How long should your password be?

For decades, information security experts have tried to get people to create stronger passwords by requiring a minimum length (usually eight characters), plus at least one capital letter, one number, and one special character (like @, #, or !). This strategy is now widely considered to be a failure. Many people simply created an obvious variation of their previous password. “Letmein1!” is as easy for a computer to crack as “letmein”, even though it’s longer and more complex.

This goes to show that there are multiple elements that factor into how strong your password is. Length is one of them. In this article, we’ll explain some concepts you should consider when creating a password, as well as some guidelines for how long your password should be.

Ways to crack a password

First, you should understand something about how hackers steal passwords. Bad guys typically begin trying to crack a password by using a dictionary attack. A dictionary attack works by drawing on a massive database of dictionary words, real passwords exposed in previous data breaches, names, as well as common combinations (such as last name + first name + date) and substitutions (like “@” instead of “a”). To get an idea of what kind of data hackers can glean from a password leak, check out this report.

If a dictionary attack fails, the hacker will have to use a brute force attack. This type of attack is much slower because it means the computer will go through every possible combination of characters, one by one. Some computers can guess hundreds of billions of passwords per second.

Keep in mind, hackers generally are not trying to guess your password at the login page of your online account. Instead, they will usually attempt dictionary or brute force attacks on a database of hashed passwords stolen from a company’s servers. There are various ways companies can hash passwords to bog down the process for hackers, which can help keep your plaintext password secure. But it’s better to create a strong password yourself rather than  place all your trust in the cybersecurity practices of a website.

How to prevent brute force attack

There are two ways to make it more difficult for someone to brute force your password: make your password longer (by using more characters), and make it more complex (by using a greater variety of character types, like numbers and capital letters). Note, however, that length is much more effective than complexity at preventing a brute force attack.

Every additional character in a password increases the length of time it would take a supercomputer to guess your password by an order of magnitude, even if you only use lower-case letters. Adding complexity also helps because it will broaden the set of characters the computer has to check, but not by nearly as much.

There are online calculators that claim to tell you how long it would take a computer to crack your password. These are not precise because of all the variables involved, such as computing power and the hash used. But they can serve to illustrate a key point about password length: a six-character random-generated password using a mix of character types would take seconds to crack, whereas a 10-character password with only lower-case letters could take several years.

Why a long password isn’t always better

Brute force attacks are not very efficient and can be easily thwarted by merely creating a longer password. That’s why dictionary attacks are a more efficient way to crack passwords. Dictionary attacks take advantage of human weaknesses, like predictability and poor memory. The need to remember passwords leads users to choose simple passwords, which are also easy to guess.

With dictionary attacks, therefore, length can be a misleading measure of password strength. For example, “F3rnand3zJ@nu@ry1983” looks like it could be a very strong password because it contains lots of numbers, capital letters, and special characters. But this password would probably be cracked in a dictionary attack: It’s just a last name, a month, and a year. The algorithm could easily look for predictable character substitutions and capitals.

How long should your password be?

The length of your password primarily depends on whether you’re using a password with random characters or one with a series of words.

If you want to create a strong password using a series of words (a “passphrase”), most info security firms recommend using at least four words that aren’t very common. As more people switch to passphrases, however, hackers will get better at cracking them.

If you’re using a password composed of random characters, about 15 should put it out of reach of modern computing capabilities. However, we don’t recommend using random-character passwords unless you’re using them with a password manager, which will help you generate and store them securely. That way you don’t have to remember them or write them down, and they will be unique.

If you use a password manager, we recommend using a long passphrase as your master password and generating a unique random password for each account, relying on the default settings for length and complexity (usually 20 characters, with a few numbers and special characters).

This article is part of a series we’re publishing on strong passwords. Check back to our blog, follow us on Twitter, or subscribe to our subreddit to stay in the loop on all our cybersecurity advice.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

About the Author

Ben Wolford

Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.


Comments are closed.

14 comments on “How long should your password be?

  • Mentions and links to kaspersky company!? This company cooperates with the Russian government.
    This is unacceptable for a company that is engaged in information security like ProtonMail!

    • We don’t have a release date yet as it requires us to make some changes to the domains that we use. We will try to do it this year though.

  • Ben,

    Hello! Excellent article!

    Another way to create a password is to combine what you suggested with some custom rules. For instance, according to website’s domain or language, or type, and then give values to those items. Let’s say something for take the second, the later and the former character of the domain [wrt], add it “A99.+” if it’s available in your language, otherwise use “Z00.-” [wrtA99.+], if it’s a social network, add it “_$0cN3t_” and you’ll get something like: wrtA99.+_$0cN3t_. This is just a simple example. Possibilities are endless.

    By the way, I think How Secure Is My Password is much more accurate than Kaspersky Lab’s Secure Password Check. I know people that uses 2 SLI’ed NVIDIA GeForce GTX 1080 Ti OC Edition graphics cards to hashcat passwords and the HSIMP website’s results are kinda closer to reality. The Kaspersky Lab one is too optimistic/naïve.

    Best regards!

  • I am not a fan of online password managers that live in your browser. If I steal your laptop, I can disable your LastPass and lock you out if it in a relatively short time. What I DO recommend is something like Bluink Ltd’s Blueink Key. This app keeps your passwords in an end-to-end encrypted cloud that is also zero knowledge and works by sending your password from your smartphone to your computer via bluetooth. Stealing your laptop is of no use if I also do not have the bluetooth dongle AND your phone.

  • Good article but I don’t understand why Protonmail doesn’t provide a password safe function. Hope this service will be provided this year. So far… cheerio :)

  • Hey, thank you very much for the information! Is there a way I can get more info on the matter? So I can make a post on my local university about this? Thank you very much in advance!

  • I love the quality of your email service. If I needed a VPN, I’d definitely try yours. A VPN, to me, needs to at least use OPENVPN, with encryption, a tunnel,AND, use a different protocol and port number. The ability to change servers and countries is important.With a decent firewall and as mentioned above, I feel safer than with anything else. Personally, I have nothing to hide, and all I want is to not have my information stolen or my machines hacked. I was using the opera browser until the Chinese bought it. Now, I use Brave, which seems secure and super fast. And, I use linux, of course. The only motherboard NOT made in China now is gigabyte, so all the others have a security issue..Thanks for an exellent service.