Why Password Length Matters More Than Complexity

Password complexity rules — requiring uppercase letters, digits, and special characters — have been a fixture of security policies for decades. Yet the research and guidance from major security institutions now consistently points to a different conclusion: password length is more important than complexity. This is not a minor refinement of existing advice; it represents a fundamental shift in how password security should be understood and communicated.

Understanding Password Entropy

Password strength is measured in bits of entropy — a mathematical expression of how unpredictable a password is. A password with n bits of entropy requires on average 2^(n-1) guesses to crack by brute force. The higher the entropy, the longer cracking takes.

Entropy is calculated as: H = L × log₂(N) where L is the password length and N is the size of the character set. Because length appears as a direct multiplier and character set size appears inside a logarithm, length has a much larger effect on entropy.

A Comparison by the Numbers

Notice that a 16-character all-lowercase random password (~75 bits) has more entropy than the 10-character mixed-character password (~65 bits). The longer password wins despite a much smaller character set.

Why Complexity Rules Backfire

Mandatory complexity requirements — at least one uppercase, one digit, one symbol — were introduced with good intentions. The problem is that they constrain how users create passwords without meaningfully increasing the search space, and they predictably lead to weak but compliant passwords.

When users are forced to include a special character, they overwhelmingly choose the same few options: an exclamation mark at the end, an @ symbol replacing "a", a zero replacing "o". These substitution patterns are well known to attackers and are included in all modern cracking wordlists. A password like Welcome1! technically satisfies most complexity requirements but would be cracked within seconds by a dictionary attack.

What NIST and NCSC Now Recommend

NIST's Digital Identity Guidelines (SP 800-63B) — the US federal standard for password security — explicitly recommends against mandatory complexity rules. The key points are:

• Require a minimum length of at least 8 characters (with higher minimums recommended for sensitive accounts).
• Allow all printable ASCII and Unicode characters rather than restricting character types.
• Do not require periodic password changes unless there is evidence of compromise.
• Check new passwords against lists of known compromised credentials.

The UK's NCSC guidance similarly prioritises length over complexity rules and recommends a "three random words" approach as a good practical default for most users.

Real-World Cracking Speeds in Context

Modern password cracking hardware (GPU clusters) can test billions of hashes per second for weak hashing algorithms. Even against better algorithms like bcrypt:

• An 8-character password from a 94-character set has ~52 bits of entropy. Crackable within hours against a poorly protected hash database.
• A 12-character random password has ~79 bits of entropy. Practically infeasible even against fast hardware.
• A 16-character random password has ~104 bits of entropy. Effectively unbreakable by brute force with any near-future computing.

Practical Guidance

The most effective approach to password security is:

1. Use a password manager to generate and store passwords.
2. Generate random passwords of 16+ characters for every account — complexity is a secondary concern.
3. Use a different password for every account to prevent credential stuffing.
4. Enable two-factor authentication as a second line of defence.

Use our free Password Generator to create long, random passwords instantly. For the full picture on what makes a password strong, see our article on What Makes a Strong Password in 2026.

Frequently Asked Questions