How long should a password be? The minimum safe length in 2026

Password length is the single most important factor in password strength. An 8-character password drawn from all 95 printable ASCII characters can be brute-forced by a modern GPU cluster in hours. A 12-character password takes centuries. A 16-character password is effectively uncrackable by any known attack with current hardware. Length beats complexity every time.

How this is calculated

The math: a password's keyspace is characterSetSize^length. With 95 printable ASCII characters, an 8-character password has 95^8 ≈ 6.6 × 10^15 combinations. A single RTX 5090 can test roughly 10^10 hashes per second against fast hashes like MD5 or NTLM. That's 6.6 × 10^5 seconds, or about 7.6 days for the entire keyspace, and 3.8 days on average.

Against bcrypt (which is deliberately slow), the same attack would take millennia. But you don't know which hash algorithm the service uses, and many still use fast hashes. A 16-character password has 95^16 ≈ 4.4 × 10^31 combinations, taking longer than the age of the universe on any hardware.

For reference, NIST SP 800-63B recommends a minimum of 8 characters for user-chosen passwords and 6 characters for randomly generated ones, but these are minimums from 2017. Modern guidance is 12 minimum, 16+ recommended.

Verdict

Use 16+ characters. Use a password manager to generate and store them so you don't have to remember them. Length is your primary defense against brute-force attacks. Complexity (mixing character types) helps, but length matters far more.
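The keyspace arithmetic from "How this is calculated", together with a uniform generator for the 16+ character advice, as an added example (not this site's generator code). The function names are hypothetical, and the 10^10 guesses-per-second rate is the article's fast-hash figure rather than a measurement.

```javascript
// Added example. Works in a browser or in Node (falls back to node:crypto's webcrypto).
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// The 95 printable ASCII characters, 0x20 (space) through 0x7E (~).
const CHARSET = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join('');
const FAST_HASH_RATE = 1e10;       // guesses/second, the article's MD5/NTLM figure
const SECONDS_PER_YEAR = 31557600; // 365.25 days

// Exact keyspace as a BigInt: charsetSize^length.
function keyspace(charsetSize, length) {
  return BigInt(charsetSize) ** BigInt(length);
}

// Worst-case seconds to try every candidate at `rate` guesses per second.
function secondsToExhaust(charsetSize, length, rate) {
  return Number(keyspace(charsetSize, length)) / rate;
}

// Smallest length whose average-case search (half the keyspace)
// takes longer than `targetYears` at the given guess rate.
function minLength(charsetSize, rate, targetYears) {
  let length = 1;
  while (secondsToExhaust(charsetSize, length, rate) / 2 < targetYears * SECONDS_PER_YEAR) {
    length++;
  }
  return length;
}

// Uniform random password. Rejection sampling avoids the modulo bias that a
// plain `byte % 95` would introduce, because 256 is not a multiple of 95.
function generatePassword(length, charset = CHARSET) {
  const limit = 256 - (256 % charset.length); // largest multiple of the charset size <= 256
  const out = [];
  const buf = new Uint8Array(length * 2);
  while (out.length < length) {
    webcrypto.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(charset[b % charset.length]);
    }
  }
  return out.join('');
}
```

Rerunning `minLength` with a lower rate shows how much a slow hash such as bcrypt shifts the required length, which is the dependency the calculation above turns on.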

Frequently asked questions

How long should a secure password be?
16 characters or more, drawn from uppercase, lowercase, numbers, and symbols. A 16-character mixed password is currently impractical to brute-force with commodity hardware, while 8-character ones can be cracked in hours by modern GPUs.
Is the generated password actually random?
Yes. The generator uses the browser's crypto.getRandomValues(), a cryptographically secure random source backed by OS entropy. The output is suitable for production password managers, API keys, and seed phrases.
Is my password saved anywhere?
No. The entire generator runs in your browser, with no network requests, no logging, and nothing stored. Close the tab and the password is gone from memory. Check your browser's Network tab to verify there are no outbound calls when a new password is generated.
What's the difference between a passphrase and a password?
A passphrase is a string of dictionary words (like "correct-horse-battery-staple"), long but memorable. A password is usually shorter with mixed character classes (like "Kx9$mQ2!pR"). Passphrases are typically stronger per character of memory effort, and this tool generates both styles.
Should I use the same password everywhere?
Never. Use a password manager (Bitwarden, 1Password, Apple Passwords) and generate a unique strong password for every site. Password reuse is the single biggest cause of account takeover. One breached service leaks the credential, and every other account using it is automatically compromised.
How often should I change my passwords?
Modern guidance (NIST SP 800-63B) says don't rotate strong unique passwords on a schedule. Only change them if you suspect compromise. Forced rotation encourages weak, incremented passwords. Strong password + password manager + 2FA is safer than any rotation policy.