8 characters password generator
Legacy minimum
The 8-character password is the historical minimum across most systems — and now widely considered the floor, not a target. It satisfies the legacy Cyber Essentials path only when paired with a common-breach blocklist. Use 8-character passwords only when a system genuinely refuses anything longer.
10 characters password generator
Common form-default
A 10-character password sits awkwardly between "obvious legacy" and "modern compliant" — many websites still default to a 10-character minimum, but it doesn't meet the UK Cyber Essentials v3.3 12-character rule. Useful for older systems and consumer-grade accounts where you can't go higher.
12 characters password generator
Cyber Essentials minimum (with MFA)
The current UK Cyber Essentials v3.3 minimum for user accounts where MFA is enforced. A 12-character password drawn from upper, lower, numbers, and symbols offers ~78 bits of entropy — strong enough that brute-force is computationally infeasible without compromising the system itself.
14 characters password generator
Cyber Essentials minimum (without MFA)
The Cyber Essentials minimum where multi-factor authentication is not technically possible. Also a sensible default for any account you store in a password manager — adding two more characters costs nothing in usability and gives you a buffer if requirements tighten.
15 characters password generator
NIST recommended baseline
The 15-character mark crosses an old technical threshold related to legacy Windows LM hashing — passwords longer than 14 characters are not stored in the weaker hash format. Modern Windows doesn't use LM hashes anyway, but 15 remains a common policy choice for that historical reason.
16 characters password generator
Modern strong default
A practical default for accounts that matter — bank logins, email, work systems. 16 characters from a full character set produces around 105 bits of entropy, comfortably beyond what current or near-future computing can brute-force. Easy to copy, paste, and store in any password manager.
20 characters password generator
High-security accounts
For accounts where compromise would be high-impact: domain administrator, Cloudflare API tokens, AWS root credentials, password manager master passwords. 20 random characters is overkill for everyday accounts but the right call for the keys to your kingdom.
24 characters password generator
Encryption keys
A common length for non-interactive secrets: encryption keys, API tokens, signing secrets. Long enough that brute-force is meaningless, short enough that it still fits comfortably in environment variables and CI/CD secret stores.
32 characters password generator
Service accounts and secrets
The standard for service account credentials and high-entropy secrets. At 32 random characters you have ~210 bits of entropy — well above any practical attack threshold, including against quantum-era algorithms for symmetric secrets.
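The entropy figures quoted above (about 78 bits at 12 characters, 105 at 16, 210 at 32) follow from length × log2(alphabet size). The added example below is not code from this page or its generator. It assumes the "full character set" is the 94 printable ASCII characters, draws passwords from the OS CSPRNG, and also computes how much entropy a "must contain every character class" rule removes.

```python
import math
import secrets
import string

# Assumption: "full character set" means the 94 printable ASCII characters
# (26 upper + 26 lower + 10 digits + 32 symbols); the page does not list them.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def generate(length: int, require_all_classes: bool = False) -> str:
    """Draw each character uniformly from ALPHABET using the OS CSPRNG.

    With require_all_classes, whole candidates are redrawn until every class
    appears (rejection sampling), so accepted passwords stay uniform over the
    allowed set instead of having fixed positions forced to a class.
    """
    if require_all_classes and length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or all(
                any(ch in cls for ch in pw) for cls in CLASSES):
            return pw


def entropy_bits(length: int, require_all_classes: bool = False) -> float:
    """Entropy of generate(): log2 of the number of equally likely outputs."""
    total = len(ALPHABET) ** length
    if not require_all_classes:
        return math.log2(total)
    # Inclusion-exclusion: subtract strings that miss at least one class.
    sizes = [len(c) for c in CLASSES]
    allowed = 0
    for mask in range(1 << len(sizes)):
        missing = sum(s for i, s in enumerate(sizes) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        allowed += sign * (len(ALPHABET) - missing) ** length
    return math.log2(allowed)


if __name__ == "__main__":
    for n in (8, 10, 12, 14, 15, 16, 20, 24, 32):
        print(f"{n:>2} chars  {entropy_bits(n):6.1f} bits  "
              f"{entropy_bits(n, True):6.1f} bits with all classes  "
              f"{generate(n, True)}")
```

These figures hold only for passwords drawn uniformly at random; a human-chosen password of the same length has far less entropy.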
Whatever the length, store it in a password manager
A 32-character password is useless if it's in a Notes app.
Quick reference: which length when?
- 8 chars: legacy systems only — not Cyber Essentials compliant on its own.
- 10 chars: consumer accounts that won't accept longer.
- 12 chars: UK Cyber Essentials minimum (with MFA).
- 14 chars: Cyber Essentials minimum (without MFA), or comfortable everyday default.
- 15 chars: historical NIST baseline, still used by some policy templates.
- 16 chars: sensible default for accounts you actually care about.
- 20 chars: admin / privileged accounts.
- 24 chars: API tokens, signing keys.
- 32 chars: service accounts, encryption keys, vault master passwords.