A secure password does not depend only on adding one uppercase letter, one number and one symbol. Length, unpredictability, random generation and using a different password for every account are more important.
It is also important to understand the limits of a password. Even a long password can be stolen through phishing, malware, data breaches or deception. It should therefore be part of a strategy that includes a password manager and multifactor authentication when available.
Why password length matters
Every additional character increases the number of possible combinations. For a randomly generated password, greater length forces a systematic guessing attack to explore a much larger search space.
This does not mean that any long text is automatically secure. Known expressions, consecutive letters, keyboard patterns, dates, names and popular phrases may be tested before truly random combinations.
What password length should you use?
No single length guarantees security for every account. Risk depends on the service, how the password is stored, login attempt limits and whether multifactor authentication is enabled.
Current NIST guidance for password-verifying systems requires at least 15 characters when the password is the only authentication factor. When it is used as part of a multifactor process, a shorter minimum may be accepted, but it cannot be below eight characters.
For randomly generated passwords, a practical general guideline is:
For important accounts, use the longest reasonable password accepted by the service and store it in a trusted password manager.
What password entropy means
Entropy describes the uncertainty behind a value. For a completely random password, it can be estimated from the number of available characters and the password length.
For example, if every position is selected uniformly from uppercase letters, lowercase letters and numbers, there are 62 possibilities per character. Every extra character multiplies the total number of combinations by 62.
| Length | Character set | Approximate theoretical entropy | Interpretation |
|---|---|---|---|
| 8 characters | 62 possible characters | 47.6 bits | Limited space against offline guessing with no attempt limits |
| 12 characters | 62 possible characters | 71.5 bits | Considerable improvement over eight |
| 16 characters | 62 possible characters | 95.3 bits | Large theoretical space for a random password |
| 20 characters | 62 possible characters | 119.1 bits | Even greater theoretical margin |
Are symbols better than additional length?
Symbols increase the available character set and can improve a random password. However, adding one symbol to the end of a predictable word provides much less protection than it may appear to.
Patterns such as a known word, an uppercase first letter, one number and a final symbol are common. Attackers can test those transformations before attempting a fully random search.
Increasing the length of a randomly generated password usually produces a clearer increase in the search space than small predictable changes.
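The table above and the symbols-versus-length question can both be worked through with the same formula, entropy = length × log2(alphabet size). The following Python is an added example written for this guide, not code from the page's generator or from any standard. It reproduces the 62-character table, then goes beyond the table in two ways: it applies the formula to passphrases (each word is one draw from a wordlist; the 7776-word list size in the usage is an assumption taken from common diceware-style lists) and it estimates the much smaller search space of the "dictionary word + capital + digit + symbol" pattern, where the dictionary size, the 32-symbol count and the suffix counts are assumptions chosen for illustration.

```python
import math

# Class sizes assumed for the estimates below (not from the page):
# 26 uppercase, 26 lowercase, 10 digits, 32 printable ASCII symbols (no space).
CLASS_SIZES = {"upper": 26, "lower": 26, "digits": 10, "symbols": 32}


def charset_size(upper=True, lower=True, digits=True, symbols=False):
    """Distinct characters available when every position is drawn uniformly
    from the selected classes. Upper + lower + digits gives the table's 62."""
    selected = {"upper": upper, "lower": lower, "digits": digits, "symbols": symbols}
    return sum(CLASS_SIZES[name] for name, on in selected.items() if on)


def random_entropy_bits(length, alphabet):
    """Entropy of a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet)


def passphrase_entropy_bits(words, wordlist_size):
    """Same formula for a passphrase: each word is one uniform draw from the list."""
    return words * math.log2(wordlist_size)


def pattern_entropy_bits(dictionary_size, capitalisations=2, digit_suffixes=10, symbol_suffixes=32):
    """Entropy of the 'Word + capital + digit + symbol' habit when the pattern and
    dictionary are known: the guess count is the product of the choices, not 94**length."""
    return math.log2(dictionary_size * capitalisations * digit_suffixes * symbol_suffixes)


def entropy_table(lengths=(8, 12, 16, 20), alphabet=62):
    """Reproduce the page's table: length -> bits, rounded to one decimal."""
    return {n: round(random_entropy_bits(n, alphabet), 1) for n in lengths}


def symbols_vs_extra_length(length, base_alphabet=62, full_alphabet=94):
    """Return (bits gained by allowing symbols in every position,
               bits gained by adding one character to the 62-character alphabet)."""
    base = random_entropy_bits(length, base_alphabet)
    return (random_entropy_bits(length, full_alphabet) - base,
            random_entropy_bits(length + 1, base_alphabet) - base)


if __name__ == "__main__":
    print(entropy_table())
    print("symbols everywhere vs one more char at length 12:", symbols_vs_extra_length(12))
    # Assumed 100,000-word dictionary: about 26 bits, versus ~59.5 bits for a
    # random 10-character string over 62 characters.
    print("Word+Cap+digit+symbol pattern:", pattern_entropy_bits(100_000))
    print("random 10 chars:", random_entropy_bits(10, 62))
    print("6-word passphrase, 7776-word list:", passphrase_entropy_bits(6, 7776))
```

Two things stand out from running it. For a genuinely random password, letting symbols appear in every position is worth roughly as much as one extra character (about 7.2 bits versus 6 bits at length 12), so symbols do help a random password. A single symbol appended to a dictionary word is a different case: with the assumed 100,000-word dictionary the whole pattern has about 26 bits, less than half of a random 10-character alphanumeric string, because the attacker tries the pattern, not the full 94-character space.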
Passphrases
A passphrase combines several words to create a longer secret that may be easier to remember.
The words must be selected unpredictably. A famous quotation, song title or common expression can be long and still easy to guess.
A useful passphrase should:
- Contain several unrelated words.
- Not be a known phrase.
- Exclude personal information.
- Not be reused across accounts.
- Be sufficiently long.
When a password will be stored in a manager, a random string is normally more practical. Passphrases can be useful for the manager's master password because that password must be remembered.
Why passwords should not be reused
A password can be technically strong and still create a serious problem when used across multiple accounts. If one service suffers a breach, those credentials can be tested automatically on other sites.
Every account should therefore use a different password. A breach at one service will then not automatically provide access to the others.
Why use a password manager?
A password manager allows you to create and store long, unique passwords without remembering each one individually.
This makes password reuse easier to avoid and reduces the temptation to select short passwords or values based on personal information.
Password manager good practices
- Choose a long and unique master password.
- Enable multifactor authentication.
- Keep the application updated.
- Protect the devices where it is installed.
- Store recovery codes securely.
A strong password does not replace MFA
Multifactor authentication asks for additional proof beyond the password. This may be an authenticator application, a security key, a trusted device or a biometric factor.
It adds another barrier when a password has been stolen or disclosed. It does not eliminate every risk, but it reduces dependence on a single secret.
When a service offers MFA, enable it, especially for email, financial services, work accounts, password managers and social networks.
Should passwords be changed periodically?
Mandatory frequent changes may lead to predictable modifications, such as incrementing a number or reusing a variation of the previous password.
A password should instead be changed when there is a specific reason:
- It appeared in a data breach.
- It was shared with another person.
- It was used for more than one account.
- The device may have been compromised.
- Suspicious activity has occurred.
What a password generator can do
A generator can create long and unpredictable combinations without relying on human habits. It also lets you control the length and which character classes (uppercase letters, lowercase letters, numbers and symbols) are included.
A generator cannot protect a password after it has been copied. Security then depends on where the password is stored, whether it is reused, how the device is protected and whether MFA is enabled.
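To show what "random generation" means in practice, here is an added Python example written for this guide; it is not the SWS Universe generator's code and makes no claim about how that tool works. It draws every character from the operating system's cryptographic random source via the `secrets` module (never the `random` module, whose output is predictable), lets the caller pick the character classes and the length, optionally drops easily confused characters (the exclusion set `0O1lI|` is an assumption for this example), and guarantees that every selected class appears by rejecting and redrawing candidates that miss one, which keeps the output uniform over the accepted strings. It also covers the passphrase section above with a word-based generator; `DEMO_WORDLIST` is a constructed eight-word list so the code runs offline, and the entropy figure it prints makes clear why a real passphrase needs a list of thousands of words.

```python
import math
import secrets
import string

# Characters easy to confuse when read aloud or typed; the set is an assumption
# made for this example, not the list the page's generator uses.
AMBIGUOUS = set("0O1lI|")

# Constructed mini wordlist for the passphrase demo. A real passphrase must be
# drawn from a large list so that each word contributes meaningful entropy.
DEMO_WORDLIST = ["anchor", "breeze", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor"]


def build_alphabet(upper=True, lower=True, digits=True, symbols=True, exclude_ambiguous=False):
    """Assemble the pool as (class_name, characters) pairs so the generator can
    guarantee that every selected class is represented in the output."""
    classes = []
    if upper:
        classes.append(("upper", string.ascii_uppercase))
    if lower:
        classes.append(("lower", string.ascii_lowercase))
    if digits:
        classes.append(("digits", string.digits))
    if symbols:
        classes.append(("symbols", string.punctuation))
    if exclude_ambiguous:
        classes = [(name, "".join(c for c in chars if c not in AMBIGUOUS)) for name, chars in classes]
    classes = [(name, chars) for name, chars in classes if chars]
    if not classes:
        raise ValueError("at least one character class must be enabled")
    return classes


def generate_password(length=20, **options):
    """Draw every position uniformly with the OS CSPRNG, then reject and redraw any
    candidate that misses a selected class. Rejection sampling keeps the result
    uniform over all strings that contain every class."""
    classes = build_alphabet(**options)
    pool = "".join(chars for _, chars in classes)
    if length < len(classes):
        raise ValueError("length too short to contain every selected class")
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(c in chars for c in candidate) for _, chars in classes):
            return candidate


def generate_passphrase(words=6, wordlist=DEMO_WORDLIST, separator="-"):
    """Each word is one uniform draw from the list, with replacement."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length, pool_size):
    """log2(pool_size ** length): the search space of a uniformly random secret."""
    return length * math.log2(pool_size)


def describe(password, **options):
    """Entropy estimate from the pool and length, rounded to one decimal. Slightly
    optimistic, because rejection removes the few candidates lacking a class."""
    pool = "".join(chars for _, chars in build_alphabet(**options))
    return round(entropy_bits(len(password), len(pool)), 1)


if __name__ == "__main__":
    opts = dict(upper=True, lower=True, digits=True, symbols=True, exclude_ambiguous=True)
    pw = generate_password(20, **opts)
    print(pw, describe(pw, **opts), "bits")
    pp = generate_passphrase(6)
    print(pp, round(entropy_bits(6, len(DEMO_WORDLIST)), 1), "bits (tiny demo list)")
```

`string.punctuation` includes characters such as `"`, `\` and `'` that some services reject or mishandle; a generator used in practice exposes the symbol set as an option for that reason. The entropy printed for the demo passphrase (6 words from 8 is only 18 bits) shows that passphrase strength comes from the size of the wordlist as much as from the word count.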
What a generator cannot guarantee
- That the receiving service stores passwords securely.
- That the device is free from malware.
- That the password will not be captured through phishing.
- That the user will not reuse or share it.
- That an account without MFA is protected against every attack.
Generate long and random passwords
Use the SWS Universe generator to select length, quantity, uppercase letters, lowercase letters, numbers, symbols and exclusion of ambiguous characters. Generation happens locally in your browser.
Sources and references
This guide uses public security and authentication recommendations as references. Specific policies may vary between services.