How to Create a Strong Password in 2026

Updated March 2026 · 7 min read · By Travis Cook

"123456" is still the most common password in data breaches. Every year. "password" is still in the top 5. A weak password gets cracked in seconds. A strong one takes centuries. And the difference isn't adding an exclamation point at the end. It's length.

Length Beats Complexity

Length is everything. An 8-character password with uppercase, lowercase, numbers, and symbols? About 6 quadrillion combinations. Sounds like a lot until a GPU chews through it in hours. A 16-character password using only lowercase letters? 43 sextillion combinations. That's 7 million times more possibilities, despite being "simpler." Every character you add multiplies the number of possibilities by the size of the character set, so the difficulty grows exponentially with length. Aim for at least 16 characters. 20+ is even better.

The Passphrase Method

Take 4-6 random, unrelated words and string them together. "correct horse battery staple" (the famous XKCD comic) is easy to remember and would take centuries to crack. The key word is random. Don't pick words that relate to each other or form a phrase. Throw in a number or symbol if the site demands it. "purple-telescope-marble-ocean-14" works. "foggy.cactus.umbrella.rocket" works. "ilovemydog2026" does not, because it's predictable. Neither does "letmein123."
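The keyspace figures from "Length Beats Complexity" and the passphrase method above, worked through as an added example (not code from this article or from MayoCalc). The 16-word sample list is constructed so the block runs offline, and the 7,776-word list size is an assumption matching common Diceware-style word lists.

```python
import math
import secrets

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly `length` symbols."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every symbol (or word) is picked uniformly at random."""
    return length * math.log2(alphabet_size)

def words_needed(list_size: int, target_bits: float) -> int:
    """Fewest random words from a list of `list_size` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(wordlist, n_words: int = 5, sep: str = "-") -> str:
    """Draw words independently with the OS CSPRNG; humans picking words is not random."""
    words = sorted(set(wordlist))  # duplicates would skew the odds
    if len(words) < 2:
        raise ValueError("wordlist needs at least two distinct words")
    return sep.join(secrets.choice(words) for _ in range(n_words))

# Constructed sample list, only 16 words: fine for a demo, far too small for real use.
SAMPLE_WORDS = ["purple", "telescope", "marble", "ocean", "foggy", "cactus",
                "umbrella", "rocket", "walnut", "anchor", "velvet", "glacier",
                "pepper", "lantern", "timber", "saddle"]
DICEWARE_SIZE = 7776  # assumption: size of a typical Diceware-style word list

if __name__ == "__main__":
    complex8 = keyspace(95, 8)    # 95 printable ASCII characters
    lower16 = keyspace(26, 16)    # lowercase letters only
    print(f"8 chars, full keyboard : {complex8:.2e} ({entropy_bits(95, 8):.1f} bits)")
    print(f"16 chars, lowercase    : {lower16:.2e} ({entropy_bits(26, 16):.1f} bits)")
    print(f"ratio                  : {lower16 // complex8:,}x")
    target = entropy_bits(26, 16)
    print(f"words from a {DICEWARE_SIZE}-word list to match 16 lowercase chars: "
          f"{words_needed(DICEWARE_SIZE, target)}")
    print(f"5 words from the 16-word sample list: "
          f"{entropy_bits(len(SAMPLE_WORDS), 5):.0f} bits (too weak)")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

A passphrase's strength comes from the size of the list and the number of words drawn, not from how unusual the words look.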

What Makes a Password Weak

Under 12 characters? Crackable by brute force with a decent GPU. Dictionary word with "clever" swaps like "p@ssw0rd"? Cracked instantly. Personal info like your name, birthday, or pet's name? Attackers scrape that from social media in minutes. Keyboard patterns like "qwerty"? Literally in every cracking toolkit. Reused passwords? One breach and every account using that password is compromised.
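The weakness categories above, turned into a local check as an added example (not code from this article or its calculator). The common-password set is a small constructed sample, and the `personal` and `already_used` parameters are hypothetical inputs supplied by the caller.

```python
# Constructed sample of very common passwords; a real check would load a
# much larger list of breached passwords.
COMMON = {"password", "letmein", "qwerty", "welcome", "iloveyou", "dragon", "123456"}

# Undo the "clever" swaps the article mentions (p@ssw0rd -> password).
DELEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                        "3": "e", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12  # the article's brute-force threshold

def _has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in pw:
                    return True
    return False

def weakness_reasons(password, personal=(), already_used=()):
    """Return the weakness categories that apply; an empty list means none were found."""
    reasons = []
    lower = password.lower()
    plain = lower.translate(DELEET)  # same string with symbol swaps reversed
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if any(w in lower or w in plain for w in COMMON):
        reasons.append("dictionary")
    if any(p and p.lower() in lower for p in personal):
        reasons.append("personal")
    if _has_keyboard_run(lower):
        reasons.append("keyboard")
    if password in already_used:
        reasons.append("reused")
    return reasons

if __name__ == "__main__":
    for pw in ["p@ssw0rd", "letmein123", "qwerty", "foggy.cactus.umbrella.rocket"]:
        print(f"{pw!r:34} -> {weakness_reasons(pw) or 'no known weakness'}")
```

An empty result only means none of these patterns matched; it does not show the password was chosen randomly.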

Use a Password Manager

You're not going to remember 80 unique 20-character passwords. Nobody is. That's what password managers are for. They generate random passwords, store them encrypted, and auto-fill when you log in. You remember one master passphrase and the manager handles everything else. Bitwarden is free and open source. 1Password is excellent. Apple's iCloud Keychain works if you're all-in on Apple. Pick one and use it. It eliminates reuse, which eliminates the single biggest risk most people have.

Two-Factor Authentication

Even a perfect password can get stolen if you type it into a phishing site or it leaks in a breach. That's why 2FA exists. It adds a second check: something on your phone in addition to the password. Turn it on for everything that offers it, starting with email, banking, and social media. Use an authenticator app (Google Authenticator, Authy) instead of SMS codes. SMS can be intercepted through SIM swapping, which is more common than people realize.

How Passwords Get Cracked

Brute force: A GPU tries billions of combinations per second until yours falls. This is why length matters so much.

Dictionary attacks: Attackers try every common word, name, and leaked password from previous breaches.

Credential stuffing: They take leaked email/password pairs from one breach and try them everywhere else. Works disturbingly often because people reuse passwords.

Phishing: A fake login page that looks exactly like the real one. No password strength helps here. This is why 2FA matters.

About the Author

Travis Cook writes about technology and digital tools for MayoCalc, breaking down technical concepts into plain language with hands-on experience in networking, security, and web development.

Password FAQ

How often should I change my password?
The old advice to change passwords every 90 days is outdated. NIST (the National Institute of Standards and Technology) now recommends changing passwords only when there's evidence of a breach. Frequent forced changes lead to weaker passwords because people use predictable patterns. Focus on making strong, unique passwords and using 2FA instead.
Are password managers safe?
Yes, for the vast majority of people. Your passwords are encrypted locally before being stored, so even the password manager company can't read them. The risk of a password manager breach is far lower than the risk of reusing weak passwords across dozens of sites. Use a strong master passphrase and enable 2FA on your password manager account.
What about passkeys?
Passkeys are a newer technology that replaces passwords entirely with cryptographic key pairs stored on your device. They are phishing-resistant and easier to use. Major services like Google, Apple, and Microsoft support passkeys. If a service offers passkey support, it's generally more secure than even a strong password with 2FA.
Is writing passwords down on paper safe?
Surprisingly, it's better than reusing the same weak password everywhere. A piece of paper in your wallet or desk isn't accessible to remote attackers. But a password manager is strictly better because it also generates strong random passwords and works across all your devices.

Sources

National Institute of Standards and Technology (NIST): NIST SP 800-63B: Digital Identity Guidelines (password best practices)
Cybersecurity & Infrastructure Security Agency (CISA): CISA strong password guidance

Disclaimer: This article is for educational purposes only. Password security recommendations are based on NIST SP 800-63B guidelines. Never enter real passwords into untrusted websites or tools. Our Password Strength Calculator runs entirely in your browser and never transmits your password.