For decades, the internet told you that a secure password looked like this: P@$$w0rd!. Mix uppercase, lowercase, numbers, and symbols. Change it every 90 days. Use a different one for every site.
The result? People wrote passwords on sticky notes, reused variations across every account, and created strings that were simultaneously hard for humans to remember and easier for computers to crack than expected.
In 2024, NIST (the US National Institute of Standards and Technology) published updated guidelines that changed the conversation. The core message: length matters far more than complexity.
Understanding Password Entropy
Entropy is the measure of unpredictability in a password — how many guesses an attacker would need to crack it through brute force. It is measured in bits.
The calculation is: Entropy = log₂(Pool Size^Length), which is the same as Length × log₂(Pool Size). Each extra character adds log₂(Pool Size) bits, so length scales entropy linearly while widening the pool only adds a few bits per character.
An 8-character password drawn from the 26 lowercase letters has about 37.6 bits of entropy. Add uppercase and numbers (a 62-character pool) and you get 47.6 bits — an improvement, but a modest one.
Now consider a passphrase: four common English words chosen randomly. Even with a pool of only 7,776 words (the standard Diceware list), four words give you 51.7 bits of entropy. Five words give 64.6 bits — more than any typical “complex” password.
The key word is randomly. “correct horse battery staple” (the famous xkcd example) is strong precisely because the words were chosen by chance, not because you picked them from your life. “summer2026!” is not a passphrase — it is a predictable pattern.
What the NIST 2024 Guidelines Actually Say
The updated NIST SP 800-63B guidelines make several important points that run counter to conventional wisdom:
- Minimum 8 characters, recommended 15+. Longer is almost always better.
- Do not force periodic rotation unless there is evidence of compromise. Forced rotation leads to predictable patterns like incrementing a number at the end.
- Do not require complexity rules. Mandatory special characters lead to substitutions like @ for a and 3 for e — patterns attackers know well.
- Check against known breached password lists. A password that appears in data breaches is weak regardless of how complex it looks.
- Allow all printable ASCII characters and spaces. Blocking spaces prevents passphrases.
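To make the contrast concrete, here is an added example (not code from the article or from NIST) that puts a legacy complexity rule beside a verifier following the points above: minimum length, spaces and all printable characters allowed, no composition rules, and a lookup against breached passwords. The breached set is a small constructed stand-in for a real breach-corpus lookup, and the 15-character recommendation is surfaced as a warning rather than a rejection.

```javascript
// Added example: NIST SP 800-63B style password verifier beside the legacy rule it replaces.
// BREACHED is a constructed stand-in for a real breached-password corpus.
const BREACHED = new Set(["password", "123456", "qwerty", "P@$$w0rd!", "summer2026!"]);

// Legacy rule: 8+ characters with upper, lower, digit and symbol.
// It accepts "P@$$w0rd!" and rejects a four-word passphrase, which is exactly the problem.
function legacyComplexityCheck(pw) {
  return (
    pw.length >= 8 &&
    /[A-Z]/.test(pw) &&
    /[a-z]/.test(pw) &&
    /[0-9]/.test(pw) &&
    /[^A-Za-z0-9]/.test(pw)
  );
}

// NIST-style rule: length floor, everything printable (including spaces) allowed,
// no composition rules, and a check against known-breached passwords.
// Returns { ok, reasons, warnings }: reasons block the password, warnings only advise.
function nistCheck(pw, breached = BREACHED, minLength = 8, recommendedLength = 15) {
  const reasons = [];
  const warnings = [];
  if (pw.length < minLength) reasons.push(`shorter than ${minLength} characters`);
  // Reject only control characters (0x00-0x1F, 0x7F); spaces and symbols stay allowed.
  if (/[\x00-\x1f\x7f]/.test(pw)) reasons.push("contains control characters");
  if (breached.has(pw)) reasons.push("appears in a known breach list");
  if (pw.length >= minLength && pw.length < recommendedLength) {
    warnings.push(`shorter than the recommended ${recommendedLength} characters`);
  }
  return { ok: reasons.length === 0, reasons, warnings };
}

// Demo: the article's "complex" password passes the legacy rule but is breached;
// the xkcd passphrase fails the legacy rule but is fine under the NIST-style check.
for (const candidate of ["P@$$w0rd!", "correct horse battery staple"]) {
  console.log(candidate, "legacy:", legacyComplexityCheck(candidate), "nist:", nistCheck(candidate));
}
```

In a real deployment the breached-password lookup is a query against a breach corpus rather than an in-memory set, but the decision logic is the same: length and breach status decide, not which character classes happen to be present.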
The One Rule That Still Applies Everywhere
Use a unique password for every account. This is not optional. When a service is breached — and breaches happen constantly — attackers take those credentials and test them against every major platform. This is called credential stuffing, and it is how most real-world account takeovers happen. Password reuse is the single greatest practical vulnerability for most people.
A password manager removes the burden of remembering unique credentials. Use one.
Generating Passwords You Can Trust
Whether you are creating a passphrase for a master password or a random string for a service that doesn’t support passphrases, a good generator handles the entropy correctly — using cryptographically secure random number generation, not Math.random().
Generate strong, random passwords or passphrases with configurable length, character sets, and entropy display. Runs entirely in your browser.
Practical Takeaways
- Use a passphrase of 4–6 random words for anything you have to type regularly (like a master password)
- Use a long random string from a generator for everything stored in a password manager
- Enable two-factor authentication everywhere it is available — 2FA mitigates credential theft even if a password is compromised
- Stop rotating passwords on a schedule; start rotating them only when a breach is confirmed
Security does not have to be painful. A few good habits — long passwords, a manager, and 2FA — protect you better than any policy that forces you to add an exclamation mark every quarter.