Security guide

Password length guide: 10, 15, 16, or 20 characters?

Understand why this tool rates 10 characters as medium and when to choose 15, 16, or 20 or more.

Direct answer

Ten random characters may be accepted by many services, but this tool labels that length medium rather than strong. For single-factor accounts, choose at least 15 or 16 characters. Use 20 or more when compatibility allows and the credential protects especially important access.

Practical length bands

• 6–9 characters: weak and normally unsuitable for an account password.
• 10–14 characters: medium; retained here as the compatibility default, not the recommended destination.
• 15–19 characters: strong when generated randomly and used only once.
• 20–64 characters: potentially very strong with a broad random character pool.

Why exact crack-time promises are misleading

Cracking speed depends on the attacker’s hardware, the service’s password hashing, whether the attack is online or offline, rate limits, the character model, and whether the password is truly random. A single universal “time to crack” number creates false confidence.

Random and human-created passwords differ

A random 16-character value is selected from a large pool without human patterns. A human-created 16-character string may contain names, dates, keyboard paths, or reused phrases that attackers prioritize. Length still helps, but predictable structure reduces effective strength.

Service compatibility

Some services impose maximum lengths or reject particular symbols. Keep the longest unique random value the service accepts, and never weaken unrelated accounts to match the limitations of one site.