How Long Should a Password Be? (2026 Length Guide)

If you only change one thing about your passwords this year, make them longer.

Length is the single most important factor in how hard a password is to crack — more important than symbols, more important than mixed case, more important than swapping an "a" for an "@". Yet most people still cap their passwords at 8 characters because that's the minimum a website demands.

This guide gives you a clear, practical answer to the question "how long should a password be?" — backed by the math of how passwords actually get broken.

The Short Answer

Here are sensible minimums for 2026:

| Use case | Minimum length | Recommended |
|---|---|---|
| Throwaway / low-risk accounts | 12 characters | 14+ |
| Everyday accounts (shopping, forums) | 14 characters | 16+ |
| Email, social media, work logins | 16 characters | 20+ |
| Banking, finance, crypto | 16 characters | 24+ |
| Password manager master password | 4–6 random words | 6+ words |
| WiFi (WPA2/WPA3) | 16 characters | 20+ |

If you want a number to remember: 16 characters is a strong, future-proof default for almost everything. Bump it to 20+ for anything that would hurt to lose.

You can generate a password at any of these lengths instantly with our password generator — just drag the length slider to the number you need.

Why Length Beats Complexity

Every character you add to a password multiplies the number of possible combinations an attacker has to try. This is exponential growth, and exponential growth gets out of hand fast.

Say you use lowercase letters, uppercase letters, numbers, and symbols — a character set of roughly 94 possibilities per position. The total number of possible passwords is 94 raised to the power of the length:

  • 8 characters → 94⁸ ≈ 6 quadrillion combinations
  • 12 characters → 94¹² ≈ 475 sextillion combinations
  • 16 characters → 94¹⁶ ≈ 37 octillion combinations

Going from 8 to 16 characters doesn't double the difficulty — it makes it roughly 6 trillion times harder. Adding one symbol to an 8-character password is a rounding error by comparison.

This is why security researchers say "length beats complexity." A long password made of only lowercase letters can be far stronger than a short password crammed with special characters.

How Fast Can a Password Be Cracked?

Cracking speed depends on how the attacker gets at your password. There are two very different scenarios:

Offline cracking (the worst case)

If a website is breached and the attacker steals the hashed password database, they can guess offline at enormous speed — modern GPUs and clusters can attempt billions of guesses per second against weak hashing.

Here's roughly how long a full brute-force search takes against a random password (all 94 character types), assuming 100 billion guesses per second:

| Length | Approx. time to brute-force |
|---|---|
| 8 chars | under a day |
| 10 chars | a few months |
| 12 chars | thousands of years |
| 16 chars | longer than the age of the universe |
| 20 chars | effectively forever |

These numbers assume a truly random password. A predictable one — like Summer2026! — falls in seconds no matter how long it is, because attackers guess patterns before they brute-force.
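The keyspace arithmetic from "Why Length Beats Complexity" and the offline-cracking estimate, turned around to answer how long a random password must be to survive a given search time. This is an added example, not code from the site's generator; it assumes the page's rate of 100 billion guesses per second, uniformly random passwords, and a 1000-year target chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PAGE_RATE = 100_000_000_000  # 100 billion guesses per second, the rate assumed above

# Character-set sizes: the page's 94-symbol set plus two smaller ones for comparison.
CHARSETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 94}

def keyspace(length, charset_size):
    """Number of distinct passwords of exactly this length."""
    return charset_size ** length

def entropy_bits(length, charset_size):
    """Entropy of a uniformly random password; meaningless for human-chosen ones."""
    return length * math.log2(charset_size)

def exhaust_seconds(length, charset_size, rate=PAGE_RATE):
    """Time to try every candidate; on average a hit comes after half of this."""
    return keyspace(length, charset_size) / rate

def min_length(charset_size, years, rate=PAGE_RATE):
    """Shortest random password whose full search takes at least `years`."""
    target = math.ceil(years * SECONDS_PER_YEAR * rate)
    length = 1
    while keyspace(length, charset_size) < target:  # exact integer comparison
        length += 1
    return length

if __name__ == "__main__":
    for name, size in CHARSETS.items():
        n = min_length(size, years=1000)
        print(f"{name:16} needs {n:2d} random chars "
              f"({entropy_bits(n, size):.0f} bits) for a 1000-year search")
```

A smaller character set costs only a few extra characters to reach the same search time, which is the trade the section describes.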

Online attacks (rate-limited)

If an attacker is guessing against a live login form, rate limits, lockouts, and CAPTCHAs slow them to a crawl — maybe a few guesses per second at best. Here, even a 12-character random password is wildly out of reach. The real danger online is reused passwords from other breaches, not brute force.

What Length Does NIST Recommend?

The U.S. National Institute of Standards and Technology (NIST) sets the most widely referenced password guidance. Their modern recommendations:

  • Minimum 8 characters for user-chosen passwords, but they explicitly encourage much longer.
  • Support at least 64 characters so users can pick long passphrases.
  • Allow all characters, including spaces and Unicode.
  • Drop forced complexity rules (no mandatory uppercase + symbol + number).
  • Stop forcing periodic resets — change passwords only when there's evidence of compromise.

The takeaway: NIST treats length as the foundation and treats arbitrary complexity rules as counterproductive, because they push people toward predictable patterns like Password1!.
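A site-side view of the NIST points listed above, as an added example (not code from NIST or from this site): an auditor that flags policy settings conflicting with those points, plus a check showing what each policy actually accepts. The policy field names and both sample policies are hypothetical and constructed for illustration; counting length after NFKC normalisation is a choice made in this example.

```python
import unicodedata

# Constructed sample policies; the field names are hypothetical, not from any real product.
LEGACY_POLICY = {"min_length": 8, "max_length": 16, "allow_spaces": False,
                 "allow_unicode": False, "require_classes": ["upper", "digit", "symbol"],
                 "max_age_days": 90}
MODERN_POLICY = {"min_length": 12, "max_length": 128, "allow_spaces": True,
                 "allow_unicode": True, "require_classes": [], "max_age_days": None}

CLASS_TESTS = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}

def audit_policy(policy):
    """Return the ways a policy departs from the NIST points listed above."""
    findings = []
    if policy["min_length"] < 8:
        findings.append("minimum length below 8")
    if policy["max_length"] < 64:
        findings.append("maximum length below 64")
    if not (policy["allow_spaces"] and policy["allow_unicode"]):
        findings.append("spaces or Unicode rejected")
    if policy["require_classes"]:
        findings.append("forced composition rules")
    if policy["max_age_days"] is not None:
        findings.append("periodic reset enforced")
    return findings

def accepts(policy, password):
    """Would this policy accept the password? Length is counted in code points after NFKC."""
    pw = unicodedata.normalize("NFKC", password)
    if not policy["allow_spaces"] and any(c.isspace() for c in pw):
        return False
    if not policy["allow_unicode"] and not pw.isascii():
        return False
    if not policy["min_length"] <= len(pw) <= policy["max_length"]:
        return False
    return all(any(CLASS_TESTS[k](c) for c in pw) for k in policy["require_classes"])

if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("modern", MODERN_POLICY)):
        print(name, audit_policy(policy) or "no findings")
        for pw in ("Password1!", "glacier phantom butter notebook anchor"):
            print("   ", repr(pw), "accepted" if accepts(policy, pw) else "rejected")
```

The legacy policy accepts Password1! and rejects the five-word passphrase; the modern one does the opposite.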

Does Maximum Length Matter Too?

Yes — watch out for websites that cap password length at something short like 16 or 20 characters. A low maximum can be a red flag that a site stores passwords insecurely. It also limits how strong your password can be.

If a site won't accept a long password, do what you can within its limit (use the full length allowed, all character types, and keep it random) and make sure that password is unique to that site so a breach there can't spread.

Length for Passphrases vs. Random Passwords

A passphrase measures its strength in words, not characters. Because each random word adds a large chunk of entropy, four to six truly random words can rival or beat a 16-character random string — and it's far easier to type.

  • A random 16-character password: Kj7#mZq9!vXnL2@p
  • A 5-word passphrase: glacier-phantom-butter-notebook-anchor

Both are strong. The passphrase is longer in characters but easier to remember, which makes it ideal for the one password you actually have to type from memory — your password manager's master password. Create one with our passphrase generator.

The catch: the words must be random. A memorable sentence, song lyric, or quote is short on real entropy because attackers can guess natural language.
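What "the words must be random" means in practice, as an added example rather than the code behind this site's generators: both the password and the passphrase are drawn from the operating system's CSPRNG through Python's secrets module, and entropy is computed from the size of the pool. The 16-word list and the set of ambiguous characters are constructed for illustration; 7776 is the size of a standard diceware-style list and is an assumption of this example.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters
AMBIGUOUS = "0O1lI|"  # look-alike characters, chosen for this example

# Constructed 16-word sample list, far too small for real use; a real generator
# draws from a list of thousands of words.
WORDS = ["glacier", "phantom", "butter", "notebook", "anchor", "lantern", "orbit",
         "pebble", "saddle", "thistle", "velvet", "walnut", "cobalt", "ember",
         "harbor", "meadow"]

def usable_alphabet(skip_ambiguous=False):
    """The 94-character set, optionally without the look-alike characters."""
    return "".join(c for c in ALPHABET if not (skip_ambiguous and c in AMBIGUOUS))

def random_password(length=16, skip_ambiguous=False):
    """Each character is drawn independently and uniformly via `secrets`."""
    alphabet = usable_alphabet(skip_ambiguous)
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(n_words=5, words=WORDS, sep="-"):
    """Words are drawn with replacement, so each adds log2(len(words)) bits."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def password_bits(length, skip_ambiguous=False):
    """Entropy of a password produced by random_password with these settings."""
    return length * math.log2(len(usable_alphabet(skip_ambiguous)))

def passphrase_bits(n_words, list_size):
    """Entropy of a passphrase of n_words drawn from a list of list_size words."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    print(random_password(20, skip_ambiguous=True),
          f"{password_bits(20, True):.1f} bits")
    print(random_passphrase(5),
          f"{passphrase_bits(5, len(WORDS)):.1f} bits with the sample list")
    print(f"5 words from a 7776-word list: {passphrase_bits(5, 7776):.1f} bits")
```

Dropping the six look-alike characters costs a 20-character password less than two bits, while the size of the word list decides how much each passphrase word is worth.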

Practical Rules of Thumb

  1. Default to 16 characters for new passwords. It's strong today and for the foreseeable future.
  2. Go 20+ for high-value accounts — email, banking, and anything that can reset your other passwords.
  3. Use a passphrase of 4–6 random words for passwords you must memorize.
  4. Never reuse a password, no matter how long. Length doesn't help if the same password leaks from another site.
  5. Let a generator and password manager do the work. You don't need to type or remember 16 random characters — store them in a vault.

Generate the Right Length in One Click

You don't have to count characters by hand. Open our password generator, drag the length slider to 16, 20, or higher, and copy the result straight into your password manager. For a memorable master password, switch to the passphrase generator and pick the number of words. Want to sanity-check a password you already use? The password strength checker estimates how long it would take to crack.

FAQ

Is a 12-character password strong enough?

For everyday accounts, a random 12-character password is reasonable. For email, banking, or any account that can reset others, step up to 16 or more. Twelve characters is a floor, not a target — and only if it's random, not a predictable word-plus-numbers pattern.

Is a longer password always more secure?

Length helps enormously, but only when the password is also random and unique. A long predictable password like Welcome123456789 is weak because attackers guess patterns first. Aim for a password that is long, random, and not reused anywhere else.

What is the ideal password length in 2026?

Sixteen characters is an excellent default that balances strength and practicality. Use 20 or more for sensitive accounts. For passwords you must memorize, a 4–6 word random passphrase is ideal.

Does adding symbols matter if my password is already long?

Symbols add some entropy per character, but their effect is small compared to length. A 20-character password without symbols easily beats a 10-character password full of them. Include symbols when a site requires them, but don't rely on them as your main defense — rely on length and randomness.

How long should a WiFi password be?

Use at least 16 characters for a home network; 20 is a strong practical default for WPA2 and WPA3. Because you only type it occasionally, you can afford to make it long. Our WiFi password generator defaults to a 20-character key and can skip ambiguous characters for easier entry.

Why do some sites limit password length?

A short maximum (like 16 or 20 characters) is sometimes a sign the site stores passwords in a fixed-size field or handles them insecurely. Use the longest length the site allows, keep that password unique, and enable two-factor authentication where possible.
