How Long Should a Password Be in 2026?


The short answer: at least 16 characters for important accounts, and longer if you can. The longer answer is more interesting, because once you understand why, you will never go back to eight-character passwords.

Why length wins

Every character you add multiplies the number of possible combinations an attacker must try. This is exponential growth, and exponential growth is brutal. A password drawn from lowercase letters has 26 possibilities per character. Add one character and you multiply the total by 26. Add five and you multiply it by nearly 12 million.

Complexity (mixing in symbols and numbers) increases the possibilities per character, but that only enlarges the base being multiplied, a small gain compared to the explosive effect of adding length. That is why a long passphrase beats a short, symbol-heavy password almost every time. We unpack the math in what is password entropy, and you can measure any password yourself with the password entropy calculator.

What the numbers look like

Modern attackers can try enormous numbers of guesses per second, especially against leaked password databases where the protection is weak. The practical implication:

  • 8 characters: crackable quickly, even with symbols. Treat as insecure.
  • 12 characters: much better, but still within reach for high-value targets.
  • 16 characters: strong for almost everyone, especially as a random string or passphrase.
  • 20+ characters: comfortable margin for your most sensitive accounts.

These are rules of thumb, not guarantees — actual cracking time depends on how the site stored the password and whether it used predictable patterns. The point is the direction: more length, more safety, with rapidly diminishing risk.

Length is free when you use a manager

The usual objection is "I can't remember a 20-character password." You are right, and you should not try. A password manager generates and stores long random passwords so you never type or memorize them. The only password you need to remember is your one master password, which can be a long passphrase you actually find memorable.

On a Mac, Passlock stores these long passwords in the native Keychain and keeps everything offline, so length costs you nothing in convenience.

When sites limit your length

Some older sites cap password length at, say, 16 or 20 characters, or ban certain symbols. Use the maximum they allow. A 16-character random password is still excellent. If a site limits you to something absurdly short, that is a warning sign about how seriously they take security — enable two-factor authentication there and never reuse that password.
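
The sketch below is an added example, not code from this site or from Passlock. It generates a random password under a site's length cap and banned characters, and reports the resulting entropy with the same keyspace math as in "Why length wins". The function names and the sample site policy are assumptions made for illustration.

```python
import math
import secrets
import string
from typing import Optional, Tuple

# 26 lowercase + 26 uppercase + 10 digits + 32 punctuation = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate(length: int = 20, max_len: Optional[int] = None,
             banned: str = "") -> Tuple[str, float]:
    """Return (password, entropy in bits) under a site's restrictions.

    max_len and banned describe a hypothetical site policy (assumed names).
    """
    alphabet = [c for c in FULL_ALPHABET if c not in banned]
    if len(alphabet) < 2:
        raise ValueError("policy leaves no usable characters")
    if max_len is not None:
        length = min(length, max_len)  # use the maximum the site allows
    if length < 1:
        raise ValueError("length must be at least 1")
    # secrets draws from the OS CSPRNG; the random module is predictable.
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    # Length versus complexity, using the alphabets discussed above.
    print(f"8 chars, all 94 symbols : {entropy_bits(94, 8):5.1f} bits")
    print(f"16 chars, lowercase only: {entropy_bits(26, 16):5.1f} bits")
    # Constructed policy: 16-character cap, no punctuation allowed.
    pw, bits = generate(length=20, max_len=16, banned=string.punctuation)
    print(f"site-limited password   : {pw} ({bits:.1f} bits)")
```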

The simple rule to remember

Pick length over cleverness. A random 16-character password or a six-word passphrase will outlast almost any "complex" eight-character password you could invent. Generate it with the secure password generator, store it in a manager, and move on with your day.

Frequently asked questions

Is a 12-character password still safe?

It is reasonable for low-stakes accounts, but for email, banking, and other important logins, aim for 16 or more characters.

Does adding symbols matter if my password is long?

Symbols help, but length helps far more. A long passphrase without symbols typically beats a short password packed with them.
