Password for Gmail
Gmail accepts a minimum of 8 characters and supports the full printable ASCII range — uppercase, lowercase, numbers and symbols — but 8 is far too weak for an account that is the recovery address for almost everything else you use. The practical recommendation in 2026 is a 16-character random string drawing from all four character classes, giving roughly 105 bits of entropy and making any offline brute-force attack take longer than the universe has existed. Generate one below — it is created inside your browser using the Web Crypto API and never sent to a server. Pair the new password with Google's two-step verification (an authenticator app, a passkey or a hardware security key, not SMS) and you have closed the two main account-takeover vectors at once: credential stuffing from breached sites, and SIM-swap attacks against phone-based factors.
Gmail password rules
A strong, unique password combined with two-factor authentication is your best protection against account takeovers.
Google reports over 1.8 billion active Gmail accounts, and Gmail is the recovery channel for an enormous share of the wider internet — change a password on most major sites and the reset email goes here. The maths underlines why this matters. A standard 8-character mixed-case alphanumeric Gmail password — Google's enforced minimum — gives around 47 bits of entropy, which a modern GPU cluster can exhaust in days when offline against a leaked hash. Raise the length to 16 characters with symbols and you reach roughly 105 bits — comfortably above the NIST SP 800-63B recommendation of 80 bits for high-value accounts, and out of reach of any current or near-future commodity attack.
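The generation step and the entropy figures described above can be reproduced with the sketch below. It is an added example, not this page's own generator code; the names `CLASSES`, `randomIndex`, `generatePassword` and `entropyBits` are illustrative, and the four-class alphabet is assumed to be the 94 printable ASCII characters excluding space.

```javascript
// Web Crypto in the browser; falls back to Node's implementation when run under Node.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// The four character classes (assumed alphabet: printable ASCII without space).
const CLASSES = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digit: "0123456789",
  symbol: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
const ALPHABET = Object.values(CLASSES).join("");

// Uniform index in [0, n) for n <= 256. Bytes at or above the largest
// multiple of n are discarded; a plain `byte % n` would favour low indices.
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 16) {
  if (!Number.isInteger(length) || length < 4) {
    throw new RangeError("length must be an integer >= 4");
  }
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += ALPHABET[randomIndex(ALPHABET.length)];
    // Redraw the whole candidate instead of patching characters in, so every
    // password containing all four classes stays equally likely.
    const ok = Object.values(CLASSES).every(
      (cls) => [...pw].some((ch) => cls.includes(ch)));
    if (ok) return pw;
  }
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

console.log(generatePassword(), entropyBits(16, ALPHABET.length).toFixed(1), "bits");
```

Requiring all four classes discards a minority of candidates, which lowers the entropy by a fraction of a bit below the `entropyBits(16, 94)` figure.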
Why Gmail accounts are targeted
Gmail is the prize at the top of almost every attacker's wish list because owning the inbox usually means owning every other account that uses it for password resets. The dominant attack is credential stuffing — attackers replay credentials harvested from unrelated breaches like LinkedIn 2012 or Collection #1, which Google itself acknowledges affect roughly 1.5% of all sign-ins. Targeted phishing is the second vector: convincing fake login screens, sometimes paired with reverse-proxy tools that bypass SMS two-factor. A unique random password generated locally defeats credential stuffing entirely, and pairing it with a passkey or hardware security key closes the phishing route too.
Source for Gmail's password rules: Gmail's official help page.
Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.
Last reviewed: . Reviewed quarterly; primary sources re-checked each review.