of entropy. Because the randomness comes from dice rather than human choice, the result is provably unpredictable.
Should I still use a password manager if I have a strong passphrase?
Yes. A strong passphrase solves the master credential problem: the one password you memorize to unlock everything else. It does not solve the problem of managing dozens of separate credentials across different systems. A password manager generates fully random, unique passwords for every account and stores them securely. The passphrase is the key to the vault. The vault does the rest.
How do I remember a long passphrase?
The memory palace technique (Method of Loci) is the most reliable method for most people. Assign each word in your passphrase to a specific location along a familiar route (your home, your commute) and create a vivid mental image for each word. Walk the route mentally several times over 24-48 hours. Most people can reliably recall a six-word passphrase after four or five practice runs.
What changed in NIST's password guidelines?
NIST SP 800-63B Rev. 4 made several significant changes. It dropped mandatory complexity requirements (forced symbols, numbers, mixed case). It eliminated calendar-based password expiration, recommending resets only when compromise is suspected. It prohibited password hints and knowledge-based authentication questions. It now requires checking new passwords against known-breached credential lists. The minimum length remains 8 characters, with 15 characters as the recommended standard for single-factor authentication.
Why can't I just create memorable passwords without a manager?
Because memorability and security are in direct tension. The human brain encodes information through patterns and associations. Any password that feels memorable is, by definition, patterned — and patterns are what cracking algorithms are trained to find. The only exit from this paradox is to memorize one strong master passphrase and delegate everything else to a tool that generates true randomness.



Table of contents
- Key takeaways
- What is a strong password
- The memorability paradox: Why your brain is a liability
- Why traditional password advice is dead
- The new standard: NIST SP 800-63B Rev. 4 guidelines
- Passwords vs. passphrases
- How to create a strong password you won't forget
- The only standard: One passphrase, everything else in a password manager
- Strong password examples: What good looks like in 2026
- Putting it into practice
- Frequently asked questions
Table of contents
- Key takeaways
- What is a strong password
- The memorability paradox: Why your brain is a liability
- Why traditional password advice is dead
- The new standard: NIST SP 800-63B Rev. 4 guidelines
- Passwords vs. passphrases
- How to create a strong password you won't forget
- The only standard: One passphrase, everything else in a password manager
- Strong password examples: What good looks like in 2026
- Putting it into practice
- Frequently asked questions
Self-hosted password manager for business
Passwork provides an advantage of effective teamwork with corporate passwords in a totally safe environment. Double encryption and zero-knowledge architecture ensure your passwords never leave your infrastructure.
Learn more


