"Your password must contain at least 8 characters, one uppercase letter, one number, and one special character." You have seen this rule a hundred times. It is the most common password policy on the internet — and according to modern security standards, it is wrong.
This guide explains what actually makes a password strong, what the latest NIST guidelines recommend, why passphrases often beat random strings, and how to generate and verify passwords without handing them to a third-party service.
What makes a password strong?
Password strength is measured by entropy — the number of possible combinations an attacker would have to try to guess your password by brute force. Entropy is measured in bits, and each additional bit doubles the number of possibilities.
The formula for entropy depends on the size of the character set and the length of the password:
In practice:
| Character set | Pool size | Entropy at 8 chars | Entropy at 12 chars | Entropy at 16 chars |
|---|---|---|---|---|
| Digits only (0-9) | 10 | ~27 bits | ~40 bits | ~53 bits |
| Lowercase only (a-z) | 26 | ~38 bits | ~56 bits | ~75 bits |
| Mixed case (a-z, A-Z) | 52 | ~46 bits | ~68 bits | ~91 bits |
| Alphanumeric (a-z, A-Z, 0-9) | 62 | ~48 bits | ~71 bits | ~95 bits |
| Full printable ASCII | 95 | ~53 bits | ~79 bits | ~105 bits |
Important: this table assumes truly randomcharacter selection. Human-chosen passwords — even when they meet complexity rules — have far lower effective entropy because humans are bad at randomness. "Password1!" meets every complexity rule ever written and is cracked instantly by any dictionary attack.
NIST 2024 guidelines: what changed
The National Institute of Standards and Technology (NIST) publishes the most widely-referenced password guidelines in the world (NIST SP 800-63B). The latest revision contains several important shifts from the traditional "complexity rules" approach:
- No more mandatory character composition rules.NIST no longer requires mixed case, digits, and special characters. The evidence shows these rules lead to predictable substitutions ("Password1!") that attackers model explicitly.
- No more mandatory periodic password changes. Forcing users to change passwords every 90 days leads to weaker passwords (users append numbers or choose simpler passwords they can remember) and does not meaningfully improve security. Change passwords only when there is evidence of compromise.
- Minimum 8 characters for user-chosen passwords; minimum 15 for machine-generated. The longer the better, and length matters more than character variety once you pass a reasonable minimum.
- Screen new passwords against known-breach lists. A password that has appeared in any known data breach should be rejected, regardless of complexity. Services like Have I Been Pwned provide APIs for this check.
- Allow (and encourage) password managers.The "paste" function on password fields should not be disabled. Password managers generate and store strong, unique passwords — disabling paste undermines the strongest security tool users have.
The practical takeaway: length beats complexity, uniqueness beats everything, and use a password manager.
Passphrases vs random passwords
A passphraseis a sequence of randomly chosen words — for example, "correct-horse-battery-staple." A random password is a string of randomly chosen characters — for example, "xK9#mP2$vL7@qR4." Both can be strong. The right choice depends on context:
| Factor | Passphrase | Random password |
|---|---|---|
| Memorability | High — words are memorable | Low — essentially unmemorable |
| Entropy per character | Lower (words are characters) | Higher (95 chars per position) |
| Typing effort | Lower (natural words) | Higher (hunt-and-peck symbols) |
| Attack resistance | Resistant if word-pool is large enough | Resistant if truly random and long |
| Best use case | Master passwords, disk encryption, anything you must remember | Every website (stored in a password manager) |
A 4-word passphrase drawn randomly from a pool of 7,776 words (the Diceware wordlist) has roughly 51 bits of entropy — equivalent to a random 8-character password. A 6-word passphrase jumps to ~77 bits. For anything stored in a password manager, a 16+ character random string is strictly better — more entropy per keystroke, and you never need to type it.
Password managers: the single biggest security upgrade
The average person has over 100 online accounts. Remembering 100 unique, strong passwords is impossible — which is why most people reuse passwords. A password manager solves this:
- Generates truly random passwords at whatever length and character set you choose, with one click.
- Stores them encrypted behind a single master password (which should be a strong passphrase you memorize).
- Autofills them so you never type a password into a phishing site that looks like your bank.
- Syncs across devices so your passwords are available on your phone, laptop, and desktop.
The leading password managers in 2026 — Bitwarden (open-source), 1Password, and Apple Passwords / iCloud Keychain — all use zero-knowledge encryption, meaning the provider cannot read your vault even if they wanted to. If you do only one thing to improve your security this year, install a password manager.
Why online password generators are risky
"Online password generator" is one of the most dangerous search queries a person can type. A server-side password generator sees every password it generates — and can associate it with your IP address, browser fingerprint, and session data. Even if the generator itself is well-intentioned, the password now exists in plaintext on a server you do not control, inside a logging or analytics pipeline you cannot audit.
The risk extends beyond the generator itself. Many online password checkers ask you to type your password into a form to "check how strong it is." This is the equivalent of handing your password to a stranger and asking them if it looks secure. Even if the tool claims to run client-side, you have no way to verify that a keylogger script is not capturing the input field.
Our broader online file tools privacy comparison covers the same architectural risk pattern across all categories of web-based tools — from PDF mergers to password generators, the principle is identical.
How to verify a password generator is safe
If you use a browser-based password generator, you can verify it is client-side using the same DevTools method described across our privacy guides:
- Open DevTools (F12) → Network tab. Check Preserve log and filter to Fetch/XHR.
- Clear the existing log.
- Generate a password. Watch the network panel for any request whose payload contains the generated password string.
- If you see no such request, the generator is genuinely client-side. The password was created by JavaScript in your browser and never transmitted.
LoveMyFile's Password Generator uses the browser's built-in crypto.getRandomValues() API — the same cryptographically secure random number generator that drives TLS encryption — and never sends generated passwords anywhere. You can verify this yourself.
SHA-256 and password hashing: a brief primer
When a website stores your password, it should never store the password itself. Instead, it stores a hash — a one-way mathematical function that turns your password into a fixed-length string of characters. SHA-256 is one such hash function.
The critical property of a hash function: given the hash, it is computationally infeasible to recover the original password. When you log in, the website hashes what you typed and compares it to the stored hash. If they match, you typed the right password — but the website never needs to store the password itself.
Good services go further: they use salted hashes (adding random data to each password before hashing, so identical passwords produce different hashes) and key derivation functionslike bcrypt, scrypt, or Argon2 that are deliberately slow, making brute-force attacks expensive. If a service can email you your password in plaintext when you click "forgot password," they are not hashing — and you should not trust them with any password you use elsewhere.
You can experiment with hashing yourself using the File Hash Calculator — it computes SHA-256, SHA-512, and MD5 hashes entirely in your browser.
Practical password checklist for 2026
- Use a password manager. This is step zero. Everything else follows from it.
- Generate unique passwords for every account. A password manager makes this trivial — let it generate a 16+ character random string for every site.
- Use a strong passphrase for your master password. 6+ random words, or a random string long enough that you can memorize it with practice. This is the one password you must remember — make it count.
- Enable multi-factor authentication (MFA) everywhere. A stolen password is useless if the attacker also needs your phone or security key. Use an authenticator app (not SMS) when possible.
- Never reuse passwords. Credential stuffing — where attackers take passwords leaked from one breach and try them on other sites — is the most common attack vector. Unique passwords neutralize it completely.
- Never type a password into a website to "test its strength."Use an offline entropy calculator or a client-side tool you have verified.
- Check Have I Been Pwned periodically.Troy Hunt's free service tells you if your email or passwords have appeared in known data breaches. If they have, change those passwords immediately.
Related security tools and reading
Password security is part of a broader personal security posture. For related tools on LoveMyFile, the File Hash Calculator lets you verify file integrity using SHA-256 and other algorithms. The QR Code Generator applies the same privacy-first approach to barcode generation.
For the broader context of online tool safety, read our QR code safety guide and the guide to uploading PDFs safely. Both explore the same principle from different angles: when your data stays on your device, you eliminate entire categories of risk.
Bottom line
A strong password is long, unique, and randomly generated — not one that meets arbitrary complexity rules. Use a password manager to generate and store unique passwords for every account. Use a passphrase for the one password you must memorize. Never type a password into a website to check its strength, and always verify that any generator you use runs client-side. Password security is not complicated — it is just a set of habits that, once established, protect you automatically.
Generate strong passwords safely
Use the Password Generator to create strong, random passwords. All generation runs in your browser using the Web Crypto API — your passwords are never transmitted, never logged, and never stored.