Password for
Revolut
Revolut requires a minimum of 8 characters and accepts uppercase, lowercase, numbers and symbols, but for an account that holds your money and connects to cards and transfers, an 8-character password is far too weak — short strings fall fast to offline cracking and credential-stuffing once a hash leaks. The practical recommendation in 2026 is a 16-character random string drawing on the full character set, which delivers roughly 104.9 bits of entropy. At that length the number of possible combinations is astronomically large — far longer than the universe has existed to brute-force — making the password effectively uncrackable. Generate one below: it is created inside your browser using the Web Crypto API and is never transmitted to a server or stored anywhere. Pair it with app-based two-factor authentication — an authenticator app rather than SMS — so that a leaked password alone cannot reach your balance.
guesses / second
Revolut password rules
Financial accounts are high-value targets. Use a unique password here and enable every available security layer (2FA, login alerts, etc.).
The gap between Revolut's floor and a strong password is substantial. An 8-character full-keyset password carries about 52.4 bits of entropy, well below the 80-bit level NIST SP 800-63B recommends for high-value accounts. A 16-character random string raises that to roughly 104.9 bits. The gain is exponential, not linear — every additional random character multiplies the number of candidates an attacker must test. A 52.4-bit password is well within reach of GPU-accelerated cracking against a leaked hash, whereas 104.9 bits is computationally unreachable by foreseeable hardware. For an account that holds funds and moves money, clearing the NIST 80-bit threshold is the minimum, and 104.9 bits clears it by a wide margin.
Why Revolut accounts are targeted
Fintech accounts like Revolut are attacked for direct financial gain: a successful login can let an intruder move balances, spend on linked cards, or initiate transfers, turning access straight into cash. The most common account-takeover routes are credential stuffing — replaying passwords exposed in unrelated breaches — and phishing that captures login details directly, often followed by SIM-swap attempts to intercept SMS verification. These attacks target the account holder rather than the platform's systems, which is why a strong personal defence is decisive. A long, unique password held only in your browser, backed by app-based two-factor authentication, removes the cheapest and most common paths to your money.
Common questions about Revolut passwords
More finance password generators
View all →More tools
Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.
Last reviewed: . Reviewed quarterly; primary sources re-checked each review.