For an ordinary randomly generated account password, use 20 characters when the website permits it. That is comfortably beyond the current 15-character single-factor minimum in NIST guidance and remains easy for password managers to handle.
Quick answer: 20 random characters for most accounts; six or more random words for a master passphrase; 20–24 random characters for Wi-Fi; the longest available length for a PIN.
Why length matters
When characters are selected independently, each additional position multiplies the number of possible results. Length is therefore a reliable way to add resistance without depending on a human-created pattern.
Online account passwords
Choose 15 characters at an absolute minimum when the password is the only factor, and prefer 20 random characters as a broadly compatible default. If the website has a shorter maximum, use the full permitted length and enable MFA.
Password manager master credentials
A master credential must be both strong and something you can recover or type. A passphrase of six or more random words is often more usable than a dense random string. Follow the manager’s recommendations and secure recovery materials offline.
Wi-Fi passwords
A 20–24 character random WPA2/WPA3 password balances security with the inconvenience of entering it on televisions, printers, and consoles. Built-in device sharing can reduce manual entry.
PINs
A PIN has only ten possible characters per position. Use the longest length the device accepts, avoid dates and patterns, and rely on systems that limit failed attempts. A PIN should not replace a full online account password.
When extra length stops helping
Once a credential is randomly generated with ample margin, phishing, malware, account recovery, password reuse, and insecure server storage are usually more realistic risks than brute force. Add MFA or a passkey rather than focusing only on another ten characters.