Password Length Recommendation: The Ultimate Guide to Strong Passwords
Are Short Passwords Putting Your Online Security at Risk?
· Identity & Access Management
By Jan Brennenstuhl · 8min read
Today, digital security is more important than ever. With cyber threats on the rise, having strong, unique passwords is critical for protecting your accounts and data. Common sense among security researchers is, that longer passwords are more crucial than complicated ones. In this article, I’ll go into detail about the max password length recommendation, how it affects your digital security, and how to generate the most secure passwords available.
Password Length Recommendations
A Look into Password Length
Before we look at password guidelines and how to choose the right length, let’s go over why length is important. Longer passwords are generally more secure since they increase the number of possible combinations that a brute-force attack would have to try. To put it another way, the longer the password, the more time and effort it takes hackers to crack it.
The NIST Guidelines
The National Institute of Standards and Technology (NIST) released their latest password security standards as part of the digital identity guidelines in 2017. The NIST password guidelines recommend a minimum password length of 8 characters, but no maximum length is specified. Instead, NIST advises users to establish long, complex passwords that are easy to remember but difficult to guess for others. The European Union Agency for Cybersecurity (ENISA), the European NIST-counterpart, mentions in their report on Security Hygiene from 2020 that user generated passwords should at least have 12 characters.
Why No Max Length?
NIST does not advocate for a maximum password length because they believe it is more essential to focus on the complexity requirements and uniqueness of passwords. A longer password is generally considered more secure than a short one, independent of its characters, numbers, and symbols composition and whether it fulfils arbitrary password complexity requirements.
So, What’s the Ideal Length?
While NIST does not specify a maximum secret length, most cybersecurity experts agree that a unique password of 12 to 16 characters is sufficient for most common use-cases today. This length strikes a good balance between security and memorability. However, this is not intended to prevent service providers from allowing users to choose longer secrets – rather the opposite! According to OWASP, a common maximum length is 64 characters due to limitations in certain hashing algorithms. Imposing characters on users is actually considered bad practice.
Creating Strong Passwords
Complex Passwords & the Importance of Unpredictability
When it comes to creating a secure password, unpredictability is key. Avoid utilizing information that is easily guessed, such as names, dates, or common words and common passwords. Do not reuse passwords, but use a unique combination of lower- and uppercase characters, numerals, and special characters. Avoid sequential characters and use machine generated passwords! Make them longer!
Passphrases: A Password Manager Alternative
For people without any password managers at hand, it is hard to remember complex passwords. Passphrases are a good alternative to conventional passwords. They are composed of a series of random words, making them easier to remember but more difficult to crack, especially when combined with special characters to protect against dictionary attacks. For example, “Butterfly_machine/skyscraper_twilight” is a unique password that satisfies the password length recommendation. Always keep in mind however, that the only secure password is the one you can’t remember.
Use a Password Manager
Password managers are useful applications that can assist you in creating and storing complicated, one-of-a-kind passwords for all of your user accounts. They can create passwords that comply with strong password security recommendations and securely store them so you don’t have to remember them. My personal recommendation for password creation and secure storage is 1Password, but there are many useful alternatives out there!
Common Password Pitfalls
User created passwords are often too short. Many online platforms and services still apply password policies that are decades behind modern threat vectors, with outdated minimum password length requirements and composition rules. Often companies shy away from introducing any kind of additional friction in their sign-up or authentication process, enabling malicious actors to be successful with only few password attempts. Always make sure to use a complex password to minimize security risks.
One of the most common mistakes people practice with their passwords is to reuse passwords across several accounts. If a hacker cracks, guesses or brute-forces one password, they may be able to gain access to multiple accounts if the same password is employed by the user. Ensuring passwords are different for each account is key!
Writing Passwords Down
Writing down your passwords might seem to poses a significant security risk. If someone finds the written passwords, they can easily gain unauthorized access to your accounts. However, these security risks surely depend on your private threat model. For most common endusers, writing passwords down into a physical password vault is actually a great idea if it leads to more unique and long passwords being used. In any case, consider using a password management tool instead!
Ignoring Two-Factor Authentication
Multi-factor authentication (2FA) protects your accounts by adding an extra layer of security using passwordless authentication approaches. Even if someone guesses your most commonly used passwords, they’ll need to also get access to your 2FA method (such as a text message or an authentication app) to log in. Enable 2FA whenever it is available!
What is the Max Password Length Recommendation?
The max length recommendation refers to the best length for maximum security. Neither the NIST guidelines nor security researchers specify a maximum length – for good reason! A longish password is generally considered more secure. Most cybersecurity and password policy experts recommend to use secrets of at least 12 to 16 characters for the best balance of security and memorability. Arbitrarily short limitations of below 64 characters should not be imposed on users!
How does Password Length affect Security & Brute-Force Attacks?
The number of characters is important for passwords because it increases the number of possible combinations that an attacker must try in brute-force attacks. Every character added also increases time and effort required for password cracking (the recovery of hashed passwords with brute force). An 8-character password will take anywhere from a few minutes to a couple of hours to crack while a 16-character password will take a cracker years, which renders even offline attacks non-sustainable. A long password is also harder to guess.
What is a Passphrase & How is it different from a Password?
A passphrase is a string of random dictionary words that is used to create a safe password. Passphrases are typically longer and hence are considered more secure than regular, weak passwords, as well as easier to remember. They are a useful approach to create lengthy passwords and offer a higher level of security. Better use a secure password generator!
Why should I avoid Reusing Passwords?
Reusing passwords across multiple accounts is a dangerous practice because a single data breach can put all your other accounts at risk. If a malicious actor manages to crack one password, they can potentially access multiple accounts with the same password. It’s essential to use unique passwords for each account to protect your digital identity.
What is a password manager, and how can it help me?
A password manager is an app that allows you to create, save, and manage complex, unique passwords for all of your accounts. It can create passwords that adhere to best practices for password complexity and store passwords securely so you don’t have to remember them.
Finally, length is a critical attribute of password strength. You may dramatically improve the security of your accounts and data by creating strong passwords that are at least between 12 and 16 characters long, use a combination of character classes, numbers, and special characters, and avoid typical password problems. Don’t forget to think about utilizing passphrases or a secure password generator to make the procedure even easier and more secure.
Additional Tips for Strengthening Your Password Security
Now that we’ve covered the minimal and maximal password lengths and the necessity of creating secure passwords, let’s look at some extra ideas that help you boost your password security even further.
- No Need to Regularly Update Your Passwords – There is no need to change a strong password. There is no need for automatic password expiration. Changing your passwords every three to six months adds no security benefit and will not increase password protection. If you use complex passwords frequent password changes are simply unnecessary.
- Be Cautious with Password Recovery Questions – Password recovery questions might be a vulnerability in your account security because they frequently incorporate personal information that hackers can easily find. Don’t use any kind of recovery or security questions. If you have to, complain and if there is no way around it, choose questions with answers that aren’t readily available online or easily guessed.
- Monitor Your Accounts for Suspicious Activity – Check your accounts on a regular basis for any signs of unauthorized access or questionable behavior. If you discover anything out of the ordinary, change your password immediately and notify the service provider and proper authorities.
- Educate Yourself on Phishing Scams – Cybercriminals use phishing scams to lure you into disclosing sensitive information such as your passwords or personal information. Never click on strange links or download attachments from unfamiliar sources, and be wary of unsolicited emails, messages, or phone calls requesting your password or personal information.
- Use a VPN When on Public Wi-Fi – Using public Wi-Fi networks puts your data at risk of being compromised by hackers and other bad actors. When connecting to public Wi-Fi networks, use a Virtual Private Network (VPN) to protect your data and account security. A proper VPN adds an additional layer of encryption and ensures the privacy and security of your online activity.
Jan Brennenstuhl is a Principal Software Engineer at Zalando SE, balancing security with friction for their customers. He built an IAM team and brought single sign-on (SSO) to Europe's largest e-commerce fashion platform.