The entropy math, in plain language
Password strength isn't about how clever a string looks; it's about how many guesses an attacker needs to find it. Entropy, measured in bits, is log2 of the number of equally likely values the process that produced the password could have produced. An attacker who knows that process needs on average half that many guesses, and each additional bit doubles the work.
An eight-character password drawn from lowercase, uppercase, digits, and symbols uses an alphabet of about 95 printable ASCII characters. Eight characters from 95 gives 95^8 possibilities, about 52.6 bits, but only if every character is chosen uniformly at random. Humans don't choose that way. They pick 'Tr0ub4dor&3' (the xkcd example, which the comic rates at roughly 28 bits): a dictionary word with leet substitutions and a short suffix, which a dictionary-plus-rules attack against a fast, unsalted hash recovers in seconds.
Now consider 'correct horse battery staple': four words drawn at random from a 2,000-word list. That is 2000^4 possibilities, about 44 bits. A fifth word takes it to about 55 bits, slightly more than the truly random eight-character string and far more than the human-chosen one, while being easier to remember and faster to type. The condition is that the words are chosen by a random process (dice or a generator), not by you; the strength comes from the list size and the word count, not from the words being unusual. The general rule: against an attacker who knows human patterns, length wins.
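As an added worked example (not part of the original guide), the arithmetic above in Go: the bits for each of the three passwords, the mean time to crack at three attack rates that are this example's own order-of-magnitude assumptions, and a passphrase generator that draws from crypto/rand so that the entropy formula actually applies to its output. The word list is a constructed eight-word sample, not a real diceware list.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// EntropyBits is log2(alphabetSize^length): the entropy of a string whose every
// position is drawn uniformly at random from an alphabet of that size. It says
// nothing about a human-chosen string: 'Tr0ub4dor&3' is 11 characters from the
// 95-symbol alphabet, but it was never a uniform draw.
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// MeanSecondsToCrack is the expected time for an attacker who knows the
// generation process and tries guesses at the given rate: on average they
// cover half the space before hitting the right value.
func MeanSecondsToCrack(bits, guessesPerSecond float64) float64 {
	return math.Exp2(bits-1) / guessesPerSecond
}

// Attack rates assumed for this example (orders of magnitude, not measurements):
// a rate-limited online login endpoint, an offline attack on a slow password
// hash such as bcrypt, and an offline attack on an unsalted fast hash.
var assumedRates = []struct {
	name string
	rate float64
}{
	{"online, throttled", 10},
	{"offline, bcrypt cost 12, one GPU", 1e4},
	{"offline, MD5/NTLM, one GPU", 1e10},
}

// RandomPassphrase picks n words uniformly from wordlist using crypto/rand,
// so its entropy is exactly EntropyBits(len(wordlist), n).
func RandomPassphrase(wordlist []string, n int) (string, error) {
	words := make([]string, n)
	limit := big.NewInt(int64(len(wordlist)))
	for i := range words {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		words[i] = wordlist[idx.Int64()]
	}
	return strings.Join(words, " "), nil
}

func humanDuration(seconds float64) string {
	switch {
	case seconds < 60:
		return fmt.Sprintf("%.0f s", seconds)
	case seconds < 86400:
		return fmt.Sprintf("%.1f h", seconds/3600)
	case seconds < 365.25*86400:
		return fmt.Sprintf("%.1f days", seconds/86400)
	default:
		return fmt.Sprintf("%.3g years", seconds/(365.25*86400))
	}
}

func main() {
	cases := []struct {
		label         string
		alphabet, len int
	}{
		{"8 random chars from 95 symbols", 95, 8},
		{"4 random words from a 2,000-word list", 2000, 4},
		{"5 random words from a 2,000-word list", 2000, 5},
	}
	for _, c := range cases {
		bits := EntropyBits(c.alphabet, c.len)
		fmt.Printf("%-40s %5.1f bits\n", c.label, bits)
		for _, r := range assumedRates {
			fmt.Printf("    %-34s %s\n", r.name, humanDuration(MeanSecondsToCrack(bits, r.rate)))
		}
	}
	// Constructed mini word list; a real diceware list has 7,776 entries.
	words := []string{"correct", "horse", "battery", "staple", "orbit", "velvet", "canyon", "pickle"}
	p, _ := RandomPassphrase(words, 5)
	fmt.Printf("\n5 words from a %d-word list: %q = %.1f bits\n", len(words), p, EntropyBits(len(words), 5))
}
```

The rates table is the part worth arguing about: the same 52-bit password is unreachable through a throttled login form and falls in a few days to a GPU against an unsalted fast hash, which is why the hash the site uses matters as much as your password.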
What NIST 800-63B actually says now
NIST Special Publication 800-63B is the authenticator and password volume of the U.S. government's Digital Identity Guidelines. The current revision, SP 800-63B-4 (second public draft in 2024, finalised in 2025), is striking for how much earlier advice it dropped.
Minimum length: 8 characters is required (SHALL), and 15 or more is recommended (SHOULD); verifiers must accept passwords of at least 64 characters and count each Unicode code point as one character, so spaces and emoji are fine. Composition rules ('must contain an uppercase, a digit, a symbol') are explicitly prohibited. A decade of evidence showed that composition rules don't add real entropy; they push users into predictable shapes (capital letter at the start, digit and symbol at the end) that cracking rules already model.
Mandatory periodic rotation: removed. Verifiers must not require periodic password changes; the old 'change it every 90 days' advice is now actively discouraged. The reasoning: frequent rotation pushes users toward minor variations of one memorable base (Password1, Password2, Password3), which is easier to guess than a single strong password that stays put. A change is still required when there is evidence the password has been compromised.
Check against a blocklist: required. New passwords must be compared against a blocklist of values known to be commonly used, expected, or compromised: passwords from published breach corpora, dictionary words, and context-specific words such as the service name or the username. NIST doesn't name a data source; Have I Been Pwned's Pwned Passwords is the usual reference for the breach part. Also required: allow paste, allow password managers, allow long passwords, and no password hints or knowledge-based 'security questions'.
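An added example, not code from NIST or from this guide, of a verifier that implements the rules above: the 8/15/64-character length handling with code points counted as characters, a blocklist built from breached passwords and context-specific words, and no composition rule. The breach sample, the service name 'acme' and the 256-character cap are this example's own assumptions; a real deployment loads the hash corpus or queries it.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Length bounds. 8 and 15 are the SHALL/SHOULD minimums in SP 800-63B-4; the
// standard requires accepting at least 64 characters, and the 256 cap is this
// example's own choice to bound hashing work on the server.
const (
	minLength         = 8
	recommendedLength = 15
	maxLength         = 256
)

// Policy holds the blocklist inputs 800-63B names: breached passwords (kept as
// uppercase SHA-1 hex, the form the Pwned Passwords corpus distributes) and a
// context-specific word, here the service name.
type Policy struct {
	BreachedSHA1 map[string]bool
	ServiceName  string
}

// Verdict separates hard rejections (SHALL) from advice (SHOULD).
type Verdict struct {
	Accepted bool
	Reasons  []string
	Advice   []string
}

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// Check applies the rules and nothing else: there is deliberately no
// uppercase/digit/symbol requirement, no expiry date and no hint field.
func (p Policy) Check(password, username string) Verdict {
	var v Verdict
	// Each Unicode code point counts as one character, so count runes, not bytes.
	n := utf8.RuneCountInString(password)
	switch {
	case n < minLength:
		v.Reasons = append(v.Reasons, fmt.Sprintf("shorter than %d characters", minLength))
	case n > maxLength:
		v.Reasons = append(v.Reasons, fmt.Sprintf("longer than %d characters", maxLength))
	case n < recommendedLength:
		v.Advice = append(v.Advice, fmt.Sprintf("%d or more characters is recommended", recommendedLength))
	}
	if p.BreachedSHA1[sha1Hex(password)] {
		v.Reasons = append(v.Reasons, "appears in a breach corpus")
	}
	lower := strings.ToLower(password)
	for _, ctx := range []string{p.ServiceName, username} {
		if ctx != "" && strings.Contains(lower, strings.ToLower(ctx)) {
			v.Reasons = append(v.Reasons, fmt.Sprintf("contains context-specific word %q", ctx))
		}
	}
	v.Accepted = len(v.Reasons) == 0
	return v
}

// NewPolicy builds the blocklist from plaintext breached passwords (a constructed
// sample here; a real deployment loads the hash corpus or queries it).
func NewPolicy(service string, breached []string) Policy {
	p := Policy{BreachedSHA1: map[string]bool{}, ServiceName: service}
	for _, b := range breached {
		p.BreachedSHA1[sha1Hex(b)] = true
	}
	return p
}

func main() {
	policy := NewPolicy("acme", []string{"password", "Password1", "Tr0ub4dor&3", "qwerty123"})
	for _, pw := range []string{"Tr0ub4dor&3", "short1!", "acme-alice-2026!", "Xk9#pLm2", "correct horse battery staple"} {
		v := policy.Check(pw, "alice")
		fmt.Printf("%-32q accepted=%-5v reasons=%v advice=%v\n", pw, v.Accepted, v.Reasons, v.Advice)
	}
}
```

The context-word check is a plain substring match, which is what the blocklist rule asks for; a production verifier would skip context words shorter than three or four characters so that a username like 'al' doesn't reject half of all passwords.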
Use a password manager — that's the entire recommendation
The single highest-leverage thing you can do for your account security is use a password manager. Every account gets a unique, long, random password. You remember one strong master passphrase. The manager does the rest.
The two recommendations that come up in nearly every security-professional survey are 1Password and Bitwarden. Both are mature, both have been third-party audited, both support modern features (passkeys, breach monitoring, secure sharing). Bitwarden is open source and has a generous free tier; 1Password is paid and has slightly more polish on the family-sharing and team features.
The objection 'but if my manager is breached, everything is compromised' is the right concern with the wrong conclusion. The major password managers encrypt the vault on your device with a key derived from your master passphrase (1Password additionally mixes in a device-held Secret Key), and that key never leaves your device. A server breach yields encrypted blobs the company itself can't read; what remains exposed is the strength of your master passphrase, which is why it should be long. Compare that with the realistic alternative, one password reused across 200 sites, one of which gets breached every couple of years, and the manager wins on every metric.
Passkeys are the future, and the future is already here
A passkey is a public-key credential generated by your device, registered with a website, and used to sign authentication challenges. There is no shared secret on the server: it stores only your public key. There is no string to type, to phish, or to reuse. With a device-bound passkey (a hardware key, or a platform credential that is not synced) the private half lives in the device's secure hardware and never leaves it; with a synced passkey (iCloud Keychain, Google Password Manager, a password manager) it is end-to-end encrypted between your devices, so the sync provider can't read it. Authenticating is a biometric touch or a PIN.
Under the hood it's WebAuthn, the W3C standard the browser implements, talking either to the platform authenticator built into the OS or, via the FIDO CTAP2 protocol, to a roaming authenticator over USB, NFC, or Bluetooth.
What makes passkeys a categorical improvement over passwords: they are unphishable (each credential is scoped to the site's RP ID, and the browser writes the origin it is actually running in into every signed assertion, so a lookalike domain can't obtain a signature the real site will accept), they are unique per site (no reuse risk), they don't appear in breach corpora (the server holds only a public key, which is useless to an attacker), and they don't require you to remember anything.
The 2026 advice: add a passkey wherever a service supports it, keep your strong password manager entry as fallback, and within a year or two the password will be the fallback you never use.
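The ceremony described above, simulated end to end in Go as an added example (not the page's code and not any library's API): a P-256 passkey signs authData || SHA-256(clientDataJSON) over a challenge, and the relying party checks the challenge, the origin, the RP ID hash, the user-presence flag and the signature, in that order. The relying party example.com, its origin, the lookalike domain and the challenge bytes are assumptions made for the example; the four signature-counter bytes are left at zero, as synced passkeys commonly report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying party assumed for this example.
const rpID, rpOrigin = "example.com", "https://example.com"

// clientData is the CollectedClientData the browser serialises as clientDataJSON.
// The browser, not the site and not the authenticator, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() returns to the site.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator holds the private key, which never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty stores only what registration gave it: the public key.
type RelyingParty struct{ Pub *ecdsa.PublicKey }

// Register generates the key pair at enrolment; the public half is all the server keeps.
func Register() (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{Pub: &priv.PublicKey}, nil
}

// signedDigest is what gets signed: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) [32]byte {
	h := sha256.Sum256(clientDataJSON)
	return sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
}

// Get plays browser plus authenticator: the browser records the origin it is running
// in; the authenticator binds the RP ID hash and flags into authData and signs.
func (a *Authenticator) Get(challenge []byte, browserOrigin string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), browserOrigin})
	authData := make([]byte, 37) // rpIdHash (32) | flags (1) | signCount (4, left zero here)
	h := sha256.Sum256([]byte(rpID))
	copy(authData, h[:])
	authData[32] = 0x05 // flags: UP (0x01) | UV (0x04)
	d := signedDigest(authData, cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, d[:])
	return Assertion{authData, cd, sig}, err
}

// Verify is the server side of the ceremony, following the check order in the WebAuthn spec.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("wrong ceremony type or challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("authData: wrong rpIdHash or user presence not asserted")
	}
	d := signedDigest(as.AuthData, as.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.Pub, d[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, rp, err := Register()
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	good, _ := auth.Get(challenge, rpOrigin)
	fmt.Println("genuine site: ", rp.Verify(challenge, good))
	// A proxy-phishing kit relays the real challenge, but the browser records the lookalike origin.
	phished, _ := auth.Get(challenge, "https://example.com.login-verify.net")
	fmt.Println("phishing site:", rp.Verify(challenge, phished))
}
```

The phishing case is the one to study: the attacker relays a perfectly genuine challenge and the user really does touch the authenticator, yet the assertion fails because the origin the browser recorded is not the one the relying party registered. In a real browser the attempt fails even earlier, since the credential's RP ID is not a valid suffix of the phishing origin and the browser never offers the passkey.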
The 2FA hierarchy
Best: a hardware security key (YubiKey, SoloKey, Google Titan). FIDO2/WebAuthn over USB or NFC. Phishing-resistant by construction — the key won't sign a challenge for a domain it wasn't registered against. Buy two; register both on every important account; keep one in a safe.
Very good: a software authenticator app (Authy, Aegis, Google Authenticator, 1Password's built-in TOTP). Generates a 6-digit code from a secret shared at enrolment and the current 30-second time step (TOTP, RFC 6238). It defeats an attacker who has only your password, from a breach or from reuse, but not real-time phishing, where a proxy site relays the code within its validity window, and not malware on the phone that holds the seed.
Acceptable but weaker: SMS codes. Better than nothing, but vulnerable to SIM-swap attacks, to interception, and to the same real-time phishing as TOTP. If a site only offers SMS, enable it, then switch as soon as a stronger option appears.
Avoid: 'security questions' as a second factor (knowledge factor your aunt could answer); push notifications that show no detail (the 'MFA fatigue' attack works by spamming you with prompts). Number-matching push (where you must type a 2-digit code shown on the login screen into the prompt) closes that hole.
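An added example, not code from any of the apps named above, showing what the 6-digit code is: HOTP per RFC 4226 driven by a 30-second time step (TOTP, RFC 6238), verified with a one-step window on each side, plus the otpauth:// URI an enrolment QR code carries. The secret is the RFC 6238 test vector; the issuer and account name are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"time"
)

const (
	period = 30 // seconds per time step
	digits = 6
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to a 31-bit integer, then reduce modulo 10^digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with counter = floor(unixSeconds / period).
func TOTP(secret []byte, unixSeconds int64) string {
	return HOTP(secret, uint64(unixSeconds/period))
}

// VerifyTOTP accepts the current step and one step either side to absorb clock
// drift and typing delay. That window is exactly what a real-time phishing
// proxy exploits: a code relayed within about 30 seconds is still valid.
func VerifyTOTP(secret []byte, code string, unixSeconds int64) bool {
	ok := false
	for delta := int64(-1); delta <= 1; delta++ {
		// Constant-time compare so the verifier doesn't leak how many digits matched.
		if hmac.Equal([]byte(code), []byte(TOTP(secret, unixSeconds+delta*period))) {
			ok = true
		}
	}
	return ok
}

// ProvisioningURI is the otpauth:// form that enrolment QR codes encode; the
// base32 secret inside it is the one thing both sides share, so the server
// holds it too and a breach of the server exposes it.
func ProvisioningURI(issuer, account string, secret []byte) string {
	q := url.Values{}
	q.Set("secret", base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret))
	q.Set("issuer", issuer)
	q.Set("algorithm", "SHA1")
	q.Set("digits", fmt.Sprint(digits))
	q.Set("period", fmt.Sprint(period))
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (assumed here; never reuse it)
	fmt.Println(ProvisioningURI("Example", "alice@example.com", secret))
	for _, ts := range []int64{59, 1111111109, 1234567890, 2000000000} {
		fmt.Printf("t=%-11d code=%s\n", ts, TOTP(secret, ts))
	}
	now := time.Now().Unix()
	code := TOTP(secret, now)
	fmt.Println("valid now:", VerifyTOTP(secret, code, now), "| valid 90 s later:", VerifyTOTP(secret, code, now+90))
}
```

The codes printed for the four RFC timestamps are the last six digits of the RFC 6238 SHA-1 test vectors (94287082, 07081804, 89005924, 69279037), which is how you check an implementation like this one.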
Tools used in this guide
- Password Generator: cryptographically strong passwords plus a strength checker.
- Password Strength Visualizer: audit any password for entropy, character classes, and time-to-crack at 5 attack rates.
- Random Token: generate UUIDs, API keys, and random strings.
- AES Encryption: encrypt and decrypt text with AES-256-GCM, passphrase only.
FAQ
- What's a realistic minimum password length in 2026?
- Twelve characters for low-stakes accounts, sixteen for anything that holds money or personal data, twenty for a password manager master passphrase. If you use a passphrase of common words, target five or six words.
- Should I trust Have I Been Pwned with my email or password?
- Yes, with reasonable caveats. The email lookup tells you whether your address appears in published breach datasets; that data is already public. The password lookup uses k-anonymity: your browser hashes the password with SHA-1 locally, sends only the first five hex characters of that hash, receives every known suffix that shares the prefix (with breach counts), and checks for a match locally. Your password, and even its full hash, never crosses the wire; the service learns only 20 bits of the hash.
- If I have a password manager, do I still need 2FA?
- Yes. The password manager protects against reuse and weak passwords; 2FA protects you when the password itself is stolen (phishing, malware, a breach of the site). They defend against different attacks. The strongest setup in 2026 is: passkeys where supported, password manager plus hardware-key 2FA where not, software authenticator as a fallback.
- Are passkeys actually ready for non-technical users in 2026?
- For Apple-to-Apple and Android-to-Android flows, yes; the experience is excellent. The seams are still visible when you cross ecosystems. The trajectory is unambiguous, though: sites that have shipped passkeys report lower support volume, faster sign-ins, and fewer account takeovers.
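The k-anonymity lookup described in the FAQ above, as an added example (not the Have I Been Pwned client and not one of this guide's tools). IsPwned hashes locally and sends only a five-character prefix; ConstructedRangeServer stands in for the range endpoint, built from a constructed breach sample, and logs what it receives so you can see exactly what leaves the client. To run against the real service, replace the lookup with an HTTP GET of https://api.pwnedpasswords.com/range/{prefix}, whose response has the same SUFFIX:COUNT line format.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// rangeLookup is the one network call the protocol makes. It receives a 5-hex-char
// prefix and returns what the range endpoint would: one "SUFFIX:COUNT" per line.
type rangeLookup func(prefix string) (string, error)

// IsPwned runs the client side: hash locally, send only the first five hex
// characters, scan the returned suffixes locally. It returns the breach count
// (0 if absent) and the prefix that was sent, so callers can see what leaked.
func IsPwned(password string, lookup rangeLookup) (count int, sent string, err error) {
	sum := sha1.Sum([]byte(password))
	full := strings.ToUpper(hex.EncodeToString(sum[:]))
	prefix, suffix := full[:5], full[5:]
	body, err := lookup(prefix)
	if err != nil {
		return 0, prefix, err
	}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		parts := strings.SplitN(line, ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			n, _ := strconv.Atoi(strings.TrimSpace(parts[1]))
			return n, prefix, nil
		}
	}
	return 0, prefix, nil
}

// ConstructedRangeServer simulates the range endpoint from a small breach corpus
// (constructed sample, not real data). Its Log holds everything the server ever
// learns: 20 bits of a 160-bit hash, a prefix that 2^140 possible hashes share.
type ConstructedRangeServer struct {
	bySuffix map[string]map[string]int // prefix -> suffix -> breach count
	Log      []string
}

func NewConstructedRangeServer(corpus map[string]int) *ConstructedRangeServer {
	s := &ConstructedRangeServer{bySuffix: map[string]map[string]int{}}
	for pw, n := range corpus {
		h := sha1.Sum([]byte(pw))
		hexh := strings.ToUpper(hex.EncodeToString(h[:]))
		if s.bySuffix[hexh[:5]] == nil {
			s.bySuffix[hexh[:5]] = map[string]int{}
		}
		s.bySuffix[hexh[:5]][hexh[5:]] = n
	}
	return s
}

// Lookup is the server side: it never sees a full hash, only the prefix.
func (s *ConstructedRangeServer) Lookup(prefix string) (string, error) {
	s.Log = append(s.Log, prefix)
	var b strings.Builder
	for suffix, n := range s.bySuffix[prefix] {
		fmt.Fprintf(&b, "%s:%d\n", suffix, n)
	}
	return b.String(), nil
}

func main() {
	srv := NewConstructedRangeServer(map[string]int{"password": 10000000, "Tr0ub4dor&3": 42, "qwerty123": 900000})
	for _, pw := range []string{"password", "Tr0ub4dor&3", "correct horse battery staple"} {
		n, sent, _ := IsPwned(pw, srv.Lookup)
		fmt.Printf("%-30q sent prefix %s, seen %d times\n", pw, sent, n)
	}
	fmt.Println("everything the server received:", srv.Log)
}
```

The range response is the privacy lever: in the real corpus each prefix bucket holds several hundred suffixes, so the server cannot tell which one you cared about, and a client that wants even less signal can request padded responses so that bucket sizes don't vary.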