Why Password Length Matters More Than Complexity
Modern password security research shows length beats complexity. Learn why a 20-character passphrase is stronger than a complex 8-character password — and how to create both.
January 16, 2025
For decades, conventional wisdom held that a strong password needed uppercase letters, lowercase letters, numbers, and special characters. IT departments imposed policies requiring P@ssw0rd!-style passwords — complex, hard to remember, and as it turns out, not particularly secure. Modern password security research tells a different, more nuanced story.
How Password Cracking Actually Works
Attackers crack passwords in two main ways: brute force (trying every possible combination) and dictionary attacks (trying known words, common passwords, and their variations).
Against brute force, what matters is the number of possible combinations — which is determined by both the character set size and the password length. The formula is: combinations = character_set_size ^ length.
- 8 characters, lowercase only (26 chars): 26^8 = 208 billion combinations
- 8 characters, mixed case + digits + symbols (~94 chars): 94^8 = 6.1 quadrillion
- 16 characters, lowercase only: 26^16 = 43 septillion combinations
- 16 characters, mixed: 94^16 = 37 sextillion combinations
A modern GPU-based cracking rig can test billions of passwords per second. Against a 16-character password, even lowercase only, an exhaustive brute force would take millions of years. Against an 8-character complex password, it might take hours to days.
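The arithmetic above, worked through as an added example (not code from the original article): search-space size, entropy in bits, and the time an attacker needs to exhaust the space at a fixed guess rate. The guess rate of one billion per second is an assumed figure for a GPU rig.

```python
import math

# Character-set sizes from the article's examples
LOWERCASE = 26     # a-z
MIXED = 94         # upper + lower + digits + printable symbols

def combinations(charset_size: int, length: int) -> int:
    """Size of the search space an exhaustive brute force must cover."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the search space: each extra character adds log2(charset_size) bits,
    which is why length pays off faster than a bigger alphabet."""
    return length * math.log2(charset_size)

def worst_case_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Years to exhaust the whole space at a fixed guess rate.
    On average an attacker finds the password after half of this."""
    seconds = combinations(charset_size, length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def compare(guesses_per_second: float = 1e9) -> dict:
    """Assumed attacker speed: one billion guesses per second (a constructed figure)."""
    cases = {
        "8 lowercase": (LOWERCASE, 8),
        "8 mixed": (MIXED, 8),
        "16 lowercase": (LOWERCASE, 16),
        "16 mixed": (MIXED, 16),
    }
    return {
        name: {
            "bits": round(entropy_bits(c, n), 1),
            "years": worst_case_years(c, n, guesses_per_second),
        }
        for name, (c, n) in cases.items()
    }

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:13s} {r['bits']:6.1f} bits  {r['years']:.3g} years to exhaust")
```

Note that 16 lowercase characters (about 75 bits) beat 8 mixed characters (about 52 bits) by more than 20 bits, i.e. a search space over a million times larger.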
Why "Complexity Requirements" Often Backfire
When forced to create complex passwords, humans are predictable. We use: a capitalized first letter, a number at the end, and an exclamation mark. Password1! satisfies most complexity rules but is extremely vulnerable to dictionary attacks because attackers know these patterns and test them first.
The U.S. National Institute of Standards and Technology (NIST) revised its password guidelines in 2017 and 2024 to specifically recommend against mandatory complexity rules and periodic password changes (which also cause predictable patterns like incrementing numbers). Instead, NIST recommends: length over complexity, and checking against known breached passwords.
The Case for Passphrases
A passphrase is a sequence of random words, like correct-horse-battery-staple (from the famous XKCD comic). This approach was popularized by XKCD creator Randall Munroe and is now widely recommended by security experts.
Why passphrases work:
- Length — A 4-word passphrase is typically 20-30 characters, far exceeding any complexity rule's requirements.
- Entropy — If chosen from a list of 7,776 common words (a standard Diceware list), each word adds about 12.9 bits of entropy. Four words = ~51 bits. That's stronger than most "complex" 8-character passwords.
- Memorability — Humans are far better at remembering four concrete words than a random string of characters. Better memorability means fewer resets and less password reuse.
The key requirement for passphrases: the words must be random. Do not use a phrase from a book, song, or movie — those are easily guessed. Use a generator (like ours) that picks words from a large list using cryptographic randomness.
When to Use Random Character Passwords
For passwords you will never need to type manually — and most passwords should fall into this category if you use a password manager — random character passwords are slightly more efficient per character. A 20-character random password like k9#mZvQ2!Lp7@nXr0sWj is extremely strong and not significantly harder to store than a passphrase.
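An added example (not code from the original article or its generator) covering both kinds of secret discussed above: a passphrase generator and a random-character generator built on Python's secrets module, which draws from the operating system's CSPRNG. The word list is a constructed 28-word stand-in; a real Diceware list has 7,776 words, and the entropy helper shows what either list size yields.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware-style list. A real list has 7,776 words;
# entropy per word depends only on the list size, so the size is what matters here.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bishop", "cactus",
    "dragon", "ember", "falcon", "garden", "harbor", "island", "jungle",
    "kettle", "lantern", "marble", "nickel", "orbit", "pepper", "quartz",
    "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
# Upper + lower + digits + punctuation: the 94-character set used in the article
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation

def bits_of_entropy(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform selections from `choices` options."""
    return picks * math.log2(choices)

def passphrase(words: int = 4, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Join `words` uniformly random words. secrets.choice draws from the OS CSPRNG;
    random.choice is predictable and must not be used for this."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates, which would lower the entropy")
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def random_password(length: int = 20, charset: str = FULL_CHARSET) -> str:
    """Random-character password for anything a password manager stores and types."""
    return "".join(secrets.choice(charset) for _ in range(length))

if __name__ == "__main__":
    print(passphrase(6), round(bits_of_entropy(7776, 6), 1), "bits with a 7,776-word list")
    print(random_password(20), round(bits_of_entropy(len(FULL_CHARSET), 20), 1), "bits")
```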
Use passphrases for: your password manager master password, computer login password, and any other password you need to memorize and type. Use random character passwords for: everything stored in your password manager.
Password Length Recommendations by Account Type
- Password manager master password: 20+ character passphrase (6 words). This is the most critical password you have.
- Email account: 20+ characters (the key to all account recovery)
- Banking and financial accounts: 20+ characters
- Social media and general accounts: 16+ characters, stored in password manager
- Low-value, throwaway accounts: 12+ characters minimum
The Non-Negotiable Rules
Length matters most, but these rules are equally important:
- Never reuse passwords — When any site is breached, attackers try those credentials everywhere. Every account must have a unique password.
- Use a password manager — Without one, unique long passwords for every account are practically impossible. Bitwarden (free, open source), 1Password, and Dashlane are all excellent options.
- Enable two-factor authentication (2FA) — Even a perfect password can be phished. 2FA (especially hardware keys or TOTP apps) makes phished passwords useless.
- Check for breached passwords — Use Have I Been Pwned to check if your accounts have appeared in data breaches. Change any passwords that have been exposed.
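An added example, not part of the original article: checking a password against the line format of the Pwned Passwords range API that Have I Been Pwned provides. Only the first five hex characters of the password's SHA-1 are sent; the response used here is a constructed stand-in with made-up counts, and the live fetch function is included but never called.

```python
import hashlib
from typing import Callable

# Pwned Passwords range API: the client sends only the first 5 hex characters of the
# password's SHA-1 to https://api.pwnedpasswords.com/range/<prefix>; the response is one
# "SUFFIX:COUNT" line per breached hash sharing that prefix, so the full hash never
# leaves the machine (k-anonymity).

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_response: str) -> int:
    """Scan the response for our suffix; 0 means the password was not in the breach corpus."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0

def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appeared in breaches, using an injected fetcher."""
    prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, fetch_range(prefix))

def fetch_range_live(prefix: str) -> str:
    """Real lookup (not called here): a plain GET against the range endpoint."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def constructed_fetch(prefix: str) -> str:
    """Constructed response in the API's line format; the counts are made up for the demo.
    It contains the suffix of SHA-1("password") so the check below reports a hit."""
    return "\n".join([
        "0" * 35 + ":3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",   # suffix of SHA-1("password"), constructed count
        "F" * 35 + ":1",
    ])

if __name__ == "__main__":
    print("password   ->", check_password("password", constructed_fetch), "hits")
    print("passphrase ->", check_password("correct-horse-battery-staple", constructed_fetch), "hits")
```

Any non-zero count means the password is in attackers' wordlists and should be changed regardless of its length.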
What About Password Expiry?
Mandatory periodic password changes (every 90 days, etc.) are no longer recommended by NIST or most modern security guidance. Research shows they cause users to make predictable incremental changes (Password1! → Password2!) that provide no real security benefit. Change passwords when there is a reason to: a breach, suspected compromise, or known exposure — not on an arbitrary schedule.
Summary
Length is the most important factor in password strength. A 16-character lowercase-only random password is stronger than a complex 8-character one. Passphrases are strong, memorable, and ideal for passwords you need to type. For everything else, use a password manager with unique random passwords, enable 2FA, and never reuse credentials across sites.