Password Length and Security — Choosing the Right Length
Password length is the single most important factor in password security. Short passwords fall to brute-force attacks in seconds, while each additional character increases cracking difficulty exponentially. This guide covers NIST recommendations, cracking time estimates, and practical strategies for strong passwords.
NIST Guidelines
NIST's SP 800-63B (revised 2017) fundamentally changed password best practices. Mandatory periodic changes and complex character requirements are now discouraged. Instead, sufficient length is the primary recommendation:
- Minimum: 8 characters (service provider floor)
- Recommended: 12–16+ characters
- Maximum: Services should allow at least 64 characters
- Forced complexity (uppercase + symbol requirements) is discouraged
- Mandatory periodic password changes are discouraged
Length vs. Cracking Time
| Length | Combinations (~95 char set) | Estimated Cracking Time |
|---|---|---|
| 6 chars | ~735 billion | Seconds to minutes |
| 8 chars | ~6.6 quadrillion | Hours to days |
| 10 chars | ~6 × 10^19 | Years to decades |
| 12 chars | ~5.4 × 10^23 | Tens of thousands of years |
| 16 chars | ~4.4 × 10^31 | Trillions of years |
Modern GPUs can crack 8-character passwords in an estimated 5 hours. Moving to 12+ characters makes brute-force attacks computationally infeasible.
Passphrases
Passphrases combine multiple random words into a long, memorable password. Example: "correct horse battery staple" (28 characters). Use 4–5 unrelated words, optionally separated by spaces or symbols. The Diceware method (rolling dice to select from a 7,776-word list) generates passphrases with approximately 77+ bits of entropy.
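As an added example (not part of the original guide), the following Python reproduces the cracking-time table from the 95-character set and checks the passphrase figures. The attacker guess rate is an assumption backed out of the page's "8 characters in about 5 hours" estimate; real rates depend on the hash algorithm and hardware.

```python
import math

PRINTABLE_ASCII = 95      # character set behind the page's table
DICEWARE_LIST = 7776      # standard Diceware list size (6^5)
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length: int, charset: int = PRINTABLE_ASCII) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset ** length


def entropy_bits(length: int, charset: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(charset)


def implied_guess_rate(length: int, seconds: float, charset: int = PRINTABLE_ASCII) -> float:
    """Guesses/second needed to exhaust the keyspace in `seconds` (assumption derived from the page)."""
    return keyspace(length, charset) / seconds


def crack_seconds(length: int, guesses_per_second: float, charset: int = PRINTABLE_ASCII) -> float:
    """Worst-case time to exhaust the keyspace; the average guess lands at half of this."""
    return keyspace(length, charset) / guesses_per_second


def diceware_bits(words: int, list_size: int = DICEWARE_LIST) -> float:
    """Entropy of a Diceware passphrase: each word adds log2(list size) bits."""
    return words * math.log2(list_size)


def diceware_words_for(target_bits: float, list_size: int = DICEWARE_LIST) -> int:
    """Fewest Diceware words that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def human_time(seconds: float) -> str:
    """Coarse, readable duration for table output."""
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    rate = implied_guess_rate(8, 5 * 3600)   # assumed rate: 8 chars in ~5 hours
    print(f"assumed attacker rate: {rate:.2e} guesses/s")
    for n in (6, 8, 10, 12, 16):
        print(f"{n:2d} chars  {keyspace(n):.2e}  {entropy_bits(n):5.1f} bits  {human_time(crack_seconds(n, rate))}")
    for w in (4, 5, 6):
        print(f"{w} Diceware words: {diceware_bits(w):.1f} bits")
```

The Diceware numbers show that the page's "77+ bits" figure corresponds to six words; four or five words give roughly 52 and 65 bits.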
Service Password Limits
| Service | Minimum | Maximum |
|---|---|---|
| | 8 | 100 |
| Apple ID | 8 | No limit |
| Microsoft | 8 | 256 |
| Amazon | 6 | 128 |
| X (Twitter) | 8 | 128 |
| Banking (typical) | 8 | 16–32 |
Common Mistakes
- Dictionary words — "sunshine" or "football" fall to dictionary attacks in seconds.
- Personal information — Birthdays and pet names are easily guessed via social engineering.
- Password reuse — One breach compromises all accounts using the same password (credential stuffing).
Pro Tips
- Use a password manager (1Password, Bitwarden) to generate unique 20+ character passwords
- Check for breaches at haveibeenpwned.com
- Enable two-factor authentication wherever available
Conclusion
Use at least 12 characters, preferably 16+. Passphrases and password managers make long passwords practical. Check your password length with Character Counter.