Password Length vs Complexity & What It Really Means

Have you ever had a debate with a friend and then realized suddenly that you're both saying the same thing from different angles?

This week, the topic of passwords came up in my life and the "length matters more than complexity" advice was once again offered. Every time this topic comes up, I struggle to wrap my head around it. Once I understand it, I realize it's not entirely true. But this week, I realized that there's a deeper lesson underneath it. (Not to sound overly dramatic or anything.)

So in this blog post, I want to unpack this latest piece of cybersecurity wisdom, dispel some myths around it, and talk about my latest epiphany.

Password vs Passphrases

Let's start by recapping what makes a "good" password.

The answer depends on who you ask.

Starting in 2004, the National Institute of Standards and Technology (NIST) recommended that a "good" password consist of uppercase and lowercase letters, numbers, and special characters. They didn't specify a minimum length, so other organizations offered recommendations ranging from 8 characters to 15.

Last year, however, NIST updated their guidance, shifting the focus onto making passwords long instead of complex. The official recommendation is now that passwords should be at least 12 characters long, and complexity (like mixed case, numbers, and special characters) should not be required. This new advice is being parroted in the privacy community, often as a rebuttal when you try to push the 2004 advice.

But it's important to look at the reasoning for this change.

The goal of a "good" password - in any form - is basically to prevent cybercriminals from being able to guess it. In the past, this meant a heavy focus on complexity. Unfortunately, people started creating very predictable and easy-to-remember passwords that met the letter of this requirement but not the spirit:

  • Pass@123
  • P@ssw0rd
  • Aa@123456
  • Admin!123

(These appear in Nord's Top 200 Most Common Passwords, all in the top 20 and all meeting the previous NIST recommendations.)

This is a problem because there are tools explicitly dedicated to guessing passwords. You can load entire dictionaries into them (such as common password lists like these or literal dictionaries) and they're designed to detect common variations (@ or 4 instead of a, for example). So suddenly, P@ssw0rd is an easily-detected variation of password, a word that would appear in any dictionary.

And this is why NIST is changing tactics: instead of complexity, what if we tell people it's okay to have memorable passwords that are really long?

But Why Length?

We measure password strength in entropy. This is an objective measure (in bits) of how difficult a password is to guess, based on both password length and how many possible characters are available (uppercase letters, lowercase letters, numbers, and special characters). Another way to describe entropy is that it's a measure of how guessable your password is.

An ideal password under NIST's old guidelines has about 50 bits of entropy on average.

5ZRcx!GT = 49 bits

A password under NIST's revised guidelines has only slightly more.

hated dimmer = 56 bits

Still, those few bits make a difference. The 49-bit password can be cracked in 3 days. The 56-bit one would take almost a month.
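As an added example (not code from the original post), here is the "length times alphabet" entropy model described above, next to the kind of leet-substitution dictionary check that the cracking tools mentioned earlier perform, written from the defender's side as a password-policy checker. The character-class sizes, the substitution table, the mini wordlist and the guess rate are my own assumptions, and the naive bit counts reproduce the post's figures for several of its example passwords.

```python
import math
import string

# Character classes of the simple "length x alphabet" model the post uses (assumed sizes).
CLASS_SIZES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    ({" "}, 1),
    (set(string.punctuation), 32),
]

# Substitutions cracking tools try, reversed here so we can undo them. Assumed, not exhaustive.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for a real dictionary or common-password list.
WORDLIST = {"password", "pass", "admin", "welcome", "letmein"}

def alphabet_size(password):
    """Sum the sizes of every character class the password actually uses."""
    return sum(size for chars, size in CLASS_SIZES if any(c in chars for c in password))

def entropy_bits(password):
    """Naive strength estimate: length * log2(alphabet), rounded down."""
    if not password:
        return 0
    return math.floor(len(password) * math.log2(alphabet_size(password)))

def crack_time_seconds(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second

def dictionary_hit(password):
    """Return the base word if the password is just a known word with leet
    substitutions and/or digits or symbols tacked on the ends, else None."""
    core = password.strip(string.punctuation + string.digits)
    for candidate in (password, core):
        word = candidate.translate(LEET).lower()
        if word in WORDLIST:
            return word
    return None

if __name__ == "__main__":
    # P@ssw0rd scores like a random 8-character string, yet is a one-word dictionary hit.
    for pw in ["P@ssw0rd", "Admin!123", "mottodiscuss", "This Is Really Silly"]:
        print(pw, entropy_bits(pw), "bits, dictionary word:", dictionary_hit(pw))
```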

It's also worth noting there's a bit of unspoken intention with this new guidance:

  1. NIST hasn't placed any restrictions on numbers or special characters. Users are still free to use them if they want.
  2. NIST is assuming a minimum length, but not a maximum.

What this means is that NIST is hoping that users won't just pick two random words that happen to be 12 characters long. NIST is hoping users will pick much longer passwords, even if they're not random.

For example, let's say I'm frustrated by this whole "pick a password business" but the IT guy at work informs me of the new rules: no special characters, no numbers, whatever you want, just make it long. So out of frustration I decide my new password is This Is Really Silly.

This Is Really Silly = 114 bits, centuries to crack.

That's already orders of magnitude better than my two-word randomly-generated password, let alone my complex 8-character password. (If I get really frustrated and add an exclamation point to the end - This Is Really Silly! - the entropy increases to 125 bits.)

Did I Prove Myself Wrong?

Not really.

For starters, because entropy is a product of both length and complexity, a password that is both long and complex will always win.

@zH4SjsTf26s = 76 bits

mottodiscuss = 56 bits

Both of these passwords meet NIST's 12-character minimum, but mottodiscuss would take a mere 11 minutes to crack while @zH4SjsTf26s would take 2 years.

In fact, in further tests, the 12-character complex password still has significantly more entropy compared to simply adding one more character, even if that character is from a different character set like a number.

mottodiscusss = 61 bits

mottodiscuss2 = 67 bits

(In my testing, I have to add 3 extra s's to get close to the complex password's entropy, 77 bits.)

Now it should be noted that calculating entropy is complex. For example, both of those 13-character passwords would take 9 hours to crack, exponentially increasing their security over the original 11 minutes.

However, I think my overall point is made: the complex password adds significantly more entropy than pure length alone. My This Is Really Silly example only worked so well because it technically had complexity too: uppercase, lowercase, and special characters. (For context: thisisreallysilly = 79 bits, 5 days.)

Length is clearly the "easy button" to make passwords more secure, but it's clearly not the only way, nor is it quite that simple. There's nothing wrong with complex passwords that makes long passwords the superior choice (with one exception, that I'll touch on momentarily).

Jonah at Privacy Guides argues that passphrases have a slight edge in case you ever need to type them in, but I could equally argue that complexity has the edge since a data breach exposing the hashes is exponentially more likely. We both make good points, in my opinion, and neither of us is wrong.

Not Like This Matters

Now let's get down from our ivory towers of academia and math to point out that this is all irrelevant anyway.

Whether NIST's new guidelines are better or not, the vast, overwhelming majority of websites and services these days still have strict requirements based on years of previous advice.

It's incredibly rare - nonexistent, for all intents and purposes - to find a website that won't require at least one uppercase, one lowercase, one number, and one special character, all over a certain length.

Some of them require more. Some of them have rules about what special characters you can use. But I have yet to find a website anywhere that simply says "yeah dawg, go nuts. Use whatever kind of password you want." I'm sure they're out there, but there's not a doubt in my mind that they're the minority.

Maybe someday websites will relax their rules. Probably not.

Except When It Does Matter...

It's also worth noting that the average person has over 100 online accounts. NIST's updated password guidelines explicitly highlight password reuse as a serious problem. Of course, very few people can remember hundreds of unique passwords, even if we do use this "length over complexity" advice to create more easily-memorable-yet-still-secure passwords. Thankfully NIST still strongly advocates for the use of password managers.


Long-time privacy enthusiasts know where this is going: of course you have to be able to remember your master password to get into your password manager (or devices). This is where we often recommend a passphrase - a sequence of random words - instead of a complex password.

A long, random passphrase of at least 4 words is - in terms of entropy - just as secure as (if not more secure than) a "good," complex password, but can be easily memorized.

bottlinghappierdividablecaramel = 145 bits, centuries

This passphrase - which meets the bare minimum recommendation - still has significantly more entropy than a 15-character complex password but can be easily memorized. We can further increase the entropy - and make it easier to read - with capitalization.

BottlingHappierDividableCaramel = 176 bits, centuries

Hell, throw in a number and a symbol if it makes you feel better. Won't hurt.

Bottling3HappierDividable@Caramel = 211 bits, centuries

You could even use a phrase you're familiar with, like the aforementioned This Is Really Silly! or Physics Isn't Real?, assuming that the service in question allows those special characters (just beware that well-known popular phrases like movie quotes or song lyrics could potentially appear in dictionary attacks).

So in this case - where it's a password you have to remember, such as device login or password manager master password - it makes sense to focus on length because it has to be both memorable and secure.

However, in all other cases, you should be saving your passwords in your password manager, and at that point I would argue complexity should be the emphasis since:

  1. You don't need to remember those passwords.
  2. You'll probably still need to comply with various complexity requirements.
  3. We've already proven that if lengths are equal, complexity has the security edge.

(Just make sure you're still meeting the 12-character minimum.)


The Full, Ironic Circle

We're now right back where we started:

  • Even if websites did suddenly become NIST-compliant, people would still have too many accounts to remember.
  • When using a password manager, complexity is preferred since memorability isn't an issue.
  • Easy-to-remember but secure (aka "long") passphrases are really only necessary for logins people have to remember - such as devices or password manager master passphrases.

This is the same advice we already give. NIST's updated advice is an attempt at harm reduction, and personally I applaud that, but it doesn't actually change the actionable advice for the everyday user "in the trenches."

The Lesson

In my experience, life is often a pendulum swinging back and forth between extremes.

For example, there's a lot of junk privacy and security advice floating around out there, such as "VPNs will make you anonymous and secure." Neither of those is true, of course, but often in our attempts to dispel these myths the privacy community overcorrects and goes into "VPNs are useless" territory. The truth lies somewhere in the middle: VPNs can offer a layer of protection, but it's grossly overstated and there are other things that offer bigger and more immediate returns (this is why VPNs are the last page on my website).

You can go for the longer passwords if you want to. I'm not telling you not to. What I am saying is that the modern blanket "length is really what matters" is an oversimplification, lacking nuance, and swings the pendulum too far in reaction to old, outdated advice.

One podcaster I enjoy often says "the internet is where nuance goes to die," but everyone has a unique threat model and the goal of any privacy or security education should be to give people the knowledge and skills to make the choices that are right for them (hopefully without drowning them in information overload).

As a community, I think it's fantastic that we push back on outdated advice. This research even prompted me to update The New Oil this week to reflect all this new information now that NIST has formalized these updates. But we need to be careful not to push too far in the other direction and oversimplify things. The nuance is what will make people ultimately smarter, more privacy/security-literate, and more equipped to pick the right tools and strategies for them.
