buncha.tools
Tags: security, password, generators, how-to

How Long Should Your Password Be in 2026?

May 5, 2026 · 4 min read

The standard password advice from 2010 — "at least 8 characters, with a number and a symbol" — was obsolete by 2018 and is now actively dangerous. A current consumer GPU cracks every possible 8-character password (mixed case + digits + symbols) in under a day. Eight is no longer secure for anything important.

The current state of password recommendations is a moving target, but the direction is clear: longer.

NIST 2024 (SP 800-63B revision)

NIST is the US standards body that publishes the federal password guidance. The most recent revision (2024) made several changes that propagate through everything from corporate IT policies to consumer security advice:

  • Minimum 8 characters for user-chosen passwords, but with strong recommendations for longer.
  • Maximum at least 64 characters allowed — sites that cap passwords at 16 are demonstrably less secure.
  • No mandatory composition rules — the "must contain a symbol, digit, uppercase" rules are out. They drove people to predictable patterns ("Password1!", "Spring2024!") that crack faster than longer random strings.
  • No periodic password change requirements unless there's evidence of compromise. Forced rotation drove worse passwords, not better ones.
  • Compare against breach corpora — reject passwords that appear in known breach datasets.

The functional summary: "let people pick long passwords, don't make them rotate, screen against breaches."
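As an added illustration (not code from buncha.tools), here is what the five NIST points above look like when turned into an acceptance check: a length floor, a generous ceiling, no composition rules, a breach-corpus lookup, and rotation that is triggered only by evidence of compromise. The breach list is a constructed stand-in with a handful of entries; a real deployment would query a corpus of hundreds of millions of entries, typically by hash.

```javascript
// Added example: a NIST SP 800-63B-style password acceptance check.
// Not buncha.tools code. The rules are the five bullets above; BREACHED is a
// constructed stand-in for a real breach corpus.

const MIN_LENGTH = 8;    // NIST minimum for user-chosen passwords
const MAX_LENGTH = 64;   // NIST: sites must allow at least 64

// Constructed sample "known breached" set. A real corpus is looked up by hash
// (or k-anonymity range query), never by shipping the whole list.
const BREACHED = new Set([
  "password", "Password1!", "Spring2024!", "123456", "qwerty", "letmein",
]);

function validatePassword(candidate, breached = BREACHED) {
  // Count code points, not UTF-16 units, so an emoji counts as one character.
  const length = [...candidate].length;
  if (length < MIN_LENGTH) {
    return { ok: false, reason: `too short (minimum ${MIN_LENGTH} characters)` };
  }
  if (length > MAX_LENGTH) {
    return { ok: false, reason: `too long (maximum ${MAX_LENGTH} characters)` };
  }
  // Deliberately no composition rules: spaces, all-lowercase passphrases and
  // symbol-free strings are all fine as long as they are long and not breached.
  if (breached.has(candidate)) {
    return { ok: false, reason: "appears in a known breach corpus" };
  }
  return { ok: true, reason: "accepted" };
}

// Rotation is event-driven, not calendar-driven: only a compromise forces a change.
function rotationRequired({ compromised = false } = {}) {
  return Boolean(compromised);
}

// Demo of the rules against a few constructed inputs.
for (const pw of ["Spring2024!", "short", "correct horse battery staple", "x".repeat(65)]) {
  const { ok, reason } = validatePassword(pw);
  console.log(`${JSON.stringify(pw.slice(0, 30))}: ${ok ? "ok" : "rejected"} (${reason})`);
}
```

Note that `"correct horse battery staple"` passes: it has no digit, no symbol and no uppercase, and under the 2024 guidance that is exactly right, because length and breach screening are what matter.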

What GPU cracking actually achieves

The gap between "what guidelines recommend" and "what attackers can do" is the relevant question. Modern offline cracking benchmarks (against bcrypt-hashed passwords, the realistic attacker scenario):

  • 8 characters mixed case + digits + symbols (about 76 candidate chars per position, 76^8 ≈ 1.1 × 10^15) — single high-end GPU cracks in ~1 day. Eight RTX 4090s in parallel: hours.
  • 10 characters same alphabet (76^10 ≈ 6.6 × 10^18) — single GPU ~17 years. Eight in parallel: ~2 years. Within reach of a determined attacker.
  • 12 characters (76^12 ≈ 3.8 × 10^22) — single GPU ~110,000 years. Practical computational infeasibility unless the password is in a leaked corpus.
  • 16 characters (76^16 ≈ 1.3 × 10^30) — billions of years even for a state-level actor. Overwhelmingly safe.

These numbers assume the password is truly random across the full character set. Real-world passwords are usually closer to 4-5 effective bits per character (because they follow patterns) — divide the time to crack by 1,000 to 100,000 if your "12-character" password is actually "Spring2025!".
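To make the table above reproducible, here is an added estimator (not from the post) that derives each row from the keyspace size. One assumption is labelled in the code: the attacker's guess rate is back-derived from the post's own "76^8 in about a day on one GPU" figure rather than taken from a benchmark, so the 10-, 12- and 16-character rows follow from that single constant. It also carries the post's "4-5 effective bits per character" point through to a number, which the prose only gestures at.

```javascript
// Added example, not from the buncha.tools post: recompute the crack-time
// table from the keyspace size. ASSUMPTION: GUESSES_PER_SECOND is back-derived
// from the post's "76^8 in ~1 day on one GPU"; it is a modelling constant,
// not a measured hashcat figure.

const ALPHABET_SIZE = 76;                 // mixed case + digits + symbols, as in the post
const SECONDS_PER_DAY = 86400;
const SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY;
const GUESSES_PER_SECOND = ALPHABET_SIZE ** 8 / SECONDS_PER_DAY;   // ≈ 1.29e10 per GPU

// Entropy of a uniformly random string of `length` symbols.
function entropyBits(length, alphabetSize = ALPHABET_SIZE) {
  return length * Math.log2(alphabetSize);
}

// Seconds to try every candidate in a keyspace of 2^bits at the given rate.
// The expected time to hit one specific password is half of this; the post
// quotes full-search figures, so that is what we return.
function secondsToExhaust(bits, gpus = 1, rate = GUESSES_PER_SECOND) {
  return 2 ** bits / (rate * gpus);
}

function humanTime(seconds) {
  if (seconds < 3600) return `${(seconds / 60).toFixed(1)} minutes`;
  if (seconds < 2 * SECONDS_PER_DAY) return `${(seconds / 3600).toFixed(1)} hours`;
  if (seconds < SECONDS_PER_YEAR) return `${(seconds / SECONDS_PER_DAY).toFixed(1)} days`;
  return `${(seconds / SECONDS_PER_YEAR).toExponential(2)} years`;
}

// `bitsPerChar` models a patterned, human-chosen password (the post's 4-5 bits
// per character); leave it null for a truly random one over the full alphabet.
function crackEstimate(length, { bitsPerChar = null, gpus = 1 } = {}) {
  const bits = bitsPerChar === null ? entropyBits(length) : length * bitsPerChar;
  const seconds = secondsToExhaust(bits, gpus);
  return { bits: Number(bits.toFixed(1)), seconds, human: humanTime(seconds) };
}

// Reproduce the post's rows, then show what a "12-character" password with only
// 4 effective bits per character is actually worth.
for (const len of [8, 10, 12, 16]) {
  const one = crackEstimate(len);
  const eight = crackEstimate(len, { gpus: 8 });
  console.log(`${len} chars random: ${one.bits} bits, 1 GPU ${one.human}, 8 GPUs ${eight.human}`);
}
const patterned = crackEstimate(12, { bitsPerChar: 4 });
console.log(`12 chars patterned (4 bits/char): ${patterned.bits} bits, ${patterned.human}`);
```

The patterned row is the one to take away: 12 characters at 4 bits each is 48 bits, and at the same guess rate that keyspace falls in hours, not millennia. The row for 8 GPUs simply divides by eight; adding hardware scales linearly, while each extra random character multiplies the work by 76.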

The current advice, concretely

For most online accounts in 2026:

  • 16 characters minimum for anything that holds money or identity (banks, primary email, password manager, IRS, government IDs).
  • 12-14 minimum for everything else — but only if random. If you're typing the password by memory, 16+ becomes hard, which is why a password manager matters more than length above 12.
  • Length matters more than character variety past the basics. A 20-character all-lowercase passphrase ("correcthorsebatterystaple") has more entropy than a 10-character mixed-case-with-symbols password.

The biggest single security upgrade most people can make isn't a longer password — it's a password manager. Stored passwords don't have to be memorable, so they can be 20-character random gibberish. The manager itself is then the only password you need to memorize, and that one should be long.

Generating strong passwords

Buncha's password generator creates passwords using crypto.getRandomValues() — the browser's cryptographic-grade RNG. Default 16 characters with mixed case, digits, and symbols. Adjust length up to 64; toggle character classes if a specific site has annoying restrictions ("no symbols" sites still exist, unfortunately).

The page never sees or stores generated passwords. Once you generate one, copy it into your password manager — that's the canonical home for it. Typing it from memory defeats the entropy argument.

A word about passphrases

Passphrases — multiple random words concatenated, the "correcthorsebatterystaple" approach — are an alternative that works well for the master password on a password manager. The math: 4 random words from a 7,000-word list is ~50 bits of entropy (7000^4 ≈ 2.4 × 10^15) — equivalent to about 8 random characters. 6 words gets you to 75 bits, comfortably past the practical-cracking line.

The advantage of a passphrase is memorability. The trade-off is that passphrases are optimized for typing, not pasting — for everything you store in a password manager, a 20-character random string packs more entropy per character.

TL;DR

  • 16 characters random for high-value accounts
  • 12+ for everything else, all stored in a password manager
  • Use a generator, never type a password from memory if you can help it
  • Length matters more than character variety past the basics