Security Basics
What Makes a Password Secure in 2025?
March 15, 2025 - 6 min read
Password advice has changed a lot over the last twenty years. We have gone from mandatory symbols and strange capitalization rules to unnecessary expiration policies and arbitrary limits. Most of that came from good intentions-but poor assumptions about how attackers actually guess passwords.
Today, the landscape looks completely different. Attackers use massive breach databases, cheap GPU hardware, and deep-learning-based password models that mimic human behavior with surprising accuracy. Defenders, meanwhile, have shifted to longer secrets, passphrases, and usability-first practices.
With the release of NIST SP 800-63B-4 in July 2025, we now have a clear, modern standard: strong passwords are built on length and entropy-not complexity rules.
This guide explains what NIST now requires, what current research shows, and what password lengths actually make sense in 2025.
NIST's New Direction: Longer Secrets by Default
SP 800-63B-4 replaces older Digital Identity Guidelines and introduces one of the most important updates in years: a new minimum length requirement when a password is the only authentication factor.
When a password is used as the sole authenticator, systems must now support (and enforce) a minimum length of 15 characters. This does not mean users must choose 15 characters-but the system must allow and require it when no second factor exists.
With multi-factor authentication, the old eight-character minimum remains acceptable. But the intent is obvious: passwords that protect accounts on their own must be long enough to resist offline cracking.
NIST also continues to recommend allowing very long passwords-64+ characters-encouraging passphrases, and discouraging composition rules. Length and usability now take priority over special symbols and arbitrary complexity.
Reference: NIST SP 800-63B-4 (July 2025)
Passphrases: Usability Without Sacrificing Security
Long random strings are extremely strong, but also hard to memorize. Passphrases solve this by using several random words instead of random characters. Something like: harbor velvet transit mimic paper orchard
A six-word passphrase drawn from a 7,000-word list offers 70-85 bits of entropy, outperforming most human-made 20-character passwords. They are easy to type, easy to remember, and fit perfectly with NIST's "memorized secrets" approach.
For anything you need to remember manually, a random-word passphrase is almost always the best option.
Recommended Password Lengths (2025)
These recommended lengths combine NIST SP 800-63B-4 requirements, current research, and real-world cracking benchmarks.
| Purpose | Recommended Length | Notes |
|---|---|---|
| General accounts stored in a password manager | 16-20 characters (random) | Strong against modern offline attacks; easy to generate. |
| Email, banking, cloud accounts | 20-24 characters (random) | High-value targets; choose longer secrets. |
| Password manager master password | 24-30 characters (random) or 6-7 random words | Protects your entire identity. |
| Memorized password without a manager | 4-6 random words | Best balance of usability and entropy. |
| Wi-Fi / router passwords | 16-24 characters | Long-term credentials; avoid short Wi-Fi keys. |
| SSH key passphrase | 20+ characters or 5-6 random words | Protects private keys from targeted attacks. |
| API keys and machine secrets | 32-64 characters | These are not typed; use maximum entropy. |
| Local device PINs | 6-8 digits | PINs are rate-limited; length is less critical. |
Closing Thoughts
After years of confusing rules, password guidance is finally converging. Short passwords, even complex ones, are no match for modern offline attacks. Length and entropy are what matter.
The simplest rule of 2025 is also the most accurate:
Make it longer. You will make it safer.
If you use a password manager, let it generate long random passwords. If you must remember a password yourself, choose a handful of random words. And if you build authentication systems, allow long passwords, remove complexity rules, and follow the new NIST standards.
Ready to Generate Secure Passwords?
Use our secure password generator to create strong, random passwords that meet today's security standards.
Generate Secure Password