For years, passwords have been the trusted method for user authentication across devices and systems. They are ingrained in our daily routines, serving as a familiar and widely used tool for gaining secure access.
In an increasingly digital world, password security has become a critical concern for individuals and organizations alike. Given the growing number of cyber threats and data breaches, it is essential to understand the importance of password security and how passwords can best protect sensitive information.
When IT managers discuss password security, the debate often revolves around whether the “password length” or the “password complexity” criterion should be followed. In the past, password security was mainly associated with lengthy passwords. This is slowly changing as more and more experts favor password complexity to generate the best possible protection for users and enterprises. But let us take a deeper look at both methods and find out what matters most: length, complexity, or perhaps password strength?
What is Password Length?
The length of a password refers to the number of characters it contains. Generally, longer passwords are considered more secure than shorter ones, because longer passwords provide a larger pool of possible combinations, making them harder for hackers to crack through brute force attacks. These attacks use tools that tirelessly attempt every possible combination of characters until they hit the jackpot. We have summarized how hackers go about this and what the chances of success are in the article “What is a brute force attack?”.
As a rule of thumb, shorter passwords are more susceptible because they have a smaller number of possible combinations, making them easier targets for such attacks.
Years ago, most companies required their users to create passwords with at least 6 characters. Over the years, they switched to a minimum of 8 characters and also introduced the mandatory use of some or all of the following additional rules: a combination of uppercase and lowercase letters, numbers, and special characters.
Currently, several organizations have started to introduce a minimum of 10 or 12 characters to increase security.
Several experts, such as the BSI (the German Federal Office for Information Security), recommend using passwords that are at least 12 characters long and consist of four different types of characters (uppercase and lowercase letters, numbers, and special characters). Alternatively, they should be at least 25 characters long and consist of two types of characters.
But a password such as “Letmepleasepleaseenter!2” contains 24 characters and all four possible character types, and yet it is obviously not secure.
Is the password length method today still the right method?
Among experts, it is accepted that password length alone does not guarantee security. Why is this?
One commonly reads that a longer password significantly enhances the security of an account. It provides a greater number of possible combinations, making it more difficult for hackers to guess or crack. By increasing the length of your password, you exponentially increase the time and effort required to break it. The idea behind asking for longer passwords has been that passwords automatically become more complex due to their length. This is not wrong, but it does not take the human factor into consideration.
As users want to remember their passwords easily, they have used predictable passwords such as “Password”, which fulfills the 8-character length criterion. When providers asked for 12-character passwords with a combination of uppercase letters, lowercase letters, numbers, and special characters, many users simply appended a standard pattern such as “123$” to reach the 12 characters, producing, e.g., “Password123$”.
Even though such passwords satisfy the length and character-mix requirements, they are far from secure and exemplify the problem with the password length criterion. Today, thousands of these commonly used and predictable passwords are known, have been compromised, and can easily be checked on so-called pwned (hacked or compromised) password lists on the Internet. Hackers buy lists of these leaked passwords for small amounts of money on darknet marketplaces. They use these known and popular passwords to simply try out combinations of usernames with the most popular passwords in a trial-and-error fashion (the so-called “dictionary method”). The more user accounts a hacker is able to break into, the more rewarding the investment.
In summary, long passwords are great, but only if they are non-predictable and hence complex from a hacker's standpoint. A long password as such does not by itself yield sufficient password security. Hence, let us have a look at the password complexity criterion.
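The following Python script is an added illustration, not part of the original article, of the gap described above between the search space a blind brute-force attack faces and the far smaller number of guesses a dictionary attack needs when a long password is just dictionary words plus a common suffix. The word list, the suffix patterns and the 94-character printable-ASCII alphabet are constructed assumptions; real attack dictionaries hold millions of entries, which raises the dictionary estimate, but it still stays many orders of magnitude below the brute-force keyspace for passwords built this way.

```python
"""Brute-force keyspace vs. dictionary-attack estimate for a password.

Added example, not from the original article. WORDS, SUFFIXES and CLASS_SIZES
are constructed assumptions for illustration only.
"""

# Constructed toy vocabulary; real attack dictionaries hold millions of words.
WORDS = {"let", "me", "please", "enter", "password", "summer",
         "welcome", "admin", "love", "dragon"}

# Constructed list of common "make it pass the policy" suffixes.
SUFFIXES = ["", "1", "123", "!", "!1", "!2", "123$", "2024"]

# Printable ASCII: 26 lowercase, 26 uppercase, 10 digits, 32 symbols (94 total).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def character_classes(pw: str) -> set:
    """Return which of the four character classes the password actually uses."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def brute_force_keyspace(pw: str) -> int:
    """Candidates a blind brute-force search covers for this length and alphabet."""
    alphabet = sum(CLASS_SIZES[cls] for cls in character_classes(pw))
    return alphabet ** len(pw)


def segment(text: str, words: set, memo=None):
    """Split text into a sequence of dictionary words, or None if impossible."""
    if memo is None:
        memo = {}
    if text == "":
        return []
    if text in memo:
        return memo[text]
    result = None
    for i in range(1, len(text) + 1):
        head = text[:i]
        if head in words:
            rest = segment(text[i:], words, memo)
            if rest is not None:
                result = [head] + rest
                break
    memo[text] = result
    return result


def dictionary_guesses(pw: str):
    """Guesses a dictionary attack needs if pw is dictionary words plus a common
    suffix (allowing a capitalisation variant); None if pw does not fit."""
    lowered = pw.lower()
    # Try the longest suffix first so "123$" is not mistaken for a body ending in "$".
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if suffix and not lowered.endswith(suffix):
            continue
        body = lowered[: len(lowered) - len(suffix)] if suffix else lowered
        tokens = segment(body, WORDS)
        if tokens is not None:
            caps = 2 if any(c.isupper() for c in pw) else 1
            return len(WORDS) ** len(tokens) * len(SUFFIXES) * caps
    return None


def report(pw: str) -> dict:
    """Both estimates side by side for one password."""
    return {"password": pw,
            "brute_force_keyspace": brute_force_keyspace(pw),
            "dictionary_guesses": dictionary_guesses(pw)}


if __name__ == "__main__":
    # "Xk9#qT2v!Lm4" is a constructed random-looking 12-character password.
    for candidate in ("Password123$", "Letmepleasepleaseenter!2", "Xk9#qT2v!Lm4"):
        print(report(candidate))
```

Running the script shows that “Letmepleasepleaseenter!2” sits in a brute-force keyspace of 94^24 but needs only 1.6 million guesses under the toy dictionary model, while the random 12-character password does not match the dictionary pattern at all and is left with its full 94^12 keyspace.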
What is Password Complexity?
Randomly combining alphanumeric characters and symbols makes a password complex. It can be a highly effective strategy to safeguard against hacking. When passwords do not follow conventional patterns, dictionary attacks based on common word combinations become ineffective and time-consuming, which protects user accounts.
“Password complexity” refers to the uniqueness and non-predictability of a password, and not so much to its length. However, a certain length is required to set up a good, complex password. Even though complexity does not necessarily demand a mix of uppercase and lowercase letters, numbers, and symbols, a complex password is often a mix of these components, and such a mix can significantly enhance security. However, the “Password123$” example above shows that a mix does not always translate into complexity. The length of a good, complex password can also be its weakness: complex passwords are more challenging to remember and may lead users to write them down or reuse them across multiple accounts, both of which compromise security.
To learn more about how to remember long and complex passwords, read our article on password managers and passphrases.
Complex passwords offer an additional layer of security by making it harder for hackers to crack them through brute force attacks or automated tools, but only if they are long enough. Hence, the password length and password complexity approaches both have their merits. But let us have a look at recent developments in this field.
The NIST Recommendations
The US-based National Institute of Standards and Technology (NIST) has provided valuable guidance on password security. Its research shows that, when it comes to creating secure passwords, length, uniqueness and non-predictability together are the key factors and should be regarded as the “new” complexity factor. Instead of focusing solely on hard-to-remember character combinations, prioritizing length, uniqueness and non-predictability delivers the new complexity criterion and enhances password security.
This logic is quite sound and is also used for longer passphrases, which are harder to crack and easier for individuals to remember compared to a random assortment of characters. In fact, NIST has even offered several other recommendations for organizations to consider implementing. Some of these suggestions include:
- Rules requiring uppercase, lowercase, or special characters should not be enforced. They are not necessary and won’t affect the security of a password.
- Passwords should consist of a minimum of 15 characters.
- Move from passwords to passphrases, which makes long passwords easier to remember.
- Enable the “Show password” function to prevent users from mistakenly resetting their password due to typos, which can result in potential data disclosure.
- Companies should supply their employees with password managers so that they are encouraged to use a new, secure password for each service. We have summarized how password managers help in the following article: “Should I Use a Password Manager or the One-Password Solution?”
- Passwords should never be stored in plain text in a database. Instead, they should be stored as fixed-length values produced by a hash function, and always together with a salt.
- Wherever possible, multi-factor authentication (MFA) or two-factor authentication (2FA) should be used.
- A change of password should only be demanded if your network may have been compromised, or if the user believes that a password is known by a third party.
- To enhance the online security of your portal, it is crucial to verify all new passwords against a comprehensive list of commonly compromised passwords.
- Do not allow or support password “hints”, as they give skilled hackers an important clue to the password of the account.
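As an added example, not from the original article and not Engity's own code, the Python script below implements three of the recommendations in the list above in one place: salted, fixed-length password hashing (PBKDF2-HMAC-SHA256 from the standard library is my choice of hash function; the iteration count is an assumption), a check of new passwords against a compromised-password list, and a policy that enforces a 15-character minimum without any uppercase/lowercase/digit/symbol rule. The compromised list is a small constructed stand-in held as SHA-1 digests, and the range-query lookup (send only a 5-character hash prefix, match the rest locally) is modelled on the approach public breached-password services use; the exact protocol is an assumption here, not something the article specifies.

```python
"""Salted password storage and NIST-style new-password policy checks.

Added example, not from the original article or Engity's product. The
compromised-password list, the sample passwords and the iteration count
are constructed assumptions.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password list, kept as uppercase SHA-1
# hex digests. SHA-1 is only a lookup key here; it is NOT the storage hash.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "Password123$", "letmein", "qwerty")
}

MIN_LENGTH = 15               # minimum length from the recommendations above
PBKDF2_ITERATIONS = 600_000   # assumption: a current work factor for PBKDF2-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def range_bucket(prefix: str) -> list:
    """Server side of a range query: every list entry whose SHA-1 starts with
    the 5-hex-char prefix, returned as the remaining 35 characters."""
    return sorted(h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix))


def is_compromised(password: str) -> bool:
    """Client side: only the 5-char prefix leaves the client; the full digest
    is matched locally against the returned bucket."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_bucket(digest[:5])


def evaluate_new_password(password: str) -> list:
    """Reasons to reject a new password; an empty list means it is acceptable.

    Deliberately no uppercase/lowercase/digit/symbol composition rule, in line
    with the recommendations above: length and the blocklist decide.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_compromised(password):
        reasons.append("appears on the compromised-password list")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Password123$", "correct horse battery staple"):
        print(candidate, "->", evaluate_new_password(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

In a real deployment the list behind `range_bucket` would be the full breached-password corpus served by a dedicated endpoint, and the PBKDF2 record would be replaced or upgraded whenever the work factor is raised; the self-describing record format makes that migration possible without a forced password reset.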
What is next? Password Strength!
The sections above trace the developments in password security. Digitization demanded more access protection, and hence passwords, the most popular access method, spread worldwide. At the same time, hackers, supported by continuous advancements in technology, have professionalized their methods for compromising user accounts.
Consequently, state-of-the-art password security has moved from password length towards password complexity. Nowadays, the new best practice is both methods together, combined with uniqueness and non-predictability and with a check that the password does not appear on a hacked password list. We at Engity simply call it “Password Strength” and believe that this is what matters in password security. While it may seem inconvenient at first, these measures greatly enhance our online security and protect our sensitive information.
Despite the recent research findings, the vast majority of companies only use some kind of password length criterion (often only 6 or 8 characters) in combination with a mixture of uppercase letters, lowercase letters, numbers, and special characters. Considering the risk of getting compromised, this is unacceptable, as outdated password policies put the IT infrastructure at risk and make it vulnerable to hackers.
At Engity, we believe that password security is essential and should not be left to the user alone. Hence, and by default, our solution has integrated a password strength checker and also recommends a password strength level. At the same time, we implemented a check which verifies if a chosen password has already been pwned and is part of a hacked password list.
If you are unsure whether a selected password is a strong one and the portal you use does not support you in choosing one, you are very welcome to check out our demo to verify the strength of the password you are considering. Just register and you will be guided towards a strong password as part of the registration.
Note: This article was first published in August 2023 and last updated and corrected in March 2025.