How long should a password be
Use at least 16 characters for anything you care about. NIST now recommends a 15 character minimum for accounts protected by a password alone, and CISA says 16 or more. At those lengths, a truly random password is beyond any brute force attack, no matter what hardware the attacker brings.
That is the short answer. The longer answer depends on how the password was made, what it protects, and how someone would attack it. The math below covers all of that, and none of it is complicated.
What the standards actually say
NIST SP 800-63B recommends at least 15 characters when a password is the only thing protecting an account, with an 8 character floor allowed where multi factor authentication is also on. CISA recommends 16 or more characters, or a memorable passphrase of 4 to 7 unrelated words.
The current NIST SP 800-63B guidance also tells sites to accept passwords of at least 64 characters, to drop composition rules (no more "one uppercase, one digit, one symbol"), and to stop forcing scheduled password changes unless there is evidence of compromise. All three changes point the same direction: length and randomness do the work, rituals don't.
CISA's Secure Our World guidance pairs the 16 character recommendation with three other habits: use a password manager, turn on MFA, and stay alert to phishing. Length is one leg of the table, not the whole table.
The brute force math
A random 16 character password built from letters, digits, and symbols would take an offline attacker about 14 trillion years to crack at 10 billion guesses per second. An 8 character password from the same pool falls in about 2 days. Nothing else about the two passwords differs. Length alone does that.
The numbers below assume an offline attacker who stole a password database and can test 10 billion guesses per second, finding the password on average after searching half the possibilities. That is roughly the worst realistic case for you, so it is the right one to plan around.
| Length (letters, digits, symbols) | Entropy | Average time to crack |
|---|---|---|
| 8 characters | 51 bits | About 2 days |
| 10 characters | 64 bits | About 35 years |
| 12 characters | 77 bits | About 259,000 years |
| 14 characters | 90 bits | About 2 billion years |
| 16 characters | 103 bits | About 14 trillion years |
| 20 characters | 129 bits | Longer than the universe has existed |
Some sites reject symbols, so here is the same math with letters and digits only. Each character carries slightly less entropy, which mostly matters at short lengths.
| Length (letters and digits) | Entropy | Average time to crack |
|---|---|---|
| 8 characters | 48 bits | About 3 hours |
| 12 characters | 71 bits | About 5,000 years |
| 16 characters | 95 bits | About 76 billion years |
| 20 characters | 119 bits | Effectively uncrackable |
The plain reading: 8 characters is a weekend project for an attacker. 12 is out of reach today. 16 is out of reach forever. Dropping symbols from a 12 character password costs about 6 bits, roughly one character's worth, so if a site bans symbols, just go a couple of characters longer with an alphanumeric password generator and you're back to even.
One warning. These figures only apply to randomly generated passwords. A human-invented 16 character password made from a pet's name and a year gets nowhere near 103 bits, because dictionary attacks try names, dates, and common patterns first. What makes a strong password covers why randomness is the other half of the equation.
Why length beats complexity
Adding one random character multiplies an attacker's work by 86, the size of the full character pool. Swapping an o for a 0 multiplies it by roughly nothing, because every cracking tool tries those substitutions automatically. If you change only one thing about your passwords, make them longer, not fancier.
Complexity rules had a good run, but they trained everyone into the same moves: capital letter first, exclamation mark last, a for @, e for 3. Attackers encode those habits as mangling rules and apply them to entire dictionaries in seconds. "P@ssw0rd2026!" satisfies every composition checkbox ever written and falls almost instantly.
Growth by multiplication is the whole story. Going from 12 to 16 random characters doesn't add a third more security. It multiplies the search space by 86 four times over, about 55 million fold. That is why NIST removed composition requirements from its guidance rather than tightening them.
What that means for passphrases
Each word from the EFF short wordlist (1,296 words) adds about 10.3 bits of entropy. Five words is about 52 bits, six words about 62 bits, seven words about 72 bits. Five is fine for rate limited logins, six is a sound default for anything important, and seven suits offline targets like a password manager vault.
The offline crack times are about 2 days for five words, 8 years for six, and 10,000 years for seven. Those sound alarming next to the tables above, but most passphrase logins never face an offline attack. Guessing against a live login page with rate limits runs millions of times slower, so five or six words holds up well there. Three words carries only 31 bits and falls in under a second offline, so treat four words as the hard floor.
Our passphrase generator draws words using the same dice-style method the EFF wordlists were designed for. If you're weighing the two formats against each other, passphrase vs password walks through when each one wins.
Wi-Fi keys, PINs, and length caps
Wi-Fi passwords must be 8 to 63 printable ASCII characters, and 16 to 24 is the sweet spot. PINs run 4 to 8 digits but are guarded by lockouts, so the brute force tables don't apply. And a website that caps passwords at 12 or 16 characters is waving a red flag.
Wi-Fi deserves the extra length because WPA2 handshakes can be captured over the air and attacked offline at full speed. WPA3 uses SAE, which resists offline dictionary attacks, but plenty of networks still run WPA2 or mixed mode. You type the key once per device, so there is little cost to generating 16 to 24 random characters with a Wi-Fi password generator and forgetting about it.
PINs play a different game. A 6 digit PIN has only about 20 bits of entropy, which would fall instantly offline, but your phone wipes itself or adds long delays after a handful of wrong tries, so brute force never gets going. Pick a random PIN with a PIN generator instead of a birthday and the lockout does the rest.
Length caps are the reverse signal. NIST says sites should accept at least 64 characters, so a site that refuses anything past 12 or 16 may be squeezing passwords into a fixed database field or handling them in some other dated way. You can't fix their backend. Use the longest password the cap allows, and turn on MFA there if it exists.
The bottom line
Sixteen random characters is the answer for almost everyone in 2026, with 20 or more for anything an attacker could crack offline. Here is the whole article as a checklist.
- Use 16 random characters minimum for accounts that matter. The strong password generator on our homepage has one-click presets for 16, 20, and 32 characters.
- Go to 20 or more characters, or a 7 word passphrase, for a password manager master password, disk encryption, or anything else that could be attacked offline.
- Prefer a 6 word passphrase where you'll type the password by hand. Never use fewer than 4 words.
- Don't go under 15 characters on any account that lacks MFA.
- Give your Wi-Fi network 16 to 24 random characters; the standard allows up to 63.
- If a site caps password length, max out the cap and enable MFA.
- Length only counts when the password is random. Generate it, don't invent it.