Password for Amazon
Amazon enforces a minimum of 6 characters and accepts the full printable ASCII range, but 6 is dramatically too weak for an account that holds saved payment cards, a Prime subscription, delivery addresses and (for many users) AWS console access. The practical recommendation in 2026 is a 16-character random string drawing from all four character classes — roughly 105 bits of entropy and impractical to brute-force offline. Generate one below — it is created inside your browser using the Web Crypto API and is never transmitted. Pair the new password with Amazon's two-step verification using an authenticator app or hardware security key (not SMS, which is exposed to SIM-swap attacks). The 6-character minimum is a legacy artefact from a different era of password policy; treat the recommended 16 as your effective floor for any Amazon account holding a payment method.
Amazon password rules
A strong, unique password combined with two-factor authentication is your best protection against account takeovers.
Amazon is estimated to have over 300 million active customer accounts globally, and the average household account stores at least one payment method, one delivery address, and (for Prime subscribers) recurring billing tied to a credit or debit card. The maths is unforgiving for the platform minimum. A 6-character all-lowercase password — Amazon's stated minimum — gives around 28 bits of entropy, which a single modern GPU exhausts in less than a second. Raise the length to 16 characters with symbols and you reach roughly 105 bits, comfortably above the NIST SP 800-63B threshold of 80 bits for high-value accounts. The keyspace gap between Amazon's minimum and the recommended secure value is staggering.
Why Amazon accounts are targeted
Amazon accounts are targeted heavily because of the combination of stored payment methods and the ability to ship to attacker-controlled addresses. The dominant attack is credential stuffing: attackers buy username/password pairs from breaches of unrelated sites and replay them against Amazon's sign-in en masse. A secondary and increasingly common vector is account takeover for resale — verified accounts with Prime, particularly those linked to AWS, fetch premium prices on underground marketplaces. A unique random password generated locally cuts the credential-stuffing attack surface to zero, and Amazon's two-step verification (an authenticator app, ideally) closes the remaining phishing route.
Source for Amazon's password rules: Amazon's official help page.
Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.
Last reviewed: . Reviewed quarterly; primary sources re-checked each review.