SecureTools: Password Requirements for Major Platforms
See minimum and maximum password requirements for major platforms side by side.
Understanding Platform Password Policies
Every online service implements its own password policy, balancing security requirements against user convenience. Understanding these requirements helps you create passwords that are both secure and compatible with each platform you use. This comprehensive reference covers password policies for the most popular services as of 2026.
While longer passwords are generally more secure, some platforms impose maximum length restrictions due to legacy systems or hashing algorithm limitations. For example, bcrypt—a common password hashing algorithm—only processes the first 72 bytes of input, which is why services like GitHub cap passwords at 72 characters.
| Platform | Min Length | Max Length | Requirements |
|---|---|---|---|
| 8 | 100+ | Letters, numbers, symbols allowed | |
| Apple ID | 8 | 32 | Upper, lower, number required |
| Microsoft | 8 | 256 | 3 of 4: upper, lower, number, symbol |
| Amazon | 6 | 128 | No specific requirements |
| 6 | 100+ | Mix of letters, numbers, symbols recommended | |
| Twitter/X | 8 | 128 | No specific requirements |
| 8 | 400 | No specific requirements | |
| Netflix | 4 | 60 | Minimal requirements |
| PayPal | 8 | 20 | Number and symbol required |
| Dropbox | 8 | 1024 | No specific requirements |
| GitHub | 8 | 72 (bcrypt limit) | 15+ chars OR 8+ with number and lowercase |
| Slack | 6 | 72 | No specific requirements |
| UK Banks (typical) | 8-12 | 15-20 | Varies; often restricted character sets |
| US Banks (typical) | 8-12 | 16-32 | Varies; some block special characters |
How to Use This Reference
When creating a new account, first check this table to understand the platform's constraints. Then use our password generator configured to meet those requirements. For platforms with generous maximum lengths (like Dropbox's 1024 characters), consider using a passphrase for better memorability without sacrificing security.
Best Practices for Meeting Requirements
- Always exceed minimum length by at least 4-6 characters when possible
- Use a password manager to generate and store unique passwords for each service
- Enable two-factor authentication regardless of password strength
- For banking sites with restrictive rules, maximize length within their constraints
- Test generated passwords in a separate window before saving to your password manager
When Requirements Seem Restrictive
Some platforms, particularly older banking systems, impose surprisingly restrictive password policies. If you encounter a maximum length of 16 characters or restrictions on special characters, don't panic—compensate by using the maximum allowed length and enabling all available two-factor authentication options. A 16-character random password is still extremely secure against brute-force attacks.
Common Password Policy Pitfalls to Avoid
Many users fall into patterns that compromise security despite following platform requirements. For example, using predictable sequences (like 'password123' or birthdates) or reusing passwords across accounts. Even if a platform allows weak passwords, reusing them creates a single point of failure. Another common mistake is ignoring 'never reuse passwords' guidelines when managing multiple accounts. Services like GitHub and Microsoft require specific character combinations precisely to counter these vulnerabilities. Always treat each platform's password policy as a baseline rather than a ceiling.
How to Use Password Generators Effectively
While our password generator tool can create compliant passwords, users often overlook key customization options. For platforms requiring 3 of 4 character types (e.g., Microsoft), ensure your generated password includes uppercase letters, lowercase letters, numbers, and symbols. Avoid common patterns like 'P@$$w0rd' that attackers frequently test. For services with strict length limits (like Apple ID's 32-character max), use the generator's 'length' filter to stay within bounds. Remember to save generated passwords in a secure password manager rather than writing them down.
Note: Requirements change frequently. Some platforms impose additional restrictions not listed here (e.g., no spaces, no repeating characters). When in doubt, use our password generator and test the result on the platform.