How Long Should a Password Be? What the Experts Actually Say
The answer used to be "8 characters." That recommendation is now considered dangerously outdated. Here is what current security research, government guidelines and real-world cracking speeds tell us — including specific length targets by account type.
The short answer
For most accounts: 16 characters minimum. For high-value accounts (email, banking, password manager): 20+ characters. If a service allows longer passwords and you are storing the credential in a password manager, there is no practical reason not to use 30 or more.
These numbers assume a randomly generated password. A longer human-chosen password that follows predictable patterns can be far weaker than these figures suggest.
Why 8 characters is no longer enough
In 2003, security researcher Bill Burr published the guidelines that would define corporate password policy for the next 15 years: 8 characters minimum, at least one uppercase, one number, one symbol. He has since said he regrets writing them.
The problem is that cracking speeds have increased dramatically. In 2003, a high-end desktop computer could test millions of password combinations per second. Today, a mid-range gaming GPU can test billions per second. Purpose-built cracking rigs running multiple GPUs can test hundreds of billions per second. An 8-character password, even a complex one, can now be cracked in hours to days — sometimes minutes, depending on the hashing algorithm used to store it.
The maths is straightforward. An 8-character password drawn from 94 possible characters has 6.1 quadrillion possible combinations (94⁸). At 100 billion guesses per second, exhausting every possibility takes about 17 hours. That is the worst case for the attacker — most attacks use smarter methods and crack common passwords much faster.
What the numbers look like at different lengths
Using a full 94-character set (uppercase, lowercase, numbers, symbols) and an attack speed of 100 billion guesses per second:
- 8 characters — ~17 hours to exhaust all combinations
- 10 characters — ~184 days
- 12 characters — ~4,600 years
- 16 characters — ~1.2 billion years
- 20 characters — more combinations than atoms in the Earth
Each additional character does not add a fixed amount of protection — it multiplies it by the character set size. This is why length has such outsized impact compared to adding another character type.
What NIST actually recommends
NIST's Special Publication 800-63B (updated in 2024) represents the most widely cited government guidance on password security. The key recommendations relevant to length:
- Minimum password length should be 8 characters for user-chosen passwords (but NIST notes this is a floor, not a target)
- Systems should allow passwords of at least 64 characters in length
- Length is the primary driver of password strength — NIST explicitly de-emphasises mandatory complexity rules
- Password rotation (forced periodic changes) is discouraged unless there is evidence of compromise
The practical takeaway from NIST is that the industry got the priorities backwards: we focused on complexity requirements that were annoying and marginally useful, while under-emphasising length, which has the largest actual impact on security.
Recommendations by account type
| Account type | Recommended length | Why |
|---|---|---|
| Password manager master password | 5+ random words (passphrase) | Needs to be memorisable; a passphrase balances security with recall |
| Email account | 20+ characters | Email is the recovery route for almost every other account — it is the highest-value target |
| Banking and financial | 20+ characters (if allowed) | Many banks cap password length; use the maximum they allow |
| Social media | 16+ characters | Account takeover can enable targeted scams against your contacts |
| Shopping / e-commerce | 16+ characters | Often stores payment details; breach risk is moderate to high |
| Low-value accounts (newsletters, forums) | 16 characters | Still worth a unique password to prevent credential stuffing reaching other accounts |
When length is not the only answer
Length assumes the password is truly random. A 30-character passphrase made from words you chose yourself — your pet's name, your street, a favourite quote — may have far lower effective entropy than a 16-character random password, because pattern-based attacks will find it faster.
Length also does not protect against phishing (which captures your correct password) or against weak storage on the server side (which may allow your password to be cracked regardless of its strength). Two-factor authentication and unique passwords across accounts address risks that length alone cannot.
Generate a password at exactly the length you need
Use the length slider to set anywhere from 6 to 64 characters. We default to 16 — bump it to 20 or more for anything important.
Open Password GeneratorCracking time estimates are illustrative and based on specific assumed attack speeds. Real-world times vary significantly based on hardware, hashing algorithm and attack method.