Password for Kraken

Kraken requires a minimum of 12 characters and accepts uppercase, lowercase, numbers and symbols — a stronger floor than most exchanges set, and to its credit a 12-character random password is genuinely respectable. Even so, for an account that custodies cryptocurrency it is worth going further: the practical recommendation in 2026 is a 20-character random string across the full character set, delivering roughly 131.1 bits of entropy. At that length the number of possible combinations is astronomically large, and exhausting them by brute force would take far longer than the universe has existed, putting the password beyond any realistic cracking effort. Generate one below: it is created inside your browser using the Web Crypto API and is never transmitted to a server or stored anywhere. Pair it with app-based two-factor authentication — an authenticator app or hardware security key rather than SMS — so that a leaked password alone can never unlock your funds.

Generator
Generated with crypto.getRandomValues() — never leaves your tab.

Kraken password rules

Min length: 12 chars
Recommended: 20+ chars
Security note

Crypto account breaches are irreversible — funds cannot be recovered. Use a password you've never used anywhere else, and always enable 2FA.

The maths, specific to Kraken

Kraken's 12-character minimum already produces around 78.7 bits of entropy with the full character set — strikingly close to the 80-bit level NIST SP 800-63B recommends for high-value accounts, and far better than the 8-character floor most exchanges accept. That is worth acknowledging. But 'nearly 80 bits' still sits just under the guideline, and the margin for a funds-holding account should be generous, not borderline. Extending to a 20-character random string lifts entropy to roughly 131.1 bits. Where 78.7 bits is approaching but not beyond the reach of sustained offline cracking against a leaked hash, 131.1 bits is computationally unreachable — clearing the NIST threshold with room to spare rather than scraping past it.
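
The figures above and the in-browser generation step, as an added example (not PassLab's own generator code): it draws each character from the Web Crypto CSPRNG with rejection sampling, so no symbol is favoured by modulo bias, and computes entropy as length × log2(alphabet size). The 94-symbol printable-ASCII alphabet is an assumption, chosen because it reproduces the 78.7-bit and 131.1-bit figures; the function and constant names are illustrative.

```javascript
// Added example, not PassLab's code. Assumption: "full character set" means
// the 94 printable ASCII symbols 0x21-0x7E, which matches the page's figures.
// Browsers and current Node expose globalThis.crypto; older Node uses the fallback.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const ALPHABET = Array.from({ length: 94 }, (_, i) =>
  String.fromCharCode(0x21 + i)).join('');
const MIN_LENGTH = 12; // Kraken's minimum, per the page

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize = ALPHABET.length) {
  return length * Math.log2(alphabetSize);
}

// Draw one index in [0, n) for n <= 256. Bytes at or above `limit` are
// discarded (rejection sampling) so `byte % n` is not skewed to low indices.
function randomIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  for (;;) {
    webCrypto.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generatePassword(length = 20) {
  if (!Number.isInteger(length) || length < MIN_LENGTH) {
    throw new RangeError(`length must be an integer >= ${MIN_LENGTH}`);
  }
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET[randomIndex(ALPHABET.length)];
  }
  return out;
}

console.log(generatePassword(20), entropyBits(20).toFixed(1), 'bits');
```

With 94 symbols, a plain `byte % 94` would make the first 68 symbols more likely than the rest, which is why bytes of 188 and above are thrown away.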

Why Kraken accounts are targeted

Kraken accounts are targeted for the same reason every exchange login is: crypto transfers are irreversible, so funds sent to an attacker's wallet cannot be clawed back. That makes a valid login immediately monetisable and justifies attacker effort. The dominant documented routes are phishing and SIM-swapping — hijacking a victim's mobile number to intercept SMS verification — alongside credential stuffing that replays passwords leaked elsewhere. Kraken's higher password floor helps, but it does nothing against a password reused on a site that was breached, or against a SIM swap. A unique, long password generated locally, combined with app-based or hardware 2FA, neutralises both of the cheapest attack paths.

Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.

Last reviewed: . Reviewed quarterly; primary sources re-checked each review.