Security guide
How Long Should a Password Be?
Learn when to choose 12, 16, 20, or 32 characters and why password length, uniqueness, and storage matter more than visual complexity.
Summary
For most modern accounts, 16 random characters is a strong practical baseline. Use 20 or more for important personal, email, banking, work, or admin accounts. Use 32 characters when the password will be stored in a manager and protects high-value access.
Try the 16 character, 20 character, or 32 character generators.
Length bands
Short passwords are easier to guess because there are fewer possible combinations. Six to nine characters is normally too short for account security. Ten to fourteen characters may be accepted by many services, but should not be treated as the preferred choice for important accounts.
Sixteen random characters is a good default when a password manager stores the value. Twenty characters adds margin while remaining compatible with many sites. Thirty-two characters is useful for admin panels, encrypted files, database credentials, and local secrets.
Random length versus human length
A random 16-character password is very different from a human-made 16-character phrase. Human choices often include words, dates, names, and predictable endings. Attackers test those patterns before attempting blind brute force.
Practical recommendations
- Use 16 characters as a normal baseline.
- Use 20–32 characters for high-value accounts.
- Use a passphrase if memorability matters.
- Use no-symbol or no-ambiguous presets only when compatibility requires them.
- Never reuse a password just because it is long.
Detailed guidance
This guide focuses on choosing password length for different account risks. It is written for readers comparing 12-, 16-, 20-, 24-, and 32-character choices. The practical goal is not to make a dramatic security claim but to choose a password habit that can survive everyday use: sign-in forms, password managers, mobile keyboards, account recovery, shared devices, and the occasional service with strange validation rules. A secure recommendation is only useful if a real person can follow it consistently.
The safest starting point is randomness plus uniqueness. Randomness means the value is selected from a large space by a cryptographically suitable random source, not invented from a birthday, a pet name, a keyboard pattern, or a favorite quote. Uniqueness means the same password is not used anywhere else. A password that is long but reused can fail quickly after one unrelated breach, while a unique random password limits the damage to the single account where it was used.
For this topic, a practical preset is 16 characters for ordinary accounts, 20 or more for important accounts, and 32 for secrets that are stored rather than typed. You can apply that preset with the 32-character password generator and then store the final value in a trusted password manager. PwdGen generates values locally in the browser with Web Crypto; the generated password is not sent to a PwdGen server. That local design reduces server-side exposure, but it does not protect against every threat. A malicious browser extension, a compromised device, a phishing page, or unsafe clipboard handling can still expose a secret after it is generated.
The most common problems to avoid are short random values, maximum length limits, legacy forms, and assuming a fixed number is safe for every system. These problems matter because attackers rarely need to brute-force every possible password when human habits give them a shortcut. Credential stuffing, phishing, leaked password lists, and account-recovery abuse are often more realistic than a pure mathematical search. That is why the best advice combines password quality with account-level controls such as MFA, passkeys, recovery-code storage, and regular review of recovery email or phone settings.
Use this checklist when applying the recommendation:
- Use more length when symbols are not allowed.
- Check destination maximum length before saving.
- Avoid shortening passwords for convenience.
- Use passphrases when memorization matters.
If a website rejects the ideal setting, do not force the password into a weaker pattern by hand. Adjust one variable at a time. If symbols are rejected, keep uppercase, lowercase, and numbers enabled and increase length. If a maximum length is low, use the largest accepted length and make sure the value is unique. If a password must be read aloud, printed, or typed on a television or router screen, consider excluding confusing characters and increasing the length to compensate for the smaller alphabet.
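The trade-off between alphabet size and length can be worked out directly. The following is an added example, not PwdGen's code: it generates a uniformly random password with Web Crypto and computes how much length a reduced alphabet needs to match a reference preset. The symbol set, the "confusing character" set, and all function names are assumptions made for illustration.

```javascript
// Added example (not PwdGen's code). Alphabets and names are assumptions.
// Web Crypto: global in browsers and recent Node; the fallback covers older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const UPPER = LOWER.toUpperCase();
const DIGITS = '0123456789';
const SYMBOLS = '!@#$%^&*()-_=+[]{};:,.?'; // constructed symbol set (23 chars)
const AMBIGUOUS = new Set('0O1lI');         // constructed "confusing" set

const FULL = LOWER + UPPER + DIGITS + SYMBOLS;                              // 85
const NO_SYMBOLS = LOWER + UPPER + DIGITS;                                  // 62
const READ_ALOUD = [...NO_SYMBOLS].filter(c => !AMBIGUOUS.has(c)).join(''); // 57

// Entropy in bits of a password drawn uniformly at random from the alphabet.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Shortest length over a smaller alphabet that is at least as strong as
// refLength characters over the reference alphabet.
function compensatedLength(refLength, refAlphabetSize, newAlphabetSize) {
  const target = entropyBits(refLength, refAlphabetSize);
  // The small epsilon keeps floating-point noise from rounding an exact match up.
  return Math.ceil(target / Math.log2(newAlphabetSize) - 1e-9);
}

// Rejection sampling: bytes at or above the largest multiple of the alphabet
// size are discarded, so "byte % size" does not favour early characters.
function generatePassword(length, alphabet) {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError('alphabet must have 2..256 characters');
  const limit = 256 - (256 % n);
  const out = [];
  const buf = new Uint8Array(length * 2);
  while (out.length < length) {
    wc.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(alphabet[b % n]);
    }
  }
  return out.join('');
}
```

With these constructed alphabets, a 16-character preset over 85 characters needs 18 characters once symbols are dropped, and a 32-character preset needs 36 characters in the read-aloud alphabet.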
Finally, remember the boundary of password advice. A strong password is one layer of defense, not a guarantee. It cannot make a phishing page safe, fix malware, or compensate for a service that stores credentials poorly. The useful habit is boring but durable: generate a unique value, store it safely, protect the recovery path, and replace it quickly if you suspect exposure.
Frequently asked questions
Is 12 characters enough?
A random 12-character password can be useful for compatibility, but 16 or more is a better default when the service accepts it.
When should I use 20 or 32 characters?
Use 20 or more for important accounts and 32 for admin, encrypted-file, or developer-secret workflows stored in a password manager.
Can a password be too long?
Some services impose maximum lengths or reject symbols. Use the longest unique random value the destination accepts.