Password for GitHub
GitHub enforces one of two minimums: at least 15 characters of any kind, or at least 8 characters including a number and a lowercase letter. Symbols are accepted but optional. The practical recommendation in 2026 is to ignore the lower threshold and use a 16-character random string from all four character classes — roughly 105 bits of entropy and out of reach of any offline brute force. Generate one below — it is created inside your browser using the Web Crypto API and never sent to a server. Two-factor authentication has been mandatory for active contributors since early 2024, so the moment you change the password GitHub will require you to enrol a TOTP app, security key or passkey if you have not already. Treat your GitHub credential as protection for the supply chain you depend on.
GitHub password rules
Work accounts often have access to company data. A breach here can affect your whole organisation — treat this password like an admin credential.
GitHub crossed 100 million developers in 2023 and hosts the source for an enormous share of the world's open-source software, plus most of the npm registry's publish pipeline. A compromised GitHub credential is therefore a supply-chain attack vector, not merely an account-takeover risk. The maths is sobering for the weaker of GitHub's two allowed minimums: an 8-character password with a number and a lowercase letter offers around 41 bits of entropy, exhausted by a modern GPU in under a day. The 15-character all-lowercase fallback offers around 70 bits, still short of NIST's 80-bit recommendation. The 16-character full-class recommendation above reaches roughly 105 bits — safe by any current standard.
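As an added example (not this site's generator code and not GitHub's), the JavaScript below draws a 16-character password with the Web Crypto API, checks a string against the two minimums quoted above, and reproduces the entropy arithmetic. The function names and the 94-character printable-ASCII alphabet are assumptions made for this example.

```javascript
// Added example: assumes a browser or Node.js runtime that exposes Web Crypto.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  symbol: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};
const ALPHABET = Object.values(CLASSES).join(''); // 94 printable ASCII characters (assumed set)

// Uniform integer in [0, n) by rejection sampling; a bare `% n` would favour low indexes.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n that fits in 32 bits
  const buf = new Uint32Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Names of the character classes that appear in a string.
function classesUsed(pw) {
  return Object.keys(CLASSES).filter((k) => [...pw].some((c) => CLASSES[k].includes(c)));
}

// Random password containing all four classes. Whole strings that miss a class are
// redrawn: fewer than one in five draws at length 16, costing under half a bit.
function generatePassword(length = 16) {
  if (length < 4) throw new RangeError('length must be at least 4');
  for (;;) {
    let pw = '';
    for (let i = 0; i < length; i++) pw += ALPHABET[randomIndex(ALPHABET.length)];
    if (classesUsed(pw).length === 4) return pw;
  }
}

// The two minimums as this page states them: 15+ of anything, or 8+ with a digit and a lowercase letter.
function meetsGitHubMinimum(pw) {
  return pw.length >= 15 || (pw.length >= 8 && /[0-9]/.test(pw) && /[a-z]/.test(pw));
}

// Entropy in bits of `length` independent uniform draws from `alphabetSize` symbols.
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}
```

The entropy figure only holds for uniformly random strings; `entropyBits` says nothing about a password a person chose.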
Why GitHub accounts are targeted
GitHub accounts are a supply-chain target. An attacker who controls a maintainer's account can push malicious code, publish a compromised npm package or alter CI secrets that propagate to thousands of downstream projects — the 2022 Heroku token incident and the 2024 XZ-Utils backdoor both touched this surface. The dominant attack is credential stuffing from unrelated breaches, with phishing of authentication tokens a fast-growing second vector — "please re-authenticate your GitHub" emails that capture short-lived OAuth codes. A unique random password defeats stuffing; GitHub's now-mandatory two-factor authentication closes most phishing. Treat your GitHub credential as the gate to every piece of code you ship.
Source for GitHub's password rules: GitHub's official help page.
Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.
Last reviewed: . Reviewed quarterly; primary sources re-checked each review.