How long should a password be?
- What is a strong password?
- Minimum password length: 14 to 16 characters or more!
- Is the longest password always best?
- Do I need to use numbers, capital letters, and special characters?
- Randomness: The key to a unique password
- Mitigating the risks for password security when deciding how long a password should be
- Strong password best practices
- How can I manage unique and strong passwords for every account?
- Get started with Bitwarden
Passwords are everywhere these days: email accounts, bank accounts, social media accounts—the list goes on! Utilizing strong passwords across all platforms will keep your information safe from bad actors who want to use your private information for nefarious purposes like identity theft or financial fraud.
Strong passwords are a cornerstone of robust online security. But what exactly makes a password strong? A complex password is a unique combination of characters, numbers, and special symbols that is difficult for hackers to guess or crack using brute force attacks. A strong password should be at least 14 characters long, though 16 or more is recommended for added security.
Moreover, a strong password should be unique and not reused across multiple accounts. This uniqueness ensures that even if one account is compromised, other accounts remain secure. Creating a strong password significantly reduces the risk of unauthorized access to online accounts.
Experts agree that length is a critical element of password strength. The Cybersecurity & Infrastructure Security Agency (CISA) recommends that passwords should be “Long—at least 16 characters long (even longer is better).” The National Institute of Standards and Technology (NIST) states in its future 2024 Digital Identity Guidelines:
“Password length is a primary factor in characterizing password strength. Passwords that are too short yield to brute-force attacks and dictionary attacks. The minimum password length required depends on the threat model being addressed. Online attacks in which the attacker attempts to log in by guessing the password can be mitigated by limiting the permitted login attempt rate. To prevent an attacker (or a persistent claimant with poor typing skills) from quickly inflicting a denial-of-service attack on the subscriber by making many incorrect guesses, passwords need to be complex enough that a reasonable number of attempts can be permitted with a low probability of a successful guess, and rate limiting can be applied before there is a significant chance of a successful guess … Users should be encouraged to make their passwords as lengthy as they want, within reason.”
Use the Password Strength Test chart below, based on the Bitwarden Password Strength Generator, to guide your password decisions.
The longer a password is, the harder it is to crack using brute force algorithms. However, the length of your password often depends on the website or service and their password acceptance policies. While 14 to 16 random characters will provide great security, more characters won’t hurt. However, some websites limit password length, so you may need to adjust accordingly.
Bitwarden Password Manager can auto-generate and securely store complex passwords up to 128 characters. If you need an even longer password or an SSH key, those can be stored in a Custom Field or a Secure Note.
Some websites and services require numbers, capital letters, and special characters. A broader spectrum of letters plus numbers, capital letters, and special characters will increase complexity and strengthen your passwords. It is also recommended that the mix of characters be completely random and unrelated to your personal information.
The four character sets are:
- Numerical characters such as 12345
- Lowercase letters such as abcde
- Uppercase letters such as ABCDE
- Special characters such as !$%&?
A password consisting exclusively of numerical characters has only ten possible options for each character (0 – 9). If a password is six numerical characters in length, a hacker can attempt one million possible combinations (10 x 10 x 10 x 10 x 10 x 10).
However, a six-character password consisting of numbers and lowercase letters has thirty-six options for each character (0 – 9 plus a – z). Now, rather than one million possible combinations, 2,176,782,336 possible combinations exist for a six-character password. Password managers take manual math out of the equation, so all you need to do is generate a unique password.
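The arithmetic above generalizes to any mix of character sets and any length. The following added example (not Bitwarden's code) computes the keyspace, the equivalent entropy in bits, and how long an attacker would need to try every combination at an assumed guess rate. The guess rate of ten billion per second and the size of the special-character set (Python's 32 `string.punctuation` symbols) are assumptions for illustration.

```python
import math
import string

# Sizes of the four character sets named in the article; the special-character
# count is an assumption based on Python's string.punctuation (32 symbols).
CHARSET_SIZES = {
    "digits": 10,                        # 0-9
    "lowercase": 26,                     # a-z
    "uppercase": 26,                     # A-Z
    "special": len(string.punctuation),  # 32 ASCII punctuation symbols
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength of a uniformly random password, expressed in bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every combination at the given (assumed) offline guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def alphabet_size(*sets: str) -> int:
    """Combined size of the named character sets, e.g. alphabet_size('digits', 'lowercase') == 36."""
    return sum(CHARSET_SIZES[name] for name in sets)


def compare(length: int, guesses_per_second: float = 1e10) -> list:
    """Tabulate the article's progression: digits only, digits+lowercase, all four sets."""
    rows = []
    for sets in (("digits",), ("digits", "lowercase"),
                 ("digits", "lowercase", "uppercase", "special")):
        size = alphabet_size(*sets)
        rows.append({
            "sets": "+".join(sets),
            "alphabet": size,
            "keyspace": keyspace(size, length),
            "bits": round(entropy_bits(size, length), 1),
            "years": years_to_exhaust(size, length, guesses_per_second),
        })
    return rows


if __name__ == "__main__":
    for length in (6, 14, 16):
        print(f"--- length {length} ---")
        for row in compare(length):
            print(f"{row['sets']:<36} alphabet={row['alphabet']:<3} "
                  f"keyspace={row['keyspace']:.3e} bits={row['bits']:<6} "
                  f"years={row['years']:.3e}")
```

Running it shows why length dominates: going from 6 to 16 characters multiplies the keyspace by far more than adding every character class does at a fixed length, which is the point the article's 14-to-16-character recommendation rests on.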
Determining how long a password should be is important, but a password’s overall randomness also contributes to better password security. Passphrases are an easy way to achieve random and unique passwords. Using a passphrase helps by combining memorable words or phrases known to the user but less recognizable by hackers. Here’s an example of a randomly generated passphrase using the free web-based Bitwarden Password Generator:
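As an added example (not Bitwarden's generator or code), the block below builds a passphrase from a word list with Python's `secrets` module, which draws from the operating system's CSPRNG rather than `random`, and reports the resulting entropy. It also generates a random character password that satisfies the "must contain each class" rules some sites impose. The small word list is constructed for the demonstration; the 7776-word figure used in the usage note is the size of the EFF long word list and shows why a real list must be large.

```python
import math
import secrets
import string

# Constructed sample word list for the demonstration only; a real passphrase
# generator uses a list of thousands of words (e.g. EFF's 7776-word list).
WORDLIST = [
    "anchor", "basil", "canyon", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "zephyr",
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def generate_passphrase(words: int = 4, separator: str = "-", wordlist=WORDLIST) -> str:
    """Join `words` words chosen uniformly at random (CSPRNG) from `wordlist`."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase: each word contributes log2(wordlist_size) bits."""
    return words * math.log2(wordlist_size)


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Random password over `alphabet`; resamples until every character class
    present in `alphabet` appears at least once (for sites that require a mix).
    Rejection sampling keeps the distribution uniform over the accepted set."""
    required = [cls for cls in CHARACTER_CLASSES if any(c in alphabet for c in cls)]
    if length < len(required):
        raise ValueError("length too short to hold every required class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def has_all_classes(password: str) -> bool:
    """True if the password contains lowercase, uppercase, a digit and a punctuation symbol."""
    return all(any(c in cls for c in password) for cls in CHARACTER_CLASSES)


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase, f"({passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits from this tiny list;"
                  f" {passphrase_entropy_bits(4, 7776):.1f} bits from a 7776-word list)")
    print(generate_password(16))
```

With the 24-word constructed list, four words give only about 18 bits, which is why the list size matters as much as the word count: four words from a 7776-word list give about 51.7 bits, and six words give about 77.5 bits.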
Another way to create a strong password is to avoid commonly used dictionary words or repeated or sequential characters, such as “secret.” Likewise, some very long passwords appear in password dumps with remarkable frequency.
One such password is “1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/,” which, despite being thirty-four characters in length, would be among the first couple of thousand attempts in a brute force attack (you will see why if you look at your keyboard). Lots of math can come into play, but longer passwords built from more varied, random characters are generally stronger.
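The keyboard-walk password above is long but predictable because its characters follow straight lines on the keyboard, and the same goes for dictionary words and repeated or sequential characters. The added example below (not Bitwarden's Password Strength Tester or code) is a small checker that flags those patterns in a candidate password, the kind of check a strength meter runs before reporting a score. The US QWERTY layout it derives walks from and the tiny list of common words are assumptions constructed for the demonstration.

```python
# Constructed mini dictionary for the demonstration; a real checker uses a full
# word list or a corpus of breached passwords.
COMMON_WORDS = {"secret", "password", "welcome", "letmein", "dragon", "monkey"}

# Assumed US QWERTY layout, rows left to right. Column walks such as "1qaz" and
# "2wsx" fall out of reading the rows top to bottom at the same index.
QWERTY_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

MIN_RUN = 4  # shortest window treated as a walk or sequence


def keyboard_walks() -> list:
    """Every straight-line walk on the layout: each row, each column, and their reverses."""
    width = max(len(row) for row in QWERTY_ROWS)
    columns = ["".join(row[i] for row in QWERTY_ROWS if i < len(row)) for i in range(width)]
    walks = QWERTY_ROWS + columns
    return walks + [w[::-1] for w in walks]


WALKS = keyboard_walks()


def find_weak_patterns(password: str) -> list:
    """Return human-readable findings for predictable structure in `password`.
    An empty list means none of the checked patterns was found."""
    findings = []
    low = password.lower()

    # 1. Dictionary words embedded anywhere in the password.
    for word in sorted(COMMON_WORDS):
        if word in low:
            findings.append(f"dictionary word: {word}")

    # 2. The same character repeated three or more times in a row.
    run = 1
    for prev, cur in zip(low, low[1:]):
        run = run + 1 if prev == cur else 1
        if run == 3:
            findings.append(f"repeated character: {cur * 3}")

    # 3. Sliding window: ascending/descending sequences (abcd, 4321) and keyboard walks.
    seen = set()
    for i in range(len(low) - MIN_RUN + 1):
        window = low[i:i + MIN_RUN]
        if window in seen:
            continue
        seen.add(window)
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            findings.append(f"sequential run: {window}")
        elif any(window in walk for walk in WALKS):
            findings.append(f"keyboard walk: {window}")
    return findings


if __name__ == "__main__":
    for candidate in ("secret", "aaaaaa", "abcdef12", "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/",
                      "K7#pQ2!mZ9@vR4&x"):
        print(f"{candidate!r}: {find_weak_patterns(candidate) or 'no weak patterns found'}")
```

The last candidate is a constructed random string and produces no findings, while the forty-character keyboard walk is flagged at its very first window; length alone tells you nothing if the characters are predictable.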
Brute force attacks are not the only reason for account hacking. Successful phishing attacks are a common cause of data breaches, and the easier it is to remember a password, the easier it is to disclose it to an unauthorized party. Further exacerbating this threat is if the same password is used for multiple accounts to save someone from remembering various login credentials. A recent report demonstrates how common this poor practice is by revealing that 84% of respondents continue to reuse passwords across multiple sites.
You can easily build strong passwords using the Bitwarden Password Generator, a free and secure online tool designed to generate unique passwords for every account with customization options to support any site’s password policies. Additionally, you can test the strength of new or existing credentials with the free Password Strength Tester.
To keep your online accounts secure, following best practices for password security is essential. Here are some tips to help you safeguard your digital life:
- Use a secure password manager: Password managers can generate and store unique, strong passwords for online accounts. This saves you from the hassle of remembering multiple passwords. Opt for a password manager that encrypts all information stored in your vault and offers data breach reports.
- Avoid reusing passwords: Using the same password for multiple accounts is risky. If one account is compromised, all your accounts using that password are at risk.
- Enable multifactor authentication (MFA): Whenever available, enable MFA to add an additional layer of security to your accounts. This involves a second form of verification, such as a text message or authentication app, which can prevent unauthorized access to your account even if someone were to discover the password.
- Opt for longer passwords: Aim for a password length of at least 14 characters, but 16 or more is recommended. Longer passwords are generally harder to crack.
- Avoid weak passwords with easily guessable information: Steer clear of using easily guessable information such as your name, birthdate, or common words. Hackers can easily find this information and use it to guess weak passwords.
- Use a mix of characters: Create strong passwords using uppercase and lowercase letters, numbers, and special symbols. This increases the difficulty for anyone trying to guess your password.
Following these best practices can significantly enhance your password security and protect your online accounts from potential threats.
A password manager like Bitwarden helps generate and store unique and strong passwords for each account. The benefit of storing passwords in a password manager is that they are encrypted, hashed, and salted to prevent unauthorized access – far safer than storing passwords in plain text in Word documents or Excel spreadsheets!
Bitwarden offers a password management solution with a built-in generator across all client applications, including browser extensions, mobile and desktop apps, the web vault, and the CLI.
Ready to level up your cybersecurity with Bitwarden Password Manager? Sign up today for a free Bitwarden account, or start a 7-day free trial of our business plans so your team and company colleagues can stay safe online. Still have questions? Check out the live weekly demo to speak directly with the Bitwarden team.