Passwords guard almost everything we do online—email, banking, social media, cloud storage, developer platforms, and more. Choosing the right length (and composition) for a password is one of the simplest ways to improve security without changing your daily workflow too much.
This article explains how long a password should be, why length matters, what leading standards bodies recommend, and how to create strong, unique passwords that are easy to manage.
What is a strong password?
A strong password is one that’s hard for attackers to guess or compute. Strength comes from two main ingredients:
- Length: more characters dramatically increase the number of possible combinations.
- Unpredictability: randomness and avoiding common patterns or personal information.
When those two factors are present, passwords resist brute-force attacks (systematically trying combinations), dictionary attacks (trying common words and patterns), and many automated cracking techniques.
Minimum password length: aim for 16 characters (or more)
Security experts consistently emphasize length. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommends choosing passwords that are “Long—at least 16 characters long (even longer is better).” You can read their guidance here: https://www.cisa.gov/secure-our-world/require-strong-passwords
The National Institute of Standards and Technology (NIST) takes a similar stance in its Digital Identity Guidelines, highlighting that password length is a primary factor in characterizing password strength and that users should be encouraged to create longer passwords where practical. See: https://pages.nist.gov/800-63-4/sp800-63b.html
In practice, 14 characters should be considered a lower bound, while 16+ characters is a better default. For particularly sensitive or long-lived accounts, going even longer is beneficial—provided the site allows it and you can store the password securely.
Is the longest password always best?
Longer is almost always stronger against brute force. But there are a few practical considerations:
- Site limits: Some services cap maximum length or restrict certain characters. When that happens, use the longest length allowed with high randomness.
- Usability: If you are typing passwords on small devices or in constrained environments, extremely long strings might be cumbersome—unless you use a password manager to auto-fill.
- Threat model: For accounts with strong rate limiting and multi-factor authentication (MFA), going beyond 20–24 characters may have diminishing returns compared to enabling MFA and ensuring uniqueness.
Bottom line: Use the longest, most random password that fits the site’s policy and your workflow—then add MFA where available.
Do I need numbers, capitals, and special characters?
Many sites require a mix of character sets (lowercase, uppercase, digits, symbols). Including multiple sets generally increases search space and hinders guessing attacks. However, “complexity rules” are less important than length and randomness. A 20-character random password using just letters can be stronger than an 8-character string that mixes every character type.
If a site enforces composition rules, let your password manager generate a random password that satisfies them. If it does not, prioritize length and randomness over forced complexity.
The four character sets often referenced are:
- Digits (0–9)
- Lowercase letters (a–z)
- Uppercase letters (A–Z)
- Symbols (e.g., ! $ % & ? # @)
Randomness: the key to real strength
Length alone isn’t enough if the password follows predictable patterns. Avoid:
- Keyboard walks like
1qaz2wsxorqwertyuiop - Common words and phrases (even very long ones)
- Personal information (names, dates, addresses)
Two great ways to get randomness you can live with:
- Random passwords: Let a password generator create 16–24 character strings that include multiple character sets. Store them in a password manager so you never have to memorize them.
- Passphrases: Use 4–6 randomly selected words (not a common quote or song lyric). Random word passphrases like
tunnel-magnet-silk-oxygen-duetcan be both lengthy and more memorable. Add separators and, if allowed, a symbol or number or two.
Why “very long” can still be weak
Some long strings are easy targets because they follow obvious patterns or show up in breach datasets. For example, long keyboard sequences, repeated character blocks, or widely shared "tricks" are among the first guesses modern cracking tools attempt. Length must be paired with unpredictability to be effective.
Before using a password, it's wise to ensure it doesn't appear in known breach corpora. Many password managers and security tools provide "have I been pwned" checks or similar screening. You can also use a password strength tester to evaluate your passwords.
Beyond guessing: phishing and reuse risks
Not all account takeovers involve guessing. Phishing and reuse are frequent causes of compromise:
- Phishing: Even a 30-character password can be stolen if you enter it on a fake site. Use MFA wherever possible and consider hardware security keys for high-value accounts.
- Reuse: If you reuse a password, a breach on one site can cascade to others. Unique passwords per site contain the blast radius.
Length helps against guessing, but phishing and reuse are mitigated by MFA and a password manager that makes unique credentials effortless.
Strong password best practices
- Use a password manager: Generate and store unique, random passwords for every account. This removes the need to remember them and simplifies using long strings.
- Prefer length and randomness: Aim for 16+ characters. If possible, include multiple character sets, but don’t sacrifice length to meet arbitrary rules.
- Turn on MFA everywhere: App-based TOTP, push-based authenticators, or hardware keys significantly reduce risk.
- Don’t reuse passwords: One site, one password—always.
- Avoid personal info and patterns: No names, birthdays, addresses, or keyboard paths.
- Periodically review critical accounts: Email, financial services, developer platforms, and admin consoles deserve extra scrutiny.
Managing unique, strong passwords for every account
The practical way to scale 16–24 character unique passwords across dozens (or hundreds) of sites is to use a password manager. With a manager, you can:
- Generate strong passwords tailored to each site's policy (try our password generator)
- Auto-fill to avoid mistyping (and reduce exposure to shoulder surfing)
- Sync securely across devices
- Check for reused, weak, or breached passwords (use our password strength tester)
If a site limits length or symbols, configure the generator accordingly—still prioritizing maximum length.
Quick recommendations
- Everyday accounts: 16–20 random characters
- High-value accounts (email, banking, cloud admin): 20–24 random characters + MFA
- Long-lived secrets (API keys, SSH keys): use manager storage; follow platform guidance; prefer passphrases only if truly random
Final thoughts
How long should a password be? As long as the site allows—aim for at least 16 characters—and make it random and unique. Add MFA for a strong second layer. With a password manager handling generation and storage, you can have robust security without extra cognitive load.
