
Password for GitHub

GitHub enforces one of two minimums: at least 15 characters of any kind, or at least 8 characters including a number and a lowercase letter. Symbols are accepted but optional. The practical recommendation in 2026 is to ignore the lower threshold and use a 16-character random string from all four character classes — roughly 105 bits of entropy and out of reach of any offline brute force. Generate one below — it is created inside your browser using the Web Crypto API and never sent to a server. Two-factor authentication has been mandatory for active contributors since early 2024, so the moment you change the password GitHub will require you to enrol a TOTP app, security key or passkey if you have not already. Treat your GitHub credential as protection for the supply chain you depend on.

Generator
Time to crack is estimated at 10 billion guesses / second.
Generated with crypto.getRandomValues() — never leaves your tab.

GitHub password rules

Min length: 8 chars
Recommended: 16+ chars
Security note

Work accounts often have access to company data. A breach here can affect your whole organisation — treat this password like an admin credential.

The maths, specific to GitHub

GitHub crossed 100 million developers in 2023 and hosts the source for an enormous share of the world's open-source software, plus most of the npm registry's publish pipeline. A compromised GitHub credential is therefore a supply-chain attack vector, not merely an account-takeover risk. The maths is sobering for the weaker of GitHub's two allowed minimums: an 8-character password with a number and a lowercase letter offers around 41 bits of entropy, exhausted by a modern GPU in under a day. The 15-character all-lowercase fallback offers around 70 bits, still short of NIST's 80-bit recommendation. The 16-character full-class recommendation above reaches roughly 105 bits — safe by any current standard.
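The arithmetic above and the generation step can be reproduced with the Web Crypto API. This is an added example, not the page's own generator code; every function and constant name in it is an assumption made for illustration, and the symbol set is assumed to be the 32 printable ASCII symbols.

```javascript
// Constructed example; all names here are illustrative assumptions.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto; // Node fallback

const CLASSES = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digit: "0123456789",
  symbol: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", // 32 printable ASCII symbols
};
const ALPHABET = Object.values(CLASSES).join(""); // 94 characters

// Uniform integer in [0, n) for n <= 256, via rejection sampling: a plain
// `byte % n` would favour low values because 256 is not a multiple of 94.
function randomBelow(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// The two minimums described on this page: >= 15 characters of any kind,
// or >= 8 characters including a number and a lowercase letter.
function meetsGitHubMinimum(pw) {
  return pw.length >= 15 ||
    (pw.length >= 8 && /[0-9]/.test(pw) && /[a-z]/.test(pw));
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Draw from the full alphabet and retry until every class is present,
// which keeps each accepted password equally likely.
function generatePassword(length = 16) {
  if (length < 4) throw new RangeError("need at least 4 characters");
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += ALPHABET[randomBelow(ALPHABET.length)];
    const hasAll = Object.values(CLASSES).every(
      (set) => [...pw].some((ch) => set.includes(ch)));
    if (hasAll) return pw;
  }
}

// Seconds to try every candidate at the page's 10 billion guesses / second.
function secondsToExhaust(bits, rate = 1e10) { return 2 ** bits / rate; }
```

Requiring all four classes discards roughly one candidate in six at length 16, which costs well under one bit of the roughly 105.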

Why GitHub accounts are targeted

GitHub accounts are a supply-chain target. An attacker who controls a maintainer's account can push malicious code, publish a compromised npm package or alter CI secrets that propagate to thousands of downstream projects — the 2022 Heroku token incident and the 2024 XZ-Utils backdoor both touched this surface. The dominant attack is credential stuffing from unrelated breaches, with phishing of authentication tokens a fast-growing second vector — "please re-authenticate your GitHub" emails that capture short-lived OAuth codes. A unique random password defeats stuffing; GitHub's now-mandatory two-factor authentication closes most phishing. Treat your GitHub credential as the gate to every piece of code you ship.

Source for GitHub's password rules: GitHub's official help page.

Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.

Last reviewed: . Reviewed quarterly; primary sources re-checked each review.