Can you remember the last time you didn’t need to access at least one of your passwords? It’s probably been a while. After all, the average person handles around 168 passwords. At that scale, you might wonder whether you can really prioritize security, or whether you have to cut corners just to remember how to get into your accounts at all.
It doesn’t help that the numbers vary across the board—some think you can get away with 6 characters, others go for numbers in the 20s. Let’s settle it once and for all and answer a few pressing questions. At the end of the day, how long should a password be on average, and how should its structure look to keep you safe online?
What’s the recommended minimum password length?
Let’s not beat around the bush—the length of your passwords is one of the key cybersecurity checkpoints you can tick off. The exact number of characters is something of a point of contention.
Our recommendation is to use a random mix of 8 characters (including upper- and lowercase letters, numbers, and special symbols) as the bare minimum for your password; however, the longer you go, the better.
Alternatively, you can choose to use a passphrase—a sequence of words or other text that you can use to authenticate your identity. For example, you can use a line from your favorite movie or book. However, make sure no one knows what that specific phrase is. A unique passphrase is as effective as a highly complex password because the spaces between words count as special characters.
The case for longer passwords
But why does it matter so much how long a password is? To answer this question, we first need to understand one of the biggest threats to password safety—brute-force attacks. Cybercriminals use special software to try millions (even billions, if the computer is powerful enough) of character combinations to find passwords that work. They usually start with every word in a dictionary, so passwords that contain only one or two words are not resilient.
With fewer characters, there are far fewer possible combinations, so a short password is easier to guess. If you go any shorter than 8 characters, the chances of your passwords getting brute-forced increase. The more personal and work accounts you have, the more variety you need—and longer passwords give you that variety.
In NordPass’ 2024 list of the Top 200 Most Common Passwords, the first 10 entries consisted of passwords ranging from 5 to 9 characters. Most were sequences of numbers and lowercase letters based on the keyboard layout—think 123456 or qwerty. Such combinations are easy bait for cybercriminals, who require less than a second to break through and claim the account for themselves.
The problem is not just how short the passwords are but also how frequently they’re reused. If a person comes up with a 6-character password containing only letters and numbers, the hacker can run a program that quickly finds the matching combination. Then they can try that password together with the associated email address on other services and take over every account where it was reused. Longer passwords with more variety take more guesses to find, increasing the time required to breach them.
To address the problem of weak passwords, various password policies and guidelines are put in place to help both businesses and individuals manage their personal data better. The National Institute of Standards and Technology (NIST) updated its password security guidelines in 2024, clarifying how the expectations for credential security have shifted. According to the new guidelines, passwords should be up to 64 characters long—a long passphrase can be used instead of a password—and should only be changed if there’s clear evidence that they've been compromised. Passwords should also be generated and stored using a password manager for better security.
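As an added illustration of the NIST-style policy just described (example code, not from the article or NordPass): the check enforces only a length floor of 8 and a ceiling of 64, allows spaces so passphrases work, and screens candidates against a list of common passwords like the Top 200 list the article cites. The blocklist here is a small constructed sample, and the limits are the figures given above.

```python
import unicodedata

MIN_LENGTH = 8    # bare-minimum length recommended above
MAX_LENGTH = 64   # ceiling the NIST guidance asks services to allow

# Constructed stand-in for a real corpus of common or breached passwords;
# a real service would load a large list rather than these five entries.
BLOCKLIST = {"password", "123456", "qwerty", "password123", "letmein"}


def check_password(candidate: str, blocklist=BLOCKLIST) -> list[str]:
    """Return the policy violations for a candidate (empty list means accepted).

    Deliberately no composition rules: any printable character, including
    spaces, is fine, so a passphrase passes as long as it is long enough
    and is not a well-known string."""
    # Normalise so visually identical Unicode forms compare equal.
    pw = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive comparison so trivial capitalised variants are caught too.
    if pw.lower() in blocklist:
        problems.append("appears in the blocklist of common or breached passwords")
    return problems


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "abc", "Password123"):
        print(repr(sample), "->", check_password(sample) or "accepted")
```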
Balancing length and complexity
What keeps you safe online and what makes it easy for you to be online in the first place requires a delicate balance. As mentioned earlier, password length plays a key role in how predictable a password is. The fewer characters you use, the less time it takes to crack it. Likewise, the more variety you add, the more time and resources are needed to figure it out.
Passphrases are a great help here. They ensure your credentials are long and complex without the clutter of random characters. If you pick a quote, you’ll probably use at least 4 or 5 words. This automatically racks up the password length, granting it a higher resilience against cyber threats.
You might wonder how resilient passphrases are against brute-force attacks targeting dictionary words. The length of the passphrase is actually an advantage here despite it using words from a known corpus—it increases the guessing difficulty, and guessing every word, space, and punctuation mark in exactly the right order is resource-intensive, so an attacker is far less likely to land on an exact match.
Now, let’s sprinkle in some complexity. Of the options “password123” and “PAl4p5e*tDgF!3”—the 111th entry in the aforementioned Top 200 list and a completely random keysmash—the former would take under a second to crack, while the latter would need hundreds of years.
The randomized example does not follow an easily detectable pattern and contains every character we’ve mentioned so far—upper- and lowercase letters, numbers, and special symbols. If you took a similar combination and kept adding random characters in random spots, the complexity level would increase. In short, length adds complexity, and complexity is exactly what you want for your credentials.
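To make the length-versus-complexity trade-off concrete, here is an added Python example (not from the article or NordPass) that estimates how many guesses an attacker needs: a password found on a common-password list costs only as many guesses as its rank, while anything else is assumed to require exhausting the alphabet its characters imply. The short common-password list, the 7,776-word passphrase list size and the 10 billion guesses per second rate are assumptions.

```python
import math

# Constructed sample of a common-password list (stand-in for the Top 200 list
# cited above); a real estimator would load a far larger corpus.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "123456789", "password123"]

CLASSES = [
    (str.islower, 26),   # a-z
    (str.isupper, 26),   # A-Z
    (str.isdigit, 10),   # 0-9
]
SYMBOLS = 33             # printable ASCII punctuation plus space


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover, inferred from the character classes present
    (non-ASCII letters are counted with the 26-letter classes for simplicity)."""
    size = sum(n for predicate, n in CLASSES if any(predicate(c) for c in password))
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def guesses_to_crack(password: str, common=COMMON_PASSWORDS) -> float:
    """Worst-case guesses for an attacker who tries the common list first,
    then exhausts the inferred alphabet up to the password's length."""
    if password in common:
        return common.index(password) + 1
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(guesses_to_crack(password))


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to exhaust 2**bits guesses at an assumed offline cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("password123", "Ab3$ef!9", "PAl4p5e*tDgF!3"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, ~{crack_years(entropy_bits(pw)):.3g} years")
    print(f"5-word passphrase: {passphrase_bits(5):.1f} bits")
```

Note that "password123" scores near zero despite being 11 characters long, because the attacker never has to brute-force it, while a 5-word passphrase from a modest wordlist outscores an 8-character password drawn from all 95 printable characters.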
Tips for creating secure, long passwords
Passphrases are a solid idea for strong credentials. However, some websites and apps don’t recognize spaces as special characters, which makes it harder to use more memorable passwords. How do you come up with really good ones, and how do you make sure you don’t forget them?
One thing you can try is a spin on a passphrase—take the words in a phrase, omit some letters, replace them with special characters, and voila! You’ve got a strong password concept on your hands. For example, let’s take the classic phrase “The quick brown fox jumps over the lazy dog” and turn it into “1.Qui.bro.fo.jum.ove.1.laz.dO.” We’ve replaced “the” with 1, left the first 2 or 3 letters of the other words, capitalized the first and last letters, and finished with a full stop for good measure. The result? A password that would take centuries to breach.
That said, avoid simply taking a word and replacing its letters with numbers, like “0v3r” for “over”—hackers are familiar with such “tricks” and have added them to their brute-force checklist. Instead of following a predictable pattern, get creative—switch random letters with numbers that wouldn’t otherwise match (like a 5 for L instead of the anticipated S) and build a cipher only you know. We’ve got more inspiring ideas you can use to level up your inner password generator in our dedicated article.
If you’re unsure whether your new credential meets the ideal strong password criteria, you can test it using our secure password checker. Don’t worry—we don’t store the passwords you type into this tool to ensure that your data remains secure, whether it’s just an idea or already in use.
The simplest way to settle the password length question, and to stop worrying about mixing passwords up, is to get a tool that does it for you—and NordPass knows how to get it done right. NordPass is an intuitive password manager that keeps all your credentials securely encrypted.
Thanks to its built-in Password Generator, you won’t have to worry about coming up with passwords on your own ever again. You won’t need to remember them either, as the autofill feature will detect your login attempts and input your credentials for you in seconds. In fact, with NordPass, the only password you need to remember is the Master Password to access your vault. Everything else will be handled for you with our browser extension and mobile app.
Reinforce all your accounts with ease and embrace the long password lifestyle with NordPass.
FAQ
No password is 100% guaranteed to be uncrackable. However, a password containing 64 characters can take millions of years to crack, while a 6-character password might need as little as a minute. The longer the password is, the safer your accounts will be.
Theoretically, a password can be as long as you want. However, a site or an app may restrict the character space in sign-up forms for development reasons. According to NIST guidelines, a password should be up to 64 characters long.
Yes. Mixing different character types makes the password less predictable and requires more time for cybercriminals to crack it. More complex passwords can take thousands of years to brute-force.