How Long Should a Password Be in 2026?

·6 min read

The short answer: 16 characters minimum for anything that matters, 20+ for accounts you can never afford to lose (email, banking, crypto). This post explains why the number went up, what "strong" actually means in 2026, and gives you a rulebook you can copy-paste.

Why the recommended length keeps rising

Password strength is measured in entropy — the number of guesses an attacker needs to make on average. Every added character multiplies the search space. What changes year over year isn't the math; it's the attacker's hardware.

A single modern GPU (2026 consumer cards, Hashcat with -m 22000) can attempt tens of billions of NTLM hashes per second, and cheap cloud clusters push that into the trillions. Anything an old blog post called "safe" in 2015 is now trivially crackable if the site leaks its hash database.

2026 rulebook

  • Throwaway account, forum signup: 12 characters, random.
  • Real account you'd care about losing: 16 characters, random, mixed case + digits + symbols.
  • Primary email, banking, password manager master password: 20+ characters, or a 6–7 word Diceware passphrase.
  • Cryptocurrency wallet or seed backup: generate the wallet's own recovery phrase and store it offline. Don't invent your own.

Random string vs passphrase

Both work if they have enough entropy. A random 16-character string from a full alphabet (~95 printable ASCII) has about log₂(95¹⁶) ≈ 105 bits of entropy. A six-word Diceware passphrase has about log₂(7776⁶) ≈ 77 bits — still comfortably beyond any offline attack, and dramatically easier to type.

Rule of thumb: if you'll ever type it on a phone, use a passphrase. If a password manager will type it for you, use a random string.

What makes a password weak

  • Reuse. The biggest single failure mode. One breach compromises every account with the same password.
  • Personal details. Birthdays, pet names, sports teams — all in every wordlist.
  • Predictable substitutions. P@ssw0rd is not stronger than Password. Attackers apply leet-speak rules automatically.
  • Short length. 8 characters, even fully random, falls in hours on a rented GPU.

Turn on 2FA anyway

Length matters most when a site's database leaks. It matters much less when the attacker just tries to log in through the front door — that's what rate limits and multi-factor authentication are for. A 20-character password behind hardware-key 2FA is the current gold standard for a personal email or password manager.

Generate one now

Our Password Generator creates cryptographically random passwords of any length, right in your browser. Nothing is sent to a server, nothing is logged, and the output is regenerated on every keystroke.

Keep reading