Password for PayPal

PayPal enforces a strict 8-to-20-character window and requires a mix of uppercase, lowercase and at least one number; symbols are accepted but optional. The practical recommendation in 2026 is to use the full 20-character allowance with all four character classes, which gives roughly 131 bits of entropy and puts the password out of reach of any current brute-force attack. Generate one below: it is created inside your browser using the Web Crypto API and is never sent to a server. PayPal supports two-factor authentication via authenticator apps and security keys; enable it in the same session in which you change the password, because PayPal accounts are a top-tier target for credential-stuffing bots that run 24 hours a day against leaked credential dumps from unrelated sites. Treat your PayPal credential at the same level as your bank password: the financial consequences of a takeover are equivalent.

Generator
Generated with crypto.getRandomValues() — never leaves your tab.

PayPal password rules

Min length: 8 chars
Max length: 20 chars
Recommended: 16+ chars
Security note

Financial accounts are high-value targets. Use a unique password here and enable every available security layer (2FA, login alerts, etc.).

The maths, specific to PayPal

PayPal reported around 430 million active accounts in its 2024 annual report, and unlike most consumer services, a compromised PayPal balance can be transferred to attacker-controlled accounts in minutes — meaning recovery is often a race against irreversible transfers. The maths is brutal at the lower bound. An 8-character mixed-case alphanumeric password — PayPal's stated minimum — gives around 47 bits of entropy, which a modern GPU cluster running Hashcat can exhaust in days against a leaked hash. Push to the 20-character ceiling PayPal allows, with symbols included, and you reach roughly 131 bits — twenty orders of magnitude harder to attack, and outside the realistic budget of any commodity attacker.
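
An added example, not this page's generator code: one way to produce a password that meets the rules above with crypto.getRandomValues(), plus a helper that reproduces the entropy figures quoted in this section. The symbol set (all printable ASCII punctuation) and every function name here are assumptions, not taken from PayPal or from this page.

```javascript
// Added example; the names and the symbol set are assumptions, not PayPal's.
// Web Crypto is global in browsers and current Node.js; fall back for older Node.
const webCrypto = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const MIN_LEN = 8;   // PayPal minimum quoted on this page
const MAX_LEN = 20;  // PayPal maximum quoted on this page

// Assumption: every printable ASCII character except space is accepted
// (codes 33..126 = 26 upper + 26 lower + 10 digits + 32 symbols = 94).
const ALPHABET = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join("");

// Uniform index in [0, n) by rejection sampling; a plain `byte % n` is biased
// toward low values whenever 256 is not a multiple of n.
function randomIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// True when upper, lower, digit and symbol are all present.
function hasAllClasses(pw) {
  return /[A-Z]/.test(pw) && /[a-z]/.test(pw) && /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

function generatePassword(length = MAX_LEN) {
  if (!Number.isInteger(length) || length < MIN_LEN || length > MAX_LEN) {
    throw new RangeError(`length must be an integer from ${MIN_LEN} to ${MAX_LEN}`);
  }
  // Redraw the whole candidate until all four classes appear. This keeps the
  // result uniform over compliant passwords, unlike forcing fixed positions.
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += ALPHABET[randomIndex(ALPHABET.length)];
    if (hasAllClasses(pw)) return pw;
  }
}

// Upper bound on entropy in bits: length * log2(alphabet size).
// The class requirement trims a fraction of a bit from this at 20 characters.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

entropyBits(8, 62) gives about 47.6 and entropyBits(20, 94) about 131.1, matching the two figures in the paragraph above.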

Why PayPal accounts are targeted

PayPal is targeted relentlessly because it is one of very few consumer accounts that translates directly into liquid cash — attackers do not have to fence stolen items or wait for a buyer. The dominant attack is credential stuffing using passwords from unrelated breaches (LinkedIn 2012, Adobe 2013, Dropbox 2012 and successors). The secondary route is phishing email and SMS pretending to be PayPal security alerts, often paired with reverse-proxy kits that capture both password and SMS one-time codes. A unique random password defeats stuffing entirely; pairing it with an authenticator app or security key (not SMS) defeats most modern phishing as well.

Source for PayPal's password rules: PayPal's official help page.

Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.

Last reviewed: . Reviewed quarterly; primary sources re-checked each review.