Credential field manual · 6 min read

How long should a password be? Longer than the minimum, not longer than useful.

For an ordinary randomly generated account password, use 20 characters when the website permits it. That is comfortably beyond the current 15-character single-factor minimum in NIST guidance and remains easy for password managers to handle.

Quick answer: 20 random characters for most accounts; six or more random words for a master passphrase; 20–24 random characters for Wi-Fi; the longest available length for a PIN.

Why length matters

When characters are selected independently, each additional position multiplies the number of possible results. Length is therefore a reliable way to add resistance without depending on a human-created pattern.

Online account passwords

Choose 15 characters at an absolute minimum when the password is the only factor, and prefer 20 random characters as a broadly compatible default. If the website has a shorter maximum, use the full permitted length and enable MFA.

Password manager master credentials

A master credential must be both strong and something you can recover or type. A passphrase of six or more random words is often more usable than a dense random string. Follow the manager’s recommendations and secure recovery materials offline.

Wi-Fi passwords

A 20–24 character random WPA2/WPA3 password balances security with the inconvenience of entering it on televisions, printers, and consoles. Built-in device sharing can reduce manual entry.

PINs

A PIN has only ten possible characters per position. Use the longest length the device accepts, avoid dates and patterns, and rely on systems that limit failed attempts. A PIN should not replace a full online account password.

When extra length stops helping

Once a credential is randomly generated with ample margin, phishing, malware, account recovery, password reuse, and insecure server storage are usually more realistic risks than brute force. Add MFA or a passkey rather than focusing only on another ten characters.