How Long Should Your Password Be?

It wasn’t until the past few years when everything moved online that people started really looking at their password security. Experts have been trying to convince people for over a decade that they need to do a better job at it, and the few big data breaches have hopefully brought people, and yourself, around.

Unfortunately, most people generally think that a string of 6-8 alphanumeric characters is good enough for a password, but the reality is that creating a strong password is much more complicated. It doesn’t help that the requirements which websites place on password creation give a false sense of security.

Length Matters

While a lot of people think that complexity matters when it comes to passwords, the truth is, it’s actually not as important as length itself (ergo the question of this blog post).

One of the most common ways that passwords are hacked is through a technique called ‘brute-forcing’. The best way to describe it is to think of a tumbler lock with 3 digits and imagine trying to open it without the actual code. You’ll probably end up trying each possible combination such as 001, 002, 003, etc. Well, brute-forcing works exactly the same way, except malicious agents can use the processing power of computers to do the job for them.

This is why complexity isn’t as important as length, as length adds another layer of magnitude to the attempt of forcing passwords.

For the average 8-character password, there’s roughly 221 trillion possible combinations, which may seem like a lot at first glance, but you have to realize that some computers can ‘guess’ 10billion combinations a second with certain sophisticated botnets. So really, you’re only looking at a few hours of brute-forcing to get through the average password.

Alright, so how long should your password be? Well, ideally you’ll want it to be a minimum of 12 characters. At 12, you get a little over three sextillion possible combinations (that’s a three with 21 zeros in front of it).

That could easily take several hundred years to crack with today’s technology, although that’s certainly improving at a break-neck speed, and the time it takes to crack a 12-character password decreases every day.

If you really want to future-proof yourself, 16 characters is truly the best and most realistic length you’ll likely be able to rely on, but more is even better. At 16 characters you’ll basically be long gone for thousands of not hundreds of thousands of years before that password gets cracked.


Alright, let's be honest; most human beings don’t really have the capacity to memorize 16-character passwords, especially 16-character unique passwords for each site they use, but there is an alternative.

You may have heard of passphrases before, but essentially it would be a set of semi-randomly picked words that are easier to remember. For example “Yellow mushrooms gather dust” or “Crazy better went to lunch” or some other combination. In the first example you have a nice 25-character long password, and in the second example you have an equally good 22-character password.

Going with passphrases is overall easier and makes life less difficult. Of course, the question now becomes ‘How long should my passphrase be?’ and you’ll be happy to know that a four-word minimum is usually recommended. If you can do more words, all the better, and generally try to pick something that is personally memorable.

All that being said, there is an issue with passphrases, which is that most sites don’t allow for passwords of that length. Thankfully, some sites are starting to be more lenient, and hopefully within the next 5 years or so we’ll see longer passwords become more common.

Stranger Things

One thing that often comes up with password length is complexity, and naturally, the use of symbols and other strange characters.

While I did mention that length is better, that doesn’t mean that having complexity doesn’t matter at all. That being said, there are a few mistakes that people do that open them up to having their password cracked:

  • Using the same character twice and/or in a row. This can be problematic because it’s a common practice, and therefore brute-forcing programs have been designed around this behaviour. Especially egregious is stuff like ‘!!!!!!’ or ‘1223334444’.

  • Putting them in a specific pattern such as every other character, since that’s also something these programs are programmed to aim for.

  • Replacing letters with symbols like 3 for e, or 1 for l, or any of that kind of stuff. That’s also a pretty common practice that cracking programs take into account.

  • Not securing social media accounts as if it’s a bank account. Seriously. They only need to draw a bit of info from your social media for social engineering and you’re done for.

  • Also, watch out you don’t use one of the most popular passwords.

Generally speaking, you want to avoid making the placement of your characters obvious, which is why most passwords made through generators tend to look like a string of absolute gibberish with no patterns. That’s the most secure password you can use, but it certainly makes it a pain for you to keep up with your passwords.

Don’t Use The Same Passwords For Everything

Now we come to the biggest problem of all; it doesn’t matter how complex or long your password is, if you use it for several different services, you might as well not use a password at all! (Ok, that’s a bit of an exaggeration, but I hope you get my point).

So what should you do? Well at that point the best thing is to get yourself a quality password manager. Not only does it allow you to store lengthy passwords, you also can create a unique password for each site, and you don’t even have to keep track of it. Just make one super strong password for your password manager, and it’s like you have two layers of protection, which is pretty great. If you need a little help in choosing the right password manager for you, here is a review of the top password managers out there.

Don’t Panic!

The most important thing to remember at this point is to not freak out or get an anxiety attack. The average website or service is not going to let somebody brute-force their way into your account, and the only way somebody could try that kind of attack is if some massive data breach happens, which is rare.

Even when that data breach does happen, it would take a long time to crack your password, by which time the breach would have been made public and you would have had time to change your password.

Practicing good password etiquette is important regardless, and you shouldn’t ignore it, but you should be in a state of panic because you have an 11-character password instead of a 12-character password.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.