Passwords aren't going away in 2026 — even with passkeys on the rise. Most sites you use, every service you self-host, every seed phrase you protect, and every SSH key on your dev machine still leans on some flavor of "something you know."
Here's the shortest, most honest guide to password hygiene we could write.
Why it still matters
Credential-stuffing attacks remain the #1 way small teams get compromised. The attacker doesn't need to be clever; they need one reused password from a breach dump. Do the basics well and you drop out of the target pool almost entirely.
The four rules that matter
- Length beats complexity. A 20-character random string beats
P@ssw0rd!every time. - Uniqueness beats memorability. If you can remember it, an attacker's dictionary can guess it.
- A manager is not optional. 1Password, Bitwarden, Apple Passwords — pick any reputable one.
- Turn on 2FA anywhere it's offered. TOTP > SMS.
Generate strong passwords programmatically
If you need to generate passwords in code, use your platform's cryptographic RNG — never Math.random().
import { randomBytes } from 'node:crypto'
const ALPHABET =
'abcdefghijklmnopqrstuvwxyz' +
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
'0123456789' +
'!@#$%^&*()-_=+[]{};:,.<>/?'
export function generatePassword(length = 20) {
const bytes = randomBytes(length)
let out = ''
for (let i = 0; i < length; i++) {
out += ALPHABET[bytes[i] % ALPHABET.length]
}
return out
}
console.log(generatePassword())Or just use our free Password Generator — it runs entirely in your browser, no server ever sees the output.
What about passkeys?
Passkeys (WebAuthn) are the future. They're phishing-resistant and don't require you to remember anything. Enable them wherever offered — Apple, Google, GitHub, most password managers. But keep your master password strong, because that's still what unlocks the vault.
FAQ
Frequently asked questions
Are 12 characters enough in 2026?
For most consumer accounts, yes — if generated randomly. For accounts holding real value (email, banking, your password manager) go 16+ or use a diceware passphrase.
Should I ever write a password down?
On paper stored somewhere physically secure? Fine for offline emergency recovery codes. In a plain text file synced to the cloud? Never.
What's better, TOTP or SMS 2FA?
Always TOTP (Authenticator apps, 1Password, Bitwarden). SMS is trivially bypassed via SIM-swap attacks.
Does length really beat complexity?
Yes. Entropy is a function of the character-set size and the length. Doubling length adds far more entropy than adding one weird symbol. Aim for 20+ random characters.