Why the old complexity rules were abandoned, how passwords really get broken, and the three-step setup that works.
Most advice about passwords is a decade out of date. The old rules (force a capital letter, a number and a symbol; change it every 90 days) were dropped by the organisations that wrote them: NIST, whose earlier guidance popularised them, removed composition rules and scheduled rotation from its 2017 update (SP 800-63B) because they made passwords harder for humans and barely harder for computers. This article explains what actually keeps an account safe in 2026, why length beats complexity, and how to build a password you can live with.
Hardly anyone “guesses” your password by typing at a login box. The real threats are different:
Notice what is missing: nobody is sitting there typing guesses. That single fact reshapes what a good password looks like.
The strength of a password is, roughly, the number of candidates an attacker must try before hitting it. Each additional character multiplies that number by the size of the character set, so length grows the search space exponentially, while adding a symbol class only enlarges the base. Adding symbols to an 8-character password raises the count by a factor of about thirty (95 possibilities per position instead of 62); adding four more characters from the same letters-and-digits set raises it by a factor of about fifteen million (62^4). Length wins, and it wins by far more than decoration.
Consider P@ssw0rd!. It satisfies every old complexity rule, but it is also in common cracking wordlists, so an attacker tries it almost immediately and it falls in milliseconds. Now consider four words chosen at random from a large list, something like copper-violin-harbor-ginger. It is far longer and easy to remember, and because each word was a random pick from thousands of candidates, the number of combinations is enormous: with a 7,776-word list, about 3.7 quadrillion. Length and unpredictability win; decoration does not.
For the few passwords you genuinely have to type from memory — your device login, your password manager's master password — use a passphrase of four or more random words. The randomness matters: a famous quote or song lyric is in the dictionaries. Pick unrelated words, and the result is both strong and human.
For the dozens of site accounts you do not need to memorise, generate a long random string — 16 characters or more — and let a password manager remember it. You never type it, so it does not need to be pronounceable. This is where a password generator earns its keep: it produces high-entropy strings instantly, with no human bias toward predictable patterns.
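The arithmetic behind the length-versus-complexity comparison, and both kinds of generator described above, as an added example (not code from the original article). It uses Python's `secrets` module, which draws from the operating system's CSPRNG; the 7,776-word list size is the EFF large word list's and the ten-billion-guesses-per-second cracking rate is an assumption chosen to make the comparison concrete, not a figure from the article. The word list embedded here is a constructed stand-in, far too small for real use.

```python
import math
import secrets
import string

# Assumption for the worked comparison: a fast cracking rig against an
# unsalted, fast hash. Real rates vary by hash and hardware.
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for a real word list; a real one (e.g. the EFF large
# list) has 7776 entries. Only for demonstrating the generator.
SAMPLE_WORDS = ["copper", "violin", "harbor", "ginger",
                "maple", "quartz", "falcon", "sonnet"]

# 52 letters + 10 digits + 32 ASCII punctuation = 94 symbols (95 with space).
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate of a `bits`-bit search space at `rate` guesses/s."""
    return 2 ** bits / rate


def compare_strategies() -> dict:
    """Entropy of the strategies discussed above (passphrase row assumes a 7776-word list)."""
    return {
        "8 chars, letters+digits": entropy_bits(62, 8),
        "8 chars, letters+digits+symbols": entropy_bits(95, 8),
        "12 chars, letters+digits": entropy_bits(62, 12),
        "4 random words (7776-word list)": entropy_bits(7776, 4),
        "16 chars, letters+digits+symbols": entropy_bits(95, 16),
    }


def random_password(length: int = 16, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Manager-style random string. `secrets.choice` is unbiased; never use `random` here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Passphrase of `count` words picked uniformly at random from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for label, bits in compare_strategies().items():
        years = seconds_to_exhaust(bits) / (365 * 24 * 3600)
        print(f"{label:36s} {bits:6.1f} bits  full search: {years:.3g} years")
    print("random password :", random_password())
    print("random passphrase:", random_passphrase(SAMPLE_WORDS))
```

The table it prints is the whole argument in numbers: eight letters-and-digits characters sit near 48 bits, adding symbols lifts that to about 53, but four more characters lift it to about 71, and four random words from a 7,776-word list land near 52 bits while staying memorable. A passphrase only earns that figure if the words are genuinely random picks; a sentence you composed yourself is worth far less, because an attacker can model how people compose sentences.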
Never reuse a password across sites. This is more important than how strong any single password is. If you reuse one and a single site is breached, every account sharing that password is compromised through credential stuffing — automatically, within hours. A unique password per site contains the damage to one account. The only practical way to have a unique strong password for every site is a password manager; trying to remember them all is what pushes people back into reuse.
Even a perfect password can leak, through a breach, a phishing page, or malware. Two-factor authentication (2FA) adds a second step, usually a code from an authenticator app, so a stolen password alone is not enough to get in. Enable it everywhere that offers it, starting with email (because password resets for every other account flow through it) and banking. App-based codes are stronger than SMS, which can be intercepted or redirected, but SMS 2FA is still far better than none.
Forced periodic changes do not help either: people respond with predictable increments (spring1, spring2). Change a password when there is a reason, such as a breach or a shared device, not on a calendar.
Do those three things and you are ahead of the overwhelming majority of internet users, not because your passwords are clever, but because they are long, unique, and backed by a second factor. That is what the current evidence says actually keeps accounts safe.