Password Length vs. Password Complexity: Or should it be Password Strength?

Password complexity bar below a password input field

Myth & facts about a good password and the reasoning behind it.

For years, passwords have been the trusted method for user authentication across devices and systems. They have become an integral part of our daily routines. They are ingrained in our lives, serving as a familiar and widely used tool for gaining secure access.

In an increasingly digital world, password security has become a critical concern for individuals and organizations alike. Due to the increasing number of cyber threats and data breaches, it is essential to understand the importance of password security and how a password best can protect sensitive information.

When IT managers discuss about password security, the debate often goes around the topic if the "password length" or "password complexity" criteria should be followed. In the past, password security was mainly associated with lengthy passwords. This changes slowly as more and more experts favor looking at password complexity to generate the best possible protection for users and enterprises. But let us have a deeper look in to both methods and find out what matters most, length, complexity or is it perhaps password strength?

What is Password Length?

The length of a password refers to the number of characters it contains. Generally, longer passwords are considered more secure than shorter ones. This is because longer passwords provide a larger pool of possible combinations, making them harder for hackers to crack through brute force attacks. These attacks use tools that tirelessly attempt all possible combinations of keys until they hit the jackpot. As a rule of thumb, shorter passwords are more susceptible because they have a smaller number of possible combinations, making them easier targets for such attacks.

Years ago, most companies requested their users to create passwords with at least 6 characters. Over the years, digital application providers switched towards a minimum of 8 characters and also introduced the mandatory use of some or all of the following additional rules: Combination of uppercase and lowercase letters, numbers, and special characters.

Currently, there are several firms which have started to introduce a minimum of 10 or 12 characters to increase security.

Several experts recommend using passwords that are at least 12 characters long. However, it's important to note that simply increasing the length alone may not be enough...

Is the password length method today still the right method?

Among experts, password length alone does not mean security. Why is this?

You can generally read that a longer password significantly enhances the security of an account. It provides a greater number of possible combinations, making it more difficult for hackers to guess or crack. By increasing the length of your password, you exponentially increase the time and effort required to break it. The idea behind asking for longer passwords has been that passwords automatically become more complex due to its length. This is not untrue but does not take the human factor into consideration.

As users want to remember their passwords easily, they have used predictable passwords as, e.g., "Password" which fulfills the 8 characters length criteria. When providers asked for longer 12 characters passwords and a combination of uppercase letters, lowercase letters, numbers, and special characters, many users just appending standard patterns, e.g., "123$" to come up with the 12 characters achieving e.g., "Password123$".

Even though the length of a password as well as combination requirements have respected these kinds of easily predictable passwords are far from secure and exemplarily show the problem with the password length criteria. Today, hundreds of these commonly used and predictable or popular passwords are known, haven been compromised and can easily be checked on so called prawned (hacked or compromised) password lists in the Internet.

Summarized, long passwords are great but only if they are non-predictable and hence are complex from a hacker standpoint. A long password alone does not yield a sufficiently enough password security. Hence, let us have a look at the password complexity criteria.

What is Password Complexity

Randomly combining alphanumeric characters and symbols makes a password complex. It might be a highly effective strategy to safeguard against hacking. By creating passwords that don't follow conventional patterns, dictionary attacks conducted using common word combinations become ineffective and time-consuming, ensuring the security of user accounts.

Password complexity refers to the uniqueness and non-predictability of a password and not to the length of a password. However, a certain length is also a minimum criterion to set up a good, complex password. Even though complexity of a password does not necessarily demand a mix of uppercase and lowercase letters, numbers, and symbols, a complex password is often a mix of these components and can also significantly enhance security. However, the above argumentation with "Password123$" exemplarily shows that a mix does not always translates in complexity. And the length of a good and complex password can also be its problem. Complex passwords can also be more challenging to remember and may lead users to resort to writing them down or reusing them across multiple accounts – both of which compromise security.

To learn more how to remember long and complex passwords, read our article on password manager and passphrases.

Complex passwords offer an added layer of security by making it harder for hackers to crack them through brute force attacks or automated tools but only if long enough. Hence, the password length as well as the password complexity approaches both have their merits. But let us have a look on recent developments in this field.

The NIST Recommendations

The US-based National Institute of Standards and Technology (NIST) has provided valuable guidance on password security. Their research shows that when it comes to creating secure passwords, length, uniqueness and non-predictability together are the key factors and should be considered as the "new" complexity factor. The developments show that instead of focusing solely on complex combinations in terms of difficult to remember combinations, prioritizing the factors password length, uniqueness and non-predictability delivers the new complexity criterion and enhances password security.

This logic is quite sound, as longer passphrases are more difficult to crack and easier for individuals to remember compared to a random assortment of characters. In fact, NIST has even offered several other recommendations for organizations to consider implementing. Some of these suggestions include:

  • The uppercase, lowercase, or special characters criteria should not be enforced. It is not necessary and won't affect the security of a password.
  • Passwords should consist of a minimum of 15 characters
  • Move from passwords to passphrases which helps to easily remember long passwords
  • A change of password should only be demanded if your network may have been compromised, or if the user believes that a password is known by a third party
  • To enhance the online security of your portal, it is crucial to verify all new passwords against a comprehensive list of commonly compromised passwords.
  • Do not allow and support to use password "hints"
  • A seamless user experience by refraining from implementing account lockouts after multiple failed login attempts. This practice not only frustrates genuine users but also plays into the hands of malicious hackers who exploit this vulnerability to flood networks with incorrect passwords.

What is next? Password Strength!

The above paragraph has shown the developments in password security. The digitization demanded more access protection and hence the most popular access method using password has spreaded worldwide. At the same time, hackers - supported by continuous advancements in technology - have professionalized their methods to compromise user accounts.

Consequently, state-of-the-art password security has moved from password length towards password complexity. Nowadays, both methods together combined with uniqueness and non-predictability as well as non-existence on a hacked password list are the new best practice. We at Engity simply call it "Password Strength" what today matters in password security. While it may seem inconvenient at first, these measures greatly enhance our online security and protect our sensitive information.

Despite the recent research findings, the vast majority of companies only uses some kind of password length criteria (often only 6 or 8 characters) in combination with a mixture of uppercase letters, lowercase letters, numbers, and special characters. Considering the risks of getting compromised this is not understandable and from a security standpoint not acceptable. It shows however, that most responsible managers are not aware that their doing (or non-doing) can risk their IT infrastructure as well as potential of being attacked by hackers.

At Engity, we believe that password security is essential and should not be left to the user alone. Hence, we standardly have integrated a password strength checker and also recommend a password strength level to be obeyed. At the same time, we implemented a check which verifies if a chosen password has already been prawned and is part of a hacked password list.

If as user, you are unsure, if a selected password is a strong one and the portal used does not support you in choosing one, you are very welcome to check out our demo to verify the strength of your considered password. Just register and you will be guided towards a strong password as part of the registration.