Password Length vs Complexity: What is More Important?
When creating a new password, users are often faced with a dilemma: should they craft a shorter password packed with special characters like !@#$, or should they create a very long password using mostly letters? In the ongoing debate of Length vs. Complexity, modern cryptographic standards have a clear winner.
The Mathematics of Brute Force
To understand what keeps your accounts secure, we must understand how attackers break in. A brute-force attack involves a computer program guessing every possible combination until it finds the correct one.
The number of possible combinations is calculated as [Number of Possible Characters] ^ [Password Length].
- An 8-character password with high complexity has about 72 quadrillion combinations.
- A 16-character password using ONLY lowercase letters has over 43 sextillion combinations.
The Case for Passphrases
This mathematical reality is why standards organizations like NIST now recommend very long passphrases instead of complex, short passwords.
A password like Tr0ub4dour&3 is difficult for a human to remember, but easy for a modern GPU to guess. Conversely, a 25-character phrase like correcthorsebatterystaple is easy to remember, but would take a supercomputer millions of years to crack.
The Ultimate Compromise
If you must remember it, choose extreme length. If a Password Manager remembers it, choose both! Use our Password Generator to generate a 20+ character string that includes all character sets.