Published May 15, 2025 · 6 min read · 🏷️ Security

Password Security 101: What Makes a Password Truly Strong?

Most password advice is outdated. The latest NIST guidelines flip conventional wisdom on its head. Here's what actually matters in 2025.

The Problem with "Complex" Passwords

For years, security experts told us to use "complex" passwords: uppercase, lowercase, numbers, symbols. But research shows this creates a false sense of security. People take the same shortcuts: P@ssw0rd! satisfies every composition rule, yet it is one of the first candidates any cracking wordlist tries.

Meanwhile, the recommended minimum length has crept up — from 8 to 12 to 16 characters. Why? Because longer passwords are genuinely harder to break, even if they're "simpler."

Understanding Entropy

Entropy measures how unpredictable a password is, in bits. For a password chosen uniformly at random, entropy is log2 of the number of possible passwords (length × log2 of the alphabet size), and each additional bit doubles the number of guesses an attacker needs to crack it.

  • 8 characters, lowercase only: ~37 bits — crackable in minutes
  • 12 characters, mixed types: ~80 bits — extremely strong
  • 16 characters, all types: ~128 bits — practically uncrackable
  • 24 characters, all types: ~200 bits — beyond brute-force reach

A password with 80 bits of entropy would take a supercomputer billions of years to crack. That's your target.
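The figures above come straight from the formula, so here is a small calculator, added as an example rather than taken from the original post. It computes entropy for character passwords and for word-based passphrases, and converts bits into an expected cracking time at an assumed guess rate. The alphabet sizes (26, 62, 95 printable ASCII symbols, a 7776-word Diceware list) and the 1e9 guesses-per-second rate are assumptions for the example, so its outputs are the exact log2 values for those alphabets.

```python
import math

# Alphabet sizes used for the estimates below (assumptions for this example).
LOWER = 26
MIXED = 26 + 26 + 10          # lowercase, uppercase, digits
ALL_PRINTABLE = 95            # printable ASCII: letters, digits, symbols, space
DICEWARE_WORDS = 7776         # words in a standard Diceware list (6**5)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose `length` symbols are each drawn uniformly
    from an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """A passphrase is the same calculation with words as the alphabet:
    'correct horse battery staple' is four draws from the word list."""
    return entropy_bits(words, wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing: on average the attacker tries
    half of the 2**bits possible passwords before hitting the right one."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    GPU_RATE = 1e9  # constructed figure: guesses/second against a fast hash on one GPU
    cases = [
        ("8 chars, lowercase", entropy_bits(8, LOWER)),
        ("12 chars, letters+digits", entropy_bits(12, MIXED)),
        ("12 chars, all printable", entropy_bits(12, ALL_PRINTABLE)),
        ("16 chars, all printable", entropy_bits(16, ALL_PRINTABLE)),
        ("4 Diceware words", passphrase_entropy_bits(4)),
        ("6 Diceware words", passphrase_entropy_bits(6)),
    ]
    for label, bits in cases:
        eta = human_time(expected_crack_seconds(bits, GPU_RATE))
        print(f"{label:28s} {bits:6.1f} bits  ~{eta}")
```

Change `GPU_RATE` to the rate of the hash your system actually uses: the same 40-bit password that falls in minutes against MD5 survives far longer against a slow password hash, which is the point of the storage advice further down.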

NIST Guidelines (2025)

The National Institute of Standards and Technology now recommends:

  • Minimum 8 characters, allow up to 64+
  • Ditch complexity rules — let users choose what they want
  • Allow passphrases — "correct horse battery staple" is strong and memorable
  • No expiration without reason — forced resets lead to weaker passwords
  • Check against breached password lists — reject known compromised passwords
  • No hint questions — they're just alternate passwords
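The list reads naturally as a validation function, so here is one written for this post (added example, not code from NIST or from the site's generator). It enforces only the rules above: a length floor of 8, acceptance of at least 64 characters, no composition rules, and a check against a breached-password list. The denylist is a constructed stand-in for a real corpus, and the `context_words` parameter (username, service name) and the repeated-character check are this example's additions.

```python
import unicodedata

MIN_LENGTH = 8      # NIST floor
MAX_LENGTH = 64     # accept at least this many characters

# Constructed denylist standing in for a breached-password corpus.
BREACHED = {"password", "123456", "qwerty", "p@ssw0rd!", "letmein"}


def normalize(password: str) -> str:
    """NFKC so the same visual string typed on different keyboards compares
    equal; length is then counted in code points, not bytes, so non-ASCII
    passphrases are not penalized."""
    return unicodedata.normalize("NFKC", password)


def validate(password: str, context_words=()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately has no uppercase/digit/symbol requirement."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BREACHED:
        problems.append("appears in breached-password list")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    # Context-specific words (the user's name, the service name) are among
    # the cheapest guesses an attacker makes.
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "P@ssw0rd!", "short",
                      "aaaaaaaaaa", "alice2025rocks"]:
        verdict = validate(candidate, context_words=("alice",)) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note what is absent: there is no rule that would reject "correct horse battery staple" or force a user to bolt a digit onto it, and the only hard rejections are length and known-compromised values.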

What Makes a Password Strong

The three factors that actually matter:

1. Length (most important)
A 16-character random password beats any 8-character "complex" one. Every additional character multiplies the search space by the alphabet size, so difficulty grows exponentially with length.

2. Unpredictability
Predictable dictionary words and character sequences are weak. A random multi-word phrase like "coffee table lamp" is better than "c0ff33!", even though it looks simpler.

3. Uniqueness
Never reuse passwords. If one service gets breached, the leaked credential cannot be replayed against your other accounts, so everything else stays safe.

Password Managers: The Practical Choice

Remembering unique 16+ character passwords for every account is impossible. Use a password manager (1Password, Bitwarden, KeePass). Generate random passwords with our tool, store them in a manager, and remember only one master password.

What About MD5 and SHA-1?

MD5 and SHA-1 are fast general-purpose hashes built for checksums, not for password storage: commodity GPUs test billions of guesses per second against them. Never use them for passwords. Use bcrypt, Argon2, or scrypt instead; they are deliberately slow and salted.

Generate Strong Passwords

Use our Password Generator to create cryptographically secure random passwords. Set the length to 20+ characters for critical accounts. Enable all character types for maximum entropy.

Frequently Asked Questions

How often should I require users to change their password?

NIST guidelines no longer recommend forced periodic password changes, because they lead to predictable patterns (Spring2026!, Summer2026!). Force a change only when there is evidence of compromise. Instead, monitor for breached credentials (HaveIBeenPwned API) and force resets only on detected leaks or suspicious activity.
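Checking a password against a breach corpus without sending the password (or its full hash) to a third party is done with a k-anonymity range query, which is how the Pwned Passwords service works: the client sends only the first five hex characters of the SHA-1, receives every breached suffix sharing that prefix with a count, and does the final match locally. The code below is an added example, not the service's own client; the `RANGE_URL` shape is the public endpoint, but the lookup function is injected and the `fake_fetch_range` response is constructed so the example runs offline.

```python
import hashlib
from typing import Callable

# Endpoint shape for the Pwned Passwords range API. Only the 5-char prefix
# leaves the client; the reply is "SUFFIX:COUNT" lines (35 hex chars each).
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in breaches (0 = not found).
    fetch_range(prefix) returns the raw response body for that prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fake_fetch_range(prefix: str) -> str:
    """Constructed stand-in for the network call. It returns two made-up
    filler suffixes plus, when the prefix matches, the real SHA-1 suffix of
    "password" with a constructed count, in the API's CRLF-separated format."""
    known = sha1_hex("password")
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:3",
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2"]
    if known.startswith(prefix):
        lines.append(f"{known[5:]}:12345")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: seen {breach_count(pw, fake_fetch_range)} times")
```

To use it for real, replace `fake_fetch_range` with a function that GETs `RANGE_URL.format(prefix=prefix)` and returns the response text; the SHA-1 here is only a lookup key for the breach corpus, which is unrelated to how the password itself should be stored.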

What's the right way to store passwords?

Hash with bcrypt (cost factor 12+), scrypt, or Argon2id. Never MD5, SHA-1, or unsalted SHA-256; they are so fast that offline cracking is cheap. Add a unique random salt per password (bcrypt does this automatically) so identical passwords produce different hashes and precomputed tables are useless. Store the salt alongside the hash. Never log passwords, never email them, never display them in plain text after entry.
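The storage advice above and the earlier MD5/SHA-1 point, as one added example that is not from the original post: it uses scrypt from Python's standard library (`hashlib.scrypt`, so it runs without bcrypt or argon2 packages), generates a fresh random salt per password, stores parameters, salt and hash in one self-describing string, and verifies with a constant-time comparison. The cost parameters and the `scrypt$N$r$p$salt$hash` format are this example's assumptions; an unsalted MD5 helper is included only to show the contrast.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters are an assumption for this example; tune N upward until one
# hash takes roughly 100 ms on the server that will verify logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32
MAXMEM = 64 * 1024 * 1024   # scrypt needs 128 * r * N bytes (16 MiB here)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str) -> str:
    """Return a storable record: scheme, parameters, salt and derived key.
    A new random salt every call means equal passwords get unequal records."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=MAXMEM, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and salt; compare in constant time
    so timing does not leak how many bytes matched. Malformed records fail closed."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = _unb64(salt_b64), _unb64(key_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   maxmem=MAXMEM, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def md5_unsalted(password: str) -> str:
    """The anti-pattern: deterministic, unsalted and fast, so one lookup table
    breaks every account that shares a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("scrypt records differ for the same password:", rec1 != rec2)
    print("verify correct:", verify_password(pw, rec1))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", rec1))
    print("md5 is identical every time:", md5_unsalted(pw) == md5_unsalted(pw))
```

Because the parameters travel with the record, you can raise the cost for new hashes later and re-hash old ones on the user's next successful login, without a forced reset.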

Is 2FA really necessary if I have a strong password?

Yes. Passwords leak constantly via breaches, phishing, and keyloggers. 2FA is the single biggest account-protection upgrade available — it blocks 99.9% of automated attacks per Microsoft research. Prefer authenticator apps (Authy, Google Authenticator) or hardware keys (YubiKey) over SMS, which is vulnerable to SIM-swap attacks.
