PasswordCrunch.com
Password Security · 6 min read

How Long Should a Password Be? What the Experts Actually Say

The answer used to be "8 characters." That recommendation is now considered dangerously outdated. Here is what current security research, government guidelines and real-world cracking speeds tell us — including specific length targets by account type.

The short answer

For most accounts: 16 characters minimum. For high-value accounts (email, banking, password manager): 20+ characters. If a service allows longer passwords and you are storing the credential in a password manager, there is no practical reason not to use 30 or more.

These numbers assume a randomly generated password. A longer human-chosen password that follows predictable patterns can be far weaker than these figures suggest.

Why 8 characters is no longer enough

In 2003, security researcher Bill Burr published the guidelines that would define corporate password policy for the next 15 years: 8 characters minimum, at least one uppercase, one number, one symbol. He has since said he regrets writing them.

The problem is that cracking speeds have increased dramatically. In 2003, a high-end desktop computer could test millions of password combinations per second. Today, a mid-range gaming GPU can test billions per second. Purpose-built cracking rigs running multiple GPUs can test hundreds of billions per second. An 8-character password, even a complex one, can now be cracked in hours to days — sometimes minutes, depending on the hashing algorithm used to store it.

The maths is straightforward. An 8-character password drawn from 94 possible characters has 6.1 quadrillion possible combinations (94⁸). At 100 billion guesses per second, exhausting every possibility takes about 17 hours. That is the worst case for the attacker — most attacks use smarter methods and crack common passwords much faster.

What the numbers look like at different lengths

Using a full 94-character set (uppercase, lowercase, numbers, symbols) and an attack speed of 100 billion guesses per second:

Each additional character does not add a fixed amount of protection — it multiplies it by the character set size. This is why length has such outsized impact compared to adding another character type.

What NIST actually recommends

NIST's Special Publication 800-63B (updated in 2024) represents the most widely cited government guidance on password security. The key recommendations relevant to length:

The practical takeaway from NIST is that the industry got the priorities backwards: we focused on complexity requirements that were annoying and marginally useful, while under-emphasising length, which has the largest actual impact on security.

Recommendations by account type

Account type Recommended length Why
Password manager master password 5+ random words (passphrase) Needs to be memorisable; a passphrase balances security with recall
Email account 20+ characters Email is the recovery route for almost every other account — it is the highest-value target
Banking and financial 20+ characters (if allowed) Many banks cap password length; use the maximum they allow
Social media 16+ characters Account takeover can enable targeted scams against your contacts
Shopping / e-commerce 16+ characters Often stores payment details; breach risk is moderate to high
Low-value accounts (newsletters, forums) 16 characters Still worth a unique password to prevent credential stuffing reaching other accounts

When length is not the only answer

Length assumes the password is truly random. A 30-character passphrase made from words you chose yourself — your pet's name, your street, a favourite quote — may have far lower effective entropy than a 16-character random password, because pattern-based attacks will find it faster.

Length also does not protect against phishing (which captures your correct password) or against weak storage on the server side (which may allow your password to be cracked regardless of its strength). Two-factor authentication and unique passwords across accounts address risks that length alone cannot.

Set your length

Generate a password at exactly the length you need

Use the length slider to set anywhere from 6 to 64 characters. We default to 16 — bump it to 20 or more for anything important.

Open Password Generator

Cracking time estimates are illustrative and based on specific assumed attack speeds. Real-world times vary significantly based on hardware, hashing algorithm and attack method.