Security
20 Character Password Generator
Generate strong 20-character passwords instantly. 20 characters with mixed types gives ~131 bits of entropy — effectively uncrackable. Free, browser-based, no signup.
About this 20 character password generator
A 20-character random password with uppercase letters, lowercase letters, numbers, and symbols provides approximately 131 bits of entropy. To put that in perspective: even if every computer on Earth attempted a trillion guesses per second, cracking it would take longer than the current age of the universe. The NIST Digital Identity Guidelines recommend at least 15 characters for general accounts — 20 characters gives you a significant safety margin above that threshold. Twenty characters is also the sweet spot between security and usability: long enough to be essentially uncrackable, short enough to copy-paste or type without excessive effort. This generator defaults to exactly 20 characters with all four character sets enabled, producing the highest-entropy output this length allows.
Understanding 131 bits of entropy
When we say a 20-character password with all character types has approximately 131 bits of entropy, we mean there are 2^131 possible passwords — roughly 2.7 × 10^39 combinations. To appreciate this scale, consider that the estimated number of atoms in the observable universe is about 10^80. If every atom in the solar system were a supercomputer performing a trillion password guesses per second, testing all combinations would still take longer than the current age of the universe. This is not a theoretical exercise — it means that brute-force attacks against a properly generated 20-character random password are not merely difficult but physically impossible with any computing technology that obeys the laws of thermodynamics.
Why 20 characters hits the sweet spot
Password length involves a trade-off between security and usability. Eight characters is demonstrably too short — modern GPUs crack 8-character passwords in hours. Twelve characters is adequate but provides no margin for future advances in computing. Sixteen characters is strong but sometimes truncated by older systems without warning. Twenty characters provides 131 bits of entropy — well above the 128-bit threshold that the cryptography community considers secure for the foreseeable future, including against quantum computing attacks using Grover algorithm (which would halve the effective entropy to approximately 65 bits, still requiring centuries to brute-force). At the same time, 20 characters is short enough to copy-paste without difficulty and fits comfortably in any password field.
NIST guidelines and password length recommendations
The National Institute of Standards and Technology (NIST) publishes the most widely referenced password guidelines through Special Publication 800-63B. The current revision recommends that systems accept passwords of at least 64 characters and require a minimum of 8 characters. However, NIST explicitly notes that longer passwords are exponentially more secure and that users should be encouraged to use passwords well above the minimum. The European Union Agency for Cybersecurity (ENISA) recommends at least 14 characters for personal accounts. Microsoft recommends at least 12 characters for consumer accounts and 14 or more for organizational accounts. A 20-character random password exceeds every major guideline by a significant margin, future-proofing your security against evolving recommendations.
When to use more than 20 characters
Twenty characters is sufficient for virtually every personal and business account, but there are specific use cases where longer passwords provide meaningful additional value. Encryption key passphrases (full-disk encryption, file encryption) benefit from 32 or more characters because they protect data at rest that may be attacked offline for years. API keys and service account passwords should use 32-64 characters because they are never typed manually and the additional length costs nothing in usability. Database connection passwords should be at least 32 characters because a database breach exposes every record in the system. Root and administrator accounts for infrastructure should use the maximum length the system accepts. For everything else — email, social media, banking, shopping, streaming — 20 characters with all types is more than sufficient.
Password length vs complexity: what matters more
A common misconception is that adding symbols makes a short password strong. In reality, length contributes far more to password security than character set complexity. A 20-character password using only lowercase letters (a-z) has approximately 94 bits of entropy — stronger than a 12-character password using every character type (~79 bits). Each additional character multiplies the total combinations by the size of the character set, while adding a new character type only increases the per-character entropy by a fraction. The ideal approach is to maximize both: use all character types AND maximize length. But if forced to choose, a longer alphanumeric password beats a shorter complex one every time. This is why NIST now emphasizes password length over complexity requirements in their latest guidelines.
Related presets
FAQ
Common questions
How secure is a 20-character password?
A 20-character password using all character types has approximately 131 bits of entropy. At 10 billion guesses per second (a high-end GPU attack), cracking it would take around 10²⁰ years — effectively impossible with any foreseeable technology.
Is 20 characters enough for all accounts?
Yes — 20 characters exceeds the NIST recommendation of 15 characters and is sufficient for any current use case including banking, email, and cloud storage. For extremely sensitive accounts, you can go up to 32 or 64 characters.
Do all websites accept 20-character passwords?
Most modern websites accept passwords up to 64 characters (NIST recommendation for maximum length). Some older systems have lower limits — typically 32 or 20 characters. If a site rejects your password, try reducing to 16 characters first.
What is the entropy of a 20-character password?
With 95 printable ASCII characters available (uppercase, lowercase, digits, symbols), each character contributes log₂(95) ≈ 6.57 bits of entropy. 20 characters × 6.57 = ~131 bits total.
Should I use 20 characters or a passphrase?
A 20-character random password is stronger per character but impossible to memorize. Use it for any password stored in a manager. Use a passphrase only for the few passwords you must type manually — like your password manager master password.
Is a 20-character password safe from quantum computers?
Yes. Grover's algorithm — the best known quantum attack against symmetric key search — halves the effective bit strength. A 131-bit password would still have ~65 bits of effective quantum security, which remains computationally infeasible to brute-force.
How does 20 characters compare to AES-128 encryption?
AES-128 uses a 128-bit key. A 20-character password with all types provides ~131 bits of entropy — slightly stronger than AES-128. Both are considered secure for the foreseeable future by the global cryptography community.
Can I use a 20-character password for my password manager master password?
You can, but since you need to type it from memory, a 5-6 word passphrase may be more practical. If you can reliably memorize a 20-character random string, it provides excellent security for a master password.
More in Security