Password for PayPal
PayPal enforces a strict 8-to-20-character window and requires a mix of uppercase, lowercase and at least one number; symbols are accepted but optional. The practical recommendation in 2026 is to use the full 20-character allowance with all four character classes, which gives roughly 131 bits of entropy and puts the password out of reach of any current brute-force attack. Generate one below: it is created inside your browser using the Web Crypto API and is never sent to a server. PayPal supports two-factor authentication via authenticator apps and security keys; enable it in the same session in which you change the password, because PayPal accounts are a top-tier target for credential-stuffing bots that run 24 hours a day against leaked credential dumps from unrelated sites. Treat your PayPal credential at the same level as your bank password, because the financial consequences of a takeover are equivalent.
PayPal password rules
Financial accounts are high-value targets. Use a unique password here and enable every available security layer (2FA, login alerts, etc.).
PayPal reported around 430 million active accounts in its 2024 annual report, and unlike most consumer services, a compromised PayPal balance can be transferred to attacker-controlled accounts in minutes — meaning recovery is often a race against irreversible transfers. The maths is brutal at the lower bound. An 8-character mixed-case alphanumeric password — PayPal's stated minimum — gives around 47 bits of entropy, which a modern GPU cluster running Hashcat can exhaust in days against a leaked hash. Push to the 20-character ceiling PayPal allows, with symbols included, and you reach roughly 131 bits — twenty orders of magnitude harder to attack, and outside the realistic budget of any commodity attacker.
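An added example (not the page's own generator code) of the in-browser generation and the entropy figures described above: it draws characters with the Web Crypto API under PayPal's 8-to-20-character rule. The 32-character ASCII punctuation set and all function names are assumptions, since the page does not say which symbols PayPal accepts.

```javascript
// Added example: PayPal-rule password generator on the Web Crypto API.
// Assumption: the symbol set is the 32 printable ASCII punctuation characters;
// the page does not list which symbols PayPal accepts.
const CLASSES = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digit: "0123456789",
  symbol: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
const ALPHABET = Object.values(CLASSES).join(""); // 94 characters

// Browsers and recent Node expose Web Crypto as globalThis.crypto.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Uniform integer in [0, n) by rejection sampling: a plain `byte % n`
// would favour the low indices because 256 is not a multiple of 94.
function randomIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Draw whole passwords until one contains every class. Retrying the whole
// string keeps the result uniform over all compliant passwords, unlike
// forcing one character of each class into fixed positions.
function generatePassword(length = 20) {
  if (length < 8 || length > 20) throw new RangeError("PayPal allows 8 to 20 characters");
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += ALPHABET[randomIndex(ALPHABET.length)];
    const ok = Object.values(CLASSES).every((set) => [...pw].some((c) => set.includes(c)));
    if (ok) return pw;
  }
}

// Entropy in bits of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

`entropyBits(20, 94)` and `entropyBits(8, 62)` reproduce the roughly 131-bit and 47-bit figures quoted in the text.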
Why PayPal accounts are targeted
PayPal is targeted relentlessly because it is one of very few consumer accounts that translates directly into liquid cash — attackers do not have to fence stolen items or wait for a buyer. The dominant attack is credential stuffing using passwords from unrelated breaches (LinkedIn 2012, Adobe 2013, Dropbox 2012 and successors). The secondary route is phishing email and SMS pretending to be PayPal security alerts, often paired with reverse-proxy kits that capture both password and SMS one-time codes. A unique random password defeats stuffing entirely; pairing it with an authenticator app or security key (not SMS) defeats most modern phishing as well.
Source for PayPal's password rules: PayPal's official help page.
Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.
Last reviewed: . Reviewed quarterly; primary sources re-checked each review.