Password for Facebook
Facebook enforces a minimum of 6 characters and accepts uppercase, lowercase, numbers and a wide range of symbols, but that minimum is far too weak for an account that often holds two-factor codes, a payment method, Messenger history and the linked sign-in for dozens of third-party apps. The practical recommendation in 2026 is a 16-character random string drawing from all four character classes, giving roughly 105 bits of entropy and putting any offline brute-force attack out of reach. Generate one below — it is created inside your browser using the Web Crypto API and is never sent to a server. Pair the new password with Facebook's two-factor authentication using an authenticator app or hardware security key, not SMS, because SMS factors are exposed to SIM-swap attacks that specifically target high-value Meta accounts. Treat your Facebook credential as the master key for everything you sign into with it.
Facebook password rules
Social accounts are used for phishing and identity theft. A unique password and 2FA prevent account takeovers.
Meta reports over three billion monthly active users across Facebook, and a Facebook account is frequently the linked sign-in for hundreds of unrelated services that use the platform's OAuth identity. The maths is unforgiving at Facebook's enforced minimum. A 6-character all-lowercase password gives around 28 bits of entropy, which a single modern GPU exhausts in less than a second. Even at 8 characters with mixed case and numbers you reach only 47 bits — exhausted by a small cluster within days against a leaked hash. Push to 16 characters with all four classes and you reach roughly 105 bits, comfortably above the NIST SP 800-63B threshold of 80 bits recommended for high-value accounts.
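The generation step and the entropy arithmetic described above, as an added JavaScript example that is not this site's own generator code. It assumes "all four character classes" means the 94 printable ASCII characters; the function and constant names are illustrative.

```javascript
// Added example. Assumption: the alphabet is the 94 printable ASCII characters.
// Web Crypto is a global in browsers and recent Node; older Node needs the fallback.
const cryptoApi = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  symbol: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};
const ALPHABET = Object.values(CLASSES).join('');

// Uniform integer in [0, n) by rejection sampling. A plain `byte % n` would
// favour low indices because 256 is not a multiple of 94.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be 1..256');
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  for (;;) {
    cryptoApi.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

// True when the string contains at least one character from every class.
function classesPresent(pw) {
  return Object.values(CLASSES).every(set => [...pw].some(ch => set.includes(ch)));
}

// Draw whole candidates until one contains all four classes. Rejecting whole
// candidates keeps the result uniform over every valid string, unlike forcing
// one character per class into fixed slots. At length 16 roughly one candidate
// in six is rejected (mostly for lacking a digit), costing well under one bit.
function generatePassword(length = 16) {
  if (length < 4) throw new RangeError('length must be at least 4');
  for (;;) {
    let pw = '';
    for (let i = 0; i < length; i++) pw += ALPHABET[randomIndex(ALPHABET.length)];
    if (classesPresent(pw)) return pw;
  }
}

// Entropy in bits of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

`entropyBits(6, 26)`, `entropyBits(8, 62)` and `entropyBits(16, 94)` reproduce the three figures quoted in the text.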
Why Facebook accounts are targeted
Facebook accounts are targeted at industrial scale because the identity links so many other services and because Marketplace plus Messenger together create monetisable attack surface. The dominant attack is credential stuffing — usernames and passwords from breaches of unrelated sites replayed against Facebook's sign-in. Account takeover is also a profitable secondary market: verified accounts and pages with followers trade for hundreds of dollars on credential marketplaces. Meta has had multiple data exposures of its own, including the 2021 scrape of phone numbers tied to 533 million accounts. A unique random password defeats credential stuffing, and an authenticator app or hardware key defeats most phishing — never let anyone read your verification code aloud.
Source for Facebook's password rules: Facebook's official help page.
Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.
Last reviewed: . Reviewed quarterly; primary sources re-checked each review.