Most people pick passwords that are too short. A password like Tr0ub4dor feels complex, but it is a dictionary word with predictable substitutions, and at nine characters it falls within hours to a rule-based cracking run on modern hardware when the site stores it with a fast hash such as NTLM or unsalted MD5. Length is the single most important factor in password security.
The short answer
Use at least 16 characters for general accounts, and 20 or more for high-value accounts like email, banking, or password managers themselves. For anything you never need to type by hand, 24–32 characters is reasonable.
Why length matters more than complexity
Password cracking is a numbers game. Against a fast, unsalted hash, cracking tools test billions of guesses per second on commodity GPUs (a slow, salted hash such as bcrypt or Argon2 cuts that rate by orders of magnitude, which is why sites should use one). The number of possibilities is alphabet size raised to the power of length, so each extra character multiplies the attacker's work by the size of the alphabet, while widening the alphabet (adding symbols to a password of the same length) multiplies it by a much smaller factor. Crack time therefore grows exponentially with length and only polynomially with complexity.
To illustrate, assuming an attacker who can test 100 billion guesses per second against a fast hash (brute-force times are worst case over the character set the password actually uses):

| Password | Length | Brute force over its character set | Wordlist or rule-based attack |
|---|---|---|---|
| password | 8 chars | About 2 seconds | Instantly (on every common-password list) |
| P@ssw0rd! | 9 chars | About 2 months | Instantly (a dictionary word with predictable substitutions) |
| correct-horse-battery | 21 chars | Far longer than the age of the universe | Seconds (three common words, and a famous example phrase) |
| x9$Lm2!qKv#8nZ@w | 16 chars | Trillions of years | No shortcut: nothing to look up |

Adding a symbol to a short password helps less than simply making it longer. The passphrase row cuts the other way too: its 21 characters only count if the words were chosen at random, because an attacker who expects words guesses words, not characters.
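The arithmetic behind the table, as an added example that is not part of the original article. The guess rate of 1e11 per second is an assumption for a GPU rig against a fast unsalted hash; the character classes, the keyspace formula (alphabet size to the power of length) and the word-based estimate for the passphrase row are all computed rather than looked up, so you can substitute your own rate or passwords.

```python
import math
import string

# Added example, not from the original article. Assumption: the attacker runs
# 1e11 guesses per second, a plausible rate for a GPU rig against a fast
# unsalted hash such as NTLM. Against a slow hash like bcrypt or Argon2 the
# rate is thousands of times lower and every estimate below grows accordingly.
GUESSES_PER_SECOND = 1e11

# The character classes a brute-force attacker must include to reach a
# password. Together these are the 95 printable ASCII characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of standard classes that covers the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Keyspace of a character-level brute force, in bits: length * log2(alphabet)."""
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly at random from a list.
    The character count of the words plays no part: an attacker who knows the
    scheme enumerates word combinations, not characters."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace; the expected time is half this."""
    return 2 ** bits / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def brute_force_estimate(password: str) -> tuple[float, float]:
    """(bits, seconds) for a character-level brute force of this password."""
    bits = brute_force_bits(password)
    return bits, seconds_to_exhaust(bits)


if __name__ == "__main__":
    # The four passwords from the table above.
    for pw in ["password", "P@ssw0rd!", "correct-horse-battery", "x9$Lm2!qKv#8nZ@w"]:
        bits, secs = brute_force_estimate(pw)
        print(f"{pw:24} {len(pw):2} chars  alphabet {alphabet_size(pw):2}  "
              f"{bits:6.1f} bits  brute force: {human_time(secs)}")

    # Why the 21-character passphrase row is misleading: three common words
    # attacked as words, not characters. 7,776 is the size of a Diceware list.
    bits = passphrase_bits(3, 7776)
    print(f"correct-horse-battery as 3 words from a 7,776-word list: "
          f"{bits:.1f} bits, {human_time(seconds_to_exhaust(bits))}")
    # And what genuinely random words buy you at the same guess rate.
    for n in (4, 6):
        bits = passphrase_bits(n, 7776)
        print(f"{n} random Diceware words: {bits:.1f} bits, "
              f"{human_time(seconds_to_exhaust(bits))}")
```

Two things the output makes visible that the table does not: the 21-character passphrase has a larger brute-force keyspace than the 16-character random string (length wins), yet falls in seconds once the attacker switches to guessing words; and at this guess rate four random Diceware words hold for hours, six for tens of thousands of years, which is why a secret that can be attacked offline wants six.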
What the guidelines actually say
The US National Institute of Standards and Technology (NIST) updated its password guidance in 2024 to de-emphasise complexity rules and instead prioritise length. Their key recommendations:
- A required minimum of 8 characters (their floor; the 2024 draft also recommends a 15-character minimum)
- Support passwords up to at least 64 characters
- Stop requiring regular forced resets unless there’s evidence of compromise
- Stop requiring arbitrary complexity rules like “must include a capital and a number”
The shift is significant: NIST now says long, memorable passwords beat short, complex ones that get written on sticky notes.
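What a verifier that follows this guidance looks like in code, as an added example (not NIST's text or any library's implementation), with the old composition-rule policy beside it for contrast. The blocklist is a constructed stand-in for a real breached-password list, and the 128-character cap is a choice of this example; the guideline only requires that at least 64 be accepted.

```python
import unicodedata

# Added example, not NIST's or any library's code. Policy values follow
# SP 800-63B: an 8-character floor, at least 64 characters accepted, no
# composition rules, no scheduled expiry, and a blocklist of known-bad values.
MIN_LEN = 8
MAX_LEN = 128   # anything >= 64 satisfies the guideline; the cap keeps a slow
                # hash (bcrypt/Argon2) from becoming a CPU-exhaustion vector

# Constructed stand-in for a real breached/common-password list such as HIBP's.
BLOCKLIST = {"password", "p@ssw0rd!", "123456", "qwerty", "letmein",
             "correct horse battery staple", "tr0ub4dor&3"}


def normalize(password: str) -> str:
    """NFKC so the same text typed on different keyboards compares equal.
    Spaces are kept (passphrases need them) and nothing is truncated."""
    return unicodedata.normalize("NFKC", password)


def nist_check(password: str, context_terms=()) -> list[str]:
    """Reasons a verifier should reject this password; an empty list means accept.
    context_terms: username, service name and similar values a user predictably
    reuses; the guidance says these belong on the blocklist too."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    folded = pw.casefold()
    if folded in BLOCKLIST:
        reasons.append("on the blocklist of common or breached passwords")
    for term in context_terms:
        if len(term) >= 4 and term.casefold() in folded:
            reasons.append(f"contains context term {term!r}")
    # Deliberately absent: any "must contain an uppercase/digit/symbol" rule,
    # and any expiry date; NIST tells verifiers to drop both.
    return reasons


def legacy_check(password: str) -> list[str]:
    """The rule set NIST now tells verifiers to drop, kept here for contrast.
    The 20-character cap stands in for the low limits old systems often had."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 20:
        reasons.append("longer than 20 characters")
    if not any(c.isupper() for c in password):
        reasons.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        reasons.append("needs a digit")
    if not any(not c.isalnum() for c in password):
        reasons.append("needs a symbol")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: a random four-word passphrase and the table's P@ssw0rd!.
    for candidate in ["velvet spoon comet ridge", "P@ssw0rd!", "alice-2024-login"]:
        print(f"{candidate!r}")
        print("  NIST-style:", nist_check(candidate, context_terms=["alice"]) or "accept")
        print("  legacy:    ", legacy_check(candidate) or "accept")
```

The contrast is the point: the legacy policy accepts P@ssw0rd! (it ticks every box) and rejects the passphrase (too long, no uppercase, no digit), which is exactly backwards relative to how each fares against a cracking run.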
Does this mean complexity doesn’t matter?
Complexity still helps, but the benefit shrinks as the password gets longer. A random 20-character password made of only lowercase letters (about 94 bits) has more entropy than a random 9-character password using every character type (about 59 bits).
That said, once you’re using a password manager — which you should be — complexity costs you nothing. Generate long passwords that use uppercase, lowercase, numbers, and symbols. You never have to type them.
The passphrase option
A passphrase is a sequence of random words: celery-tulip-window-frost. These are long, easy to remember, and strong, but the strength comes from how the words were chosen, not from their character count. Four words drawn at random from a 7,776-word list (the size of a Diceware list) carry about 52 bits of entropy whatever their length, roughly the same as 8 random characters from the full keyboard and well above a typical human-chosen "complex" password. Four words is a floor: for a secret an attacker could grind on offline, such as a password manager's master password, use six words (about 78 bits).
The key word is random. "I love my dog" is not a strong passphrase: it is a sentence anyone might type, and cracking wordlists are full of such phrases. velvet-spoon-comet-ridge is strong because the words were drawn from a list by a generator (dice or a password manager), so an attacker who knows the list and the scheme still has to try every combination. Pick the words yourself and you reintroduce the patterns the attack exploits.
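A generator that does the choosing for you, as an added example (not the article's or any password manager's code). The 32-word list is constructed so the block runs offline; the sizing functions are what you would use with a real list, and the lead-in assumption is that a list of several thousand words, such as the 7,776-word EFF long list, is substituted in practice.

```python
import math
import secrets

# Added example, not from the original article or any password manager.
# Constructed 32-word list so the block runs offline; a real generator uses a
# list of several thousand words (the EFF long list has 7,776 entries), which
# is what the entropy figures in the article assume.
WORDS = [
    "velvet", "spoon", "comet", "ridge", "celery", "tulip", "window", "frost",
    "anchor", "basil", "cactus", "dune", "ember", "falcon", "gravel", "harbor",
    "ivory", "jigsaw", "kettle", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "raven", "saddle", "timber", "umbrella", "violet", "walnut", "zephyr",
]


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly at random from a list of that size."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int = 4, wordlist=WORDS, sep: str = "-") -> str:
    """Draw each word with the OS CSPRNG via the secrets module, never random.choice.
    Draws are with replacement: a repeated word is allowed, which keeps every
    combination equally likely and the entropy exactly n * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for n in (4, 6):
        print(f"{n} words from this {len(WORDS)}-word list: {generate_passphrase(n)} "
              f"({passphrase_bits(n, len(WORDS)):.0f} bits)")
        print(f"{n} words from a 7,776-word list: {passphrase_bits(n, 7776):.1f} bits")
    print("words needed for 77 bits from a 7,776-word list:", words_needed(77, 7776))
```

Two design points: `random.choice` is seeded from a predictable generator and must not be used for secrets, which is why the block uses `secrets`; and a human "fixing" a generated phrase by swapping in a word they like undoes the uniform draw, so the generator's output should be taken as-is.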
Practical recommendations
- Use a password manager and generate passwords of 20+ random characters for every account
- For your password manager master password, use a long, memorable passphrase
- For PINs and anything you must memorise, favour length over complexity
- Never reuse passwords — a breach of one account should not compromise others