Password Best Practices: Length vs Complexity
Security research shows longer beats more complex. Here's the data on entropy, cracking times, and what password policies actually protect you.
Corporate password policies requiring uppercase letters, numbers, and special characters were designed in the 1980s based on a theoretical paper that has since been largely repudiated — even by its original author. Modern security guidance from NIST (the US National Institute of Standards and Technology) tells a different story. Here is the actual data.
The entropy formula
Password strength is measured in bits of entropy. The formula is: Entropy (bits) = log₂(C^L) where C is the size of the character set and L is the password length.
This simplifies to: L × log₂(C)
So a 12-character password using 26 lowercase letters has: 12 × log₂(26) = 12 × 4.7 = 56.5 bits of entropy.
The same password using 95 printable ASCII characters has: 12 × log₂(95) = 12 × 6.57 = 78.8 bits.
Adding 4 more characters to the lowercase version: 16 × 4.7 = 75.2 bits — nearly equal to the complex 12-character version. That illustrates the core point: length scales better than complexity.
Cracking time estimates
Modern hardware (a consumer GPU cluster) can attempt approximately 100 billion password guesses per second against unsalted MD5 hashes — which many older systems still use. Against modern bcrypt or Argon2 hashing, the rate drops to millions per second.
| Password | Character Set | Entropy | Est. crack time (fast attack) |
|---|---|---|---|
| 8 chars, mixed | 95 chars | 52.4 bits | Hours to days |
| 12 chars, lowercase | 26 chars | 56.5 bits | Days to months |
| 12 chars, mixed | 95 chars | 78.8 bits | Centuries |
| 16 chars, lowercase | 26 chars | 75.2 bits | Thousands of years |
| 16 chars, mixed | 95 chars | 105 bits | Heat death of universe |
| 20 chars, mixed | 95 chars | 131 bits | Astronomically beyond |
The jump from 8 to 16 characters is far more impactful than adding symbols to an 8-character password.
Why "correct-horse-battery-staple" beats "P@ssw0rd"
The XKCD comic that introduced this concept (number 936) made a point that security professionals have backed up with research: four random words strung together are both more secure and more memorable than a short complex password.
"correct horse battery staple" is 4 random words. If chosen from a dictionary of 2,000 common words, entropy = log₂(2000^4) = log₂(1.6 × 10^13) ≈ 43 bits. That seems lower, but in practice dictionary-based passphrase attacks are computationally very expensive. At a minimum 4-random-word passphrase with a larger dictionary (say 7,776 words as in Diceware), entropy jumps to log₂(7776^4) ≈ 51 bits — and to 64 bits with 5 words.
"P@ssw0rd" has every character type but is in every single dictionary attack list. Its effective entropy is near zero because it is a known pattern.
The lesson: apparent complexity is not real entropy. True randomness — even with simpler characters — is what counts.
NIST guidelines 2024
NIST Special Publication 800-63B, updated in 2024, provides the clearest modern guidance:
- Minimum length should be at least 15 characters for memorized secrets (up from 8 in earlier guidelines)
- Maximum length should be at least 64 characters — systems that cap passwords at 16 characters are reducing security
- Do not require complexity rules (mixed case, numbers, symbols) — these encourage predictable substitutions and make passwords harder to remember without making them harder to crack
- Do not require arbitrary password expiration — forced periodic changes cause users to create weaker passwords with predictable patterns
- Check new passwords against breach databases — NIST explicitly recommends blocking passwords that appear in known breach lists
- Allow all printable ASCII characters including spaces — spaces enable passphrases
These represent a significant shift from the traditional IT approach. Unfortunately many organizations still enforce outdated policies.
Corporate policies that are counterproductive
Common corporate password policies that security research identifies as net negatives:
Mandatory 90-day expiration: Users adapt by cycling through predictable patterns — "Summer2026!" → "Fall2026!" → "Winter2026!". Attackers know this.
Maximum length limits under 20 characters: Any limit below 64 characters is reducing your security without benefit. Limits under 20 actively hurt you.
Complexity requirements without length floors: Requiring "!@#$" but allowing 8-character passwords is worse than allowing 16-character lowercase passwords.
Blocking password managers: Some systems flag paste operations or require JavaScript to be disabled in specific ways that break password managers. This forces users to create memorable (weaker) passwords.
Recommended minimums by use case
Not all accounts need the same protection level:
Throwaway/low-stakes accounts (forums, newsletters): 14+ characters, random, unique per site.
Standard accounts (shopping, streaming, apps): 16+ characters, mixed character types, unique per site.
Financial accounts (bank, brokerage, crypto): 20+ characters, fully random, unique, plus 2FA with an authenticator app.
Email accounts: Treat like financial accounts — email is the recovery mechanism for everything else. If your email is compromised, every other account is at risk.
Password manager master password: 6–8 random words as a passphrase, or 24+ random characters. This is the one password you must memorize, so a passphrase makes sense here.
Use our password generator to create passwords that meet these standards, then store them in a password manager so length is never a memorability constraint.
Try it yourself
Run the numbers with our interactive calculator — change any value and get instant results.
Open calculatorThis article is for informational and educational purposes only. Always verify calculations that matter with a qualified professional.