TL;DR
  • Length beats complexity. Aim for 16 characters or more, even if it is just lowercase letters.
  • A password is only as strong as it is unique. Reusing a strong password across sites is still risky.
  • Skip names, birthdays, hockey teams, and anything tied to you on social media. Attackers check those first.
  • Use a password generator and a manager together. The generator makes it random; the manager makes it usable.

Most of what you were taught about passwords is wrong, or at least out of date. The advice that gave us P@ssw0rd1! looked clever in 2008. Today it gets cracked in seconds.

The good news is that the modern rules are simpler. Length matters more than special characters. Uniqueness matters more than complexity. And random matters more than memorable.

Here is what actually makes a password strong in 2026, and how to build one without losing your mind.

Length is the most important variable

Every character you add to a password multiplies the time it takes to crack. The math is exponential, and it works in your favour.

An eight-character password using lowercase, uppercase, digits, and symbols has roughly seventy quadrillion possible combinations. That sounds like a lot until you remember that modern cracking rigs can test billions of guesses per second. Hive Systems publishes a yearly chart showing how long different password lengths hold up under attack. Their 2025 update found that an eight-character password with mixed types takes about thirty-seven seconds to crack. A twelve-character version of the same password takes more than two centuries.

That is why every credible security guide now starts with the same advice: aim for at least 16 characters. More is better. If you are setting a password you will type from memory, push to twenty.

Why length wins

Adding one character to a password drawn from a 95-character set multiplies the search space by 95. Swapping a letter for a symbol in a short password, without adding length, barely moves the needle.
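To make the exponential claim concrete, here is a short Python calculation (added here as an illustration, not code from the original article or from Hive Systems). It assumes a 26-letter lowercase set and the article's 95-character printable set, and the guess rate in `main()` is a constructed placeholder, not a measured figure; Hive's chart uses its own hardware and hash assumptions, so absolute times will differ, but the ratios between lengths do not.

```python
import math

LOWER = 26   # a-z
MIXED = 95   # printable ASCII including space: the article's "95 character set"


def search_space(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from the set."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def expected_guesses(charset_size: int, length: int) -> float:
    """A brute-force attacker finds a random password after about half the space."""
    return search_space(charset_size, length) / 2


def relative_cost(charset_size: int, short_len: int, long_len: int) -> int:
    """How many times more brute-force work the longer password costs."""
    return search_space(charset_size, long_len) // search_space(charset_size, short_len)


def length_vs_symbols(length: int) -> dict:
    """Compare two upgrades to an all-lowercase password of the given length:
    swap one letter for a character from the 95-set (same length) versus
    keep lowercase only but add one more letter."""
    base = search_space(LOWER, length)
    one_symbol = search_space(LOWER, length - 1) * MIXED   # one position widened to 95
    one_longer = search_space(LOWER, length + 1)            # one extra lowercase letter
    return {
        "symbol_factor": one_symbol / base,   # 95 / 26, about 3.7x
        "length_factor": one_longer / base,   # 26x
    }


def seconds_to_text(seconds: float) -> str:
    """Render a duration in the largest unit that fits (1.5 minutes, 2.3 years, ...)."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def main(guesses_per_second: float = 1e11) -> None:
    # guesses_per_second is a constructed placeholder rate (fast hash, GPU rig).
    # Against a slow hash such as bcrypt the rate is orders of magnitude lower.
    print(f"{'length':>6} {'bits':>6} {'expected time at placeholder rate':>34}")
    for n in (8, 12, 16, 20):
        secs = expected_guesses(MIXED, n) / guesses_per_second
        print(f"{n:>6} {entropy_bits(MIXED, n):>6.1f} {seconds_to_text(secs):>34}")
    ratio = relative_cost(MIXED, 8, 12)
    print(f"12 characters cost {ratio:,}x the work of 8 characters")
    f = length_vs_symbols(8)
    print(f"8 lowercase letters: swap one for a symbol = x{f['symbol_factor']:.1f}, "
          f"add one more letter = x{f['length_factor']:.0f}")


if __name__ == "__main__":
    main()
```

The `length_vs_symbols` output is the whole argument in two numbers: widening one position from 26 to 95 choices multiplies the attacker's work by less than four, while one extra lowercase letter multiplies it by 26.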

Uniqueness matters more than complexity

The strongest password in the world is useless if you reuse it everywhere. When a small site gets breached, your email and password get sold on data trading forums. Attackers then try that combination on every major service: banks, email, cloud storage, government portals.

This is called credential stuffing, and it is now the most common cause of account takeovers. Verizon's 2024 Data Breach Investigations Report found that stolen credentials are involved in roughly 32% of all confirmed data breaches. Most of those credentials came from password reuse, not from cracking.
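From the defender's side, credential stuffing has a recognizable shape in an authentication log: one source address, many different usernames, a high failure rate, and a small number of successes against accounts whose owners reused a password. The Python below is an added example (not from the original article or any named product) that flags that pattern. The log format and the sample lines are constructed for the example, using documentation IP ranges and example.ca addresses; the window and thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed line format:
#   <ISO timestamp> login <OK|FAIL> user=<account> ip=<source address>
SAMPLE_LOG = """\
2026-01-10T09:00:01Z login FAIL user=alice@example.ca ip=203.0.113.7
2026-01-10T09:00:02Z login FAIL user=bob@example.ca ip=203.0.113.7
2026-01-10T09:00:03Z login OK user=carol@example.ca ip=203.0.113.7
2026-01-10T09:00:04Z login FAIL user=dave@example.ca ip=203.0.113.7
2026-01-10T09:00:05Z login FAIL user=erin@example.ca ip=203.0.113.7
2026-01-10T09:00:06Z login FAIL user=frank@example.ca ip=203.0.113.7
2026-01-10T09:01:10Z login FAIL user=alice@example.ca ip=198.51.100.24
2026-01-10T09:01:25Z login FAIL user=alice@example.ca ip=198.51.100.24
2026-01-10T09:01:40Z login OK user=alice@example.ca ip=198.51.100.24
2026-01-10T09:02:00Z login OK user=bob@example.ca ip=198.51.100.9
this line is malformed on purpose and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(lines):
    """Turn log lines into (timestamp, result, user, ip) tuples; skip noise."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts with mostly failures
    inside a sliding time window. Returns {ip: summary}. The 'compromised'
    list holds accounts that succeeded from a flagged source: those owners
    reused a password and need a forced reset, not just a warning."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(lines)):
        by_ip[ev[3]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[1] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "compromised": sorted({e[2] for e in win if e[1] == "OK"}),
                }
                # keep the widest triggering window for this source
                if ip not in alerts or summary["attempts"] > alerts[ip]["attempts"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

In the sample, 203.0.113.7 cycles through six accounts in five seconds and lands one hit on carol@example.ca, so it is flagged and carol's account is listed for reset. The home user at 198.51.100.24 who mistypes twice before logging in touches only one account and is not flagged, which is the distinction a per-IP failure counter alone would miss.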

The fix is simple in concept and painful in practice: every account needs its own password. The reason this is now realistic is the password manager. Generate, store, autofill. We cover this in detail in our guide to password managers for Canadians.

Skip anything tied to your real life

Your dog's name. Your kid's birthday. The street you grew up on. The Habs. The Leafs. Your wedding anniversary.

None of these are good password material. They are all on your social media accounts, often within the first few posts a stranger can see. Attackers running targeted campaigns scrape this data automatically and feed it into cracking tools.

Google and Harris Poll found that 59% of US adults use a name or birthday in their passwords. The Canadian numbers are likely similar. If you recognize yourself in this, the fix is to switch to generated random passwords for everything you do not need to remember, and a long random passphrase for what you do.

The character soup myth

Old password rules forced users to add an uppercase letter, a number, and a symbol. So users did the predictable thing: capitalized the first letter, added a number at the end, and stuck on an exclamation mark. Password1! became the most cracked pattern in the world.

NIST, the US National Institute of Standards and Technology, formally backed away from these rules in their 2024 update to SP 800-63B. Their current guidance: prioritize length, allow any printable character including spaces, and stop forcing predictable composition rules.

The takeaway: a 20-character, all-lowercase passphrase like marble salmon kettle drift weather is stronger than P@ssw0rd1!, and easier to type. We unpack this in passphrase vs password.

What a strong password actually looks like

For accounts you will autofill from a manager:

For accounts you must type from memory, like your password manager itself:

Both styles work. The first is more practical when something else does the typing. The second is essential when your brain is the only key.
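Here is what generating both styles looks like in code. This is an added example, not the article's own generator: it uses Python's `secrets` module (a cryptographically secure source, unlike `random`), a 94-character alphabet of letters, digits and punctuation (the printable set without the space, which some sites mishandle), and a constructed 32-word list that stands in for a real diceware list such as the EFF long list of 7,776 words. The `words_for_bits` helper shows why the size of the word list matters as much as the number of words.

```python
import math
import secrets
import string

# Style 1 alphabet: letters, digits, punctuation (94 printable characters, no space)
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Style 2 word list: a constructed 32-word stand-in. A real passphrase should draw
# from a published list of thousands of words (the EFF long list has 7,776).
WORDLIST = [
    "marble", "salmon", "kettle", "drift", "weather", "anchor", "bridge", "candle",
    "dune", "ember", "forest", "glacier", "harbor", "island", "jigsaw", "lantern",
    "meadow", "north", "orchard", "pebble", "quarry", "river", "summit", "thistle",
    "umbrella", "valley", "willow", "yarrow", "zephyr", "cobalt", "granite", "pepper",
]


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Style 1: uniformly random characters, for accounts a manager will autofill.
    secrets.choice is unbiased, so every position carries log2(len(alphabet)) bits."""
    if length < 16:
        raise ValueError("keep at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Style 2: random words with a separator, for the few secrets you must type
    from memory (the manager's master password above all)."""
    if words < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform selections from `choices` options."""
    return picks * math.log2(choices)


def words_for_bits(list_size: int, target_bits: float) -> int:
    """How many words from a list of this size reach the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    pw = random_password(20)
    print(f"autofill password : {pw}  ({bits(len(ALPHABET), 20):.0f} bits)")
    pp = random_passphrase(6)
    print(f"memorable phrase  : {pp}  ({bits(len(WORDLIST), 6):.0f} bits from a 32-word list)")
    for size in (len(WORDLIST), 7776):
        print(f"{size}-word list needs {words_for_bits(size, 80)} words for 80 bits")
```

The printed entropy is the point of the comparison: six words from the tiny constructed list give only 30 bits, which is why the helper reports that such a list needs 16 words to reach 80 bits, while a 7,776-word list gets there in 7. Strength comes from random selection out of a large pool, not from the words themselves looking obscure.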

🍁 Try it now

Our password generator creates a strong, random password directly in your browser. Nothing is stored or transmitted. PIPEDA and Law 25 friendly by design.

Generate a password →

The Canadian context

About 43% of Canadians say they have been affected by a privacy breach, according to the Office of the Privacy Commissioner's 2024 to 2025 public opinion research. Bell Canada, Indigo, SickKids, and the Ontario Birth Registry all suffered serious incidents in recent years. The CRA breach of 2020, which used credential stuffing against tax accounts with reused passwords and no MFA, is still cited as a textbook case for what reuse does at scale.

For a Canadian, strong password hygiene is not paranoia. It is keeping pace with the reality of where your data already lives.

The minimum viable setup

If you do nothing else this month:

  1. Pick a password manager. Set a long random passphrase as your master password. Write it down somewhere physical until it is in your head.
  2. Generate fresh, unique 20 character passwords for your email, your bank, and your government accounts. Replace the old ones.
  3. Turn on two factor authentication on those same three accounts. We explain how in what is 2FA and why you need it.

That trio covers most of the realistic risk for an individual user. Everything else can come later.