How Long Should a Password Be in 2026?
The "8 characters" rule was written for 1990s hardware. Since then, cracking speeds have increased by several orders of magnitude, breach databases have grown to billions of entries, and credential attacks have become fully automated. The question of password length has a real answer in 2026, and it's longer than most people think.
Why length is the most important variable
Password strength isn't primarily about complexity — it's about the size of the search space an attacker has to cover. Every character you add multiplies that space. A 16-character password isn't twice as hard to crack as an 8-character one. It's exponentially harder.
Substitutions like replacing "a" with "@" or "e" with "3" add almost nothing. Attackers run those transformations automatically. The substitution patterns are baked into every serious cracking toolkit and wordlist. Length is the variable that actually scales.
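To make the scaling concrete, here is an added Python example (not from the article) that computes the search space, the entropy in bits and an expected offline cracking time for uniformly random passwords of several lengths. The guess rate of 1e10 per second is an assumed figure for a fast unsalted hash, not a benchmark; a slow salted KDF such as bcrypt or Argon2 lowers it by orders of magnitude, but the exponential growth with length is the same either way.

```python
import math

# Assumed attacker throughput for the illustration (a constructed figure, not a
# benchmark): 1e10 guesses per second against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10

# Alphabet sizes for uniformly random passwords drawn from each character set.
ALPHABETS = {
    "lowercase": 26,        # a-z
    "alphanumeric": 62,     # a-z, A-Z, 0-9
    "printable_ascii": 95,  # everything on a US keyboard
}


def search_space(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters from the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password: log2 of the search space."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length: int, alphabet_size: int,
                           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly random password: on average half the space is searched."""
    return search_space(length, alphabet_size) / 2 / guesses_per_second


def growth_factor(short_len: int, long_len: int, alphabet_size: int) -> int:
    """How many times larger the search space gets when going from short_len to long_len.

    Doubling the length does not double the work: it multiplies it by alphabet**short_len.
    """
    return alphabet_size ** (long_len - short_len)


def human_duration(seconds: float) -> str:
    """Rough human-readable duration for a table like the one in the article."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare_lengths(lengths=(8, 12, 16, 20), alphabet_size: int = 95):
    """Rows of (length, bits, expected crack time) at the assumed guess rate."""
    return [(n, round(entropy_bits(n, alphabet_size), 1),
             human_duration(expected_crack_seconds(n, alphabet_size)))
            for n in lengths]


if __name__ == "__main__":
    for length, bits, when in compare_lengths():
        print(f"{length:>2} chars  {bits:>6.1f} bits  ~{when}")
    print("16 vs 8 chars, printable ASCII: search space grows by",
          f"{growth_factor(8, 16, 95):.2e}x")
```

Run it as a script to print the table; the 8-character printable-ASCII row lands in the range of days at the assumed rate, while the 16-character row is far beyond any realistic budget, which is the whole argument of the section in numbers.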
What current guidance says
NIST updated its digital identity guidelines in 2024 (SP 800-63B). The key points for length:
- Minimum: 8 characters (for most contexts)
- Recommended: 15 or more characters
- Maximum: systems should allow at least 64 characters
- Complexity requirements are no longer recommended — they often push users toward predictable patterns
The recommendation to drop mandatory complexity rules is significant. NIST found that forcing users to include symbols, numbers, and mixed case consistently produces passwords like P@ssw0rd1! — which looks complex and cracks quickly because attackers know the patterns.
The paradox: complexity requirements often make passwords weaker in practice, because they push users toward the same substitution patterns that cracking dictionaries already cover.
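As an added example (not code from the article or from NIST), here is a password acceptance check in Python in the spirit of that guidance: a length floor, a generous ceiling, no composition rules, and a blocklist comparison performed after undoing the common substitutions, so that P@ssw0rd1!-style candidates are caught even though they "look complex". The blocklist and the substitution map are constructed for illustration; a real deployment would check against a large breach-derived list.

```python
import unicodedata
from typing import Tuple

# Constructed blocklist standing in for a breach-derived list of common base words.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome", "iloveyou", "admin", "monkey"}

# The substitutions every cracking toolkit already tries; undo them before comparing.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t",
})
# Digits and symbols typically appended to satisfy a composition rule.
FILLER = "0123456789!@#$%^&*()_-+=.,?"

MIN_LENGTH = 15    # the recommended minimum when the password is the only factor
MAX_LENGTH = 128   # accept long passwords; at least 64 characters must be allowed


def normalize(password: str) -> str:
    """Reduce a candidate to the base word an attacker's mangling rules would reach."""
    base = unicodedata.normalize("NFKC", password).lower()
    base = base.strip(FILLER) or base   # drop the "1!" / "2024" padding, unless that is all there is
    return base.translate(LEET_MAP)     # P@ssw0rd -> password


def check_password(password: str, min_length: int = MIN_LENGTH) -> Tuple[bool, str]:
    """Accept or reject with a reason. No composition rules: length and blocklist only."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    base = normalize(password)
    if base in BLOCKLIST:
        return False, f"reduces to the blocklisted word {base!r}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates: the article's example, a rule-satisfying weak one, a passphrase.
    for candidate in ["P@ssw0rd1!", "Welcome2024!!!!!", "mortar-velvet-cactus-ripple"]:
        ok, why = check_password(candidate, min_length=8)
        print(f"{candidate!r:32} {'OK' if ok else 'REJECT'}: {why}")
```

Note what the check does not do: it never demands a digit or a symbol, so an all-lowercase passphrase passes on length alone, while a 16-character "Welcome2024!!!!!" is rejected because stripping the padding leaves a blocklisted word.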
A practical length guide by account type
| Length | Where it stands | Verdict |
|---|---|---|
| 8 chars | The old minimum. Fine for low-value accounts with MFA. Completely inadequate for any account that holds real data or money. | Too short |
| 12 chars | Better, but still reachable with modern hardware if the password follows predictable patterns. Only safe if fully random. | Marginal |
| 16 chars | The practical minimum for important accounts in 2026. A fully random 16-character password is computationally out of reach for most attackers. | Good |
| 20+ chars | What to use for your most critical accounts: email, password manager, banking. A passphrase of 4-5 words lands in this range naturally. | Strong |
The passphrase case: long without effort
A passphrase is 4-6 random words joined by a separator. It typically produces a 20-30 character password. It's easy to type. And the search space is large enough that brute-force attacks become impractical even with significant hardware.
The key word is random. Words you choose yourself cluster around common vocabulary and personal associations. Use a generator that pulls from a large wordlist with a proper random source — not something you invent.
Example: a 5-word passphrase from a 7,776-word list (standard Diceware) has roughly 65 bits of entropy. That's strong by any current measure.
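An added Python example (not from the article) that generates a passphrase with the operating system's random source and computes the entropy figures above. The 24-word list inside it is a constructed stand-in for a real 7,776-word Diceware list and is far too small for real use, which the entropy calculation itself makes visible.

```python
import math
import secrets

# Constructed stand-in for a Diceware-style wordlist. A real list has 7,776 entries
# (6**5, one per roll of five dice); only the list *size* sets the entropy per word.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "drift", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "tundra", "umber", "velvet", "walnut", "zephyr",
]
DICEWARE_LIST_SIZE = 7776


def passphrase_entropy_bits(word_count: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `word_count` words chosen uniformly at random, with replacement."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words from the list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int = 5, wordlist=SAMPLE_WORDLIST, separator: str = "-") -> str:
    """Pick words with the OS CSPRNG via `secrets`; never random.choice or a hand-picked phrase."""
    if word_count < 1 or len(set(wordlist)) < 2:
        raise ValueError("need at least one word and a wordlist with distinct entries")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, "->", len(phrase), "characters")
    print(f"5 words from a {DICEWARE_LIST_SIZE}-word list: "
          f"{passphrase_entropy_bits(5):.1f} bits")
    print(f"5 words from this {len(SAMPLE_WORDLIST)}-word sample: "
          f"{passphrase_entropy_bits(5, len(SAMPLE_WORDLIST)):.1f} bits (far too small)")
    print("words needed for 80 bits from Diceware:", words_needed(80))
```

The entropy comes entirely from the uniform selection, which is why `secrets.choice` is used rather than a phrase you compose yourself; `words_needed` is the quick way to size a passphrase for a target such as 80 bits.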
When length matters less
Length matters most when an attacker can run offline cracking against a stolen password hash. If they have the hash, they can test billions of guesses per second without any lockout. That's the worst-case scenario your password needs to survive.
With strong multi-factor authentication in place, online attacks are rate-limited. An attacker can't try billions of guesses against a login form. In that environment, a shorter but unique password is much less of a risk than a short, reused password with no MFA.
The order of priority: unique first, long second, complex last.
What most people actually need to do
- Use a password manager and let it generate passwords of 20+ characters for every account. You don't need to remember them.
- Use a passphrase for the small number of passwords you actually type from memory: your manager's master password, your email, your device login.
- Enable MFA on every account that offers it, especially email and financial accounts. Length matters much less when MFA is in place.
- Never reuse passwords. A 30-character password reused across sites is still a single point of failure.
The short answer: 16 characters minimum for everything, 20+ for critical accounts, random or passphrase for both. If you're using a password manager, set the default generation length to at least 20 and forget about it.