Security

Letters-Only Password Generator

Generate random passwords using only letters (A-Z, a-z). No digits, no symbols. For systems requiring alphabetic-only input. Free, browser-based, no signup.

About this letters-only password generator

Certain systems restrict passwords to letters only — no digits, no symbols. This is common in older mainframe environments, some educational platforms, and systems where the password must be spoken aloud (phone support verification codes, for example). With 52 possible characters (26 uppercase + 26 lowercase), each character contributes ~5.7 bits of entropy. A 16-character letters-only password provides ~91 bits of entropy — strong enough for most purposes. For maximum security within this constraint, always use both uppercase and lowercase letters and generate randomly rather than choosing words. This generator defaults to 16 characters with both cases enabled and all other character types disabled.

The entropy mathematics of letters-only passwords

Letters-only passwords draw from a character set of 52 characters when both cases are available (26 uppercase A-Z plus 26 lowercase a-z). Each character contributes log₂(52) ≈ 5.7 bits of entropy. Compare this to the full printable ASCII set of 95 characters, which provides ~6.57 bits per character. The difference is about 0.87 bits per character — roughly 14 bits over a 16-character password. To compensate for this reduction, simply add two or three characters to your target length. A 16-character letters-only password provides ~91 bits, while an 18-character letters-only password provides ~103 bits — comparable to a 16-character password with full complexity. If only one case is permitted (uppercase or lowercase only), the set shrinks to 26 characters and entropy per character drops to ~4.7 bits. A 20-character single-case password provides ~94 bits — adequate, but requiring four or five extra characters compared to a mixed-case password of equivalent strength.

Where letters-only passwords are required

The constraint to letters-only input arises in specific technical and practical contexts. Phone verification systems that require spoken-aloud codes eliminate digits and symbols because they can be misheard — "I" versus "1", "O" versus "0", and special characters have no standard verbal form. Legacy mainframe and midrange systems (particularly IBM AS/400 and some COBOL-based applications) were designed with character set limitations reflecting their era. Some voice-activated systems require alphabetic-only input because speech recognition handles letters more reliably than numbers or symbols in constrained vocabularies. Educational platforms for young children sometimes limit to letters because children learn the alphabet before learning to type digits and find symbols difficult to locate. International business systems may restrict to Latin letters to avoid encoding issues with special characters across different regional keyboard layouts and operating system configurations.

Verbal communication of passwords

One of the primary reasons to choose a letters-only password is when the credential must be communicated verbally — over the phone, in a meeting, or dictated for someone else to type. Numbers can be confused with letters (zero with "oh", one with "el"), and symbols are entirely ambiguous without agreed-upon terminology. Letters, particularly with case specified, communicate more reliably. The standard approach for verbal password communication is to specify the case before each letter: "capital K, lowercase v, capital R..." This is slow but unambiguous. For faster verbal communication, the NATO phonetic alphabet (Alpha, Bravo, Charlie...) eliminates ambiguity entirely: "Kilo-victor-romeo-papa..." reduces transcription errors significantly. If you regularly need to communicate passwords verbally — for helpdesk support, onboarding, or guest access — a letters-only password is a practical choice that avoids symbol ambiguity at the cost of slightly lower entropy per character.

Letters-only passwords in legacy enterprise systems

Many enterprise systems retain character restrictions that originated in technical constraints from the 1970s–1990s. IBM mainframes running z/OS use an EBCDIC character encoding that has a different code page than ASCII, and special characters may map to different or undefined values across EBCDIC variants. AS/400 systems (now IBM i) have similar historical constraints. Early relational databases stored passwords in fixed-length character fields that were designed for standard alphanumeric input. Kerberos authentication in some configurations had issues with non-ASCII characters in passwords, leading to letters-only policies for cross-system compatibility. SAP enterprise software has historically had inconsistent support for special characters across different module versions and database backends. When integrating with any legacy system and encountering a letters-only restriction, the appropriate response is to maximize length — a 20-character letters-only password is more than adequate for enterprise use cases where the principal threat is credential stuffing and phishing rather than brute force.

Maximizing security within the letters-only constraint

Given that you cannot use the full character set, several strategies maximize security within the letters-only constraint. First, use both uppercase and lowercase — never use a single case unless the system forces it, as the entropy difference is significant. Second, maximize length: aim for 18-20 characters at minimum, and use 24+ characters if the system allows it and the credential is stored in a password manager. Third, ensure true randomness — the biggest risk with letters-only passwords is that users choose word patterns, names, or meaningful phrases, all of which have dramatically lower effective entropy than random character sequences. A random 16-character letters-only password like "KvRpMnXtLwBsQfJd" is exponentially stronger than the word-based "CorrectHorseBattery" despite being the same length, because dictionary attacks can find word patterns in seconds. Fourth, if the system enforces single case only, prioritize length even more aggressively — a 24-character single-case password provides ~113 bits of entropy, equivalent to a 20-character mixed-case password.

FAQ

Common questions

How long should a letters-only password be?

At least 16 characters to reach ~91 bits of entropy. If only one case is allowed (e.g., uppercase only), increase to 20+ characters to compensate for the reduced character set (26 vs 52 characters).

Is a letters-only password weaker than a mixed one?

Per character, yes — 5.7 bits vs 6.57 bits. But a 16-character letters-only password (~91 bits) is still stronger than a 12-character mixed password (~79 bits). Length compensates for character set limitations.

Why would a system restrict to letters only?

Phone verification codes meant to be spoken aloud, legacy mainframe systems, some educational platforms, and systems where special characters cause encoding issues in the underlying database.

Should I use uppercase and lowercase?

Always, if the system allows it. Using both cases doubles the character set from 26 to 52, adding ~1 bit of entropy per character. That is a significant improvement over the same length with one case.

Can a letters-only password resist dictionary attacks?

Only if it is randomly generated — never derived from words. A random string like "KvRpMnXtLwBsQfJd" contains no words and defeats dictionary attacks entirely. Any word, name, or phrase — even in unusual casing — is vulnerable to dictionary-based attacks.

What is the entropy of a 20-character letters-only password?

With 52 characters (26 uppercase + 26 lowercase), each character provides ~5.7 bits. A 20-character password provides ~114 bits of entropy — well above the 80-bit threshold considered strong for most use cases and comparable to a 17-character full-complexity password.

Are letters-only passwords suitable for a password manager master password?

Yes, if long enough (18-20+ characters). A 20-character random alphabetic password (~114 bits) is strong enough. The lack of symbols and numbers is a minor trade-off for easier typing, which matters for a password typed frequently on varying keyboards.

What is the uppercase-only character set entropy per character?

Uppercase only (26 characters) provides log₂(26) ≈ 4.7 bits per character. A 20-character uppercase-only password provides ~94 bits — adequate but noticeably weaker than mixed-case. Always use both cases unless the system forces uppercase only.