How Long Should a Password Be?

← Back to Blog

How Long Should a Password Be?

· 6 min read

Why 8-Character Passwords Are Obsolete

Ten years ago, an 8-character password was considered a sufficient minimum. But with GPU computing power advancing rapidly, a modern graphics card can now attempt tens of billions of MD5 hashes per second. Against this computing power, an 8-character password — even with special characters — can be cracked within hours.

In 2023, security researchers unveiled a cracking rig using eight RTX 4090 GPUs capable of attempting over 300 billion bcrypt hash variants per second. This means even modern slow-hashing algorithms offer diminishing protection for short passwords. Password length standards must continually evolve alongside hardware capabilities.

Recommended Password Length by Scenario

Here are password length recommendations based on the 2025 threat model:

• Minimum (general accounts): 12 characters — for forums, shopping sites; ~78.8 bits entropy with full character set
• Recommended: 16 characters — suitable for most daily accounts; ~105 bits entropy with comfortable safety margin
• High-value accounts: 20+ characters — banking, email, work accounts; ~131 bits entropy
• Password manager master password: 25+ random characters or 5–6 random word passphrase
• Disk encryption: 6–7 random word passphrase (must be memorized and typed manually)

Length vs Complexity: A Simple Math Comparison

Many people believe password "complexity" matters more than "length." The math reveals the truth: with a character set of 95 (all printable ASCII), each additional character expands the password space by 95× (~6.57 bits). Expanding the character set from 26 lowercase letters to 95 full characters adds only ~1.87 bits per character (from 4.7 to 6.57). Length has a far more significant impact on security.

Practical example: a 16-character all-lowercase random password (entropy ≈ 75.2 bits) is slightly weaker than a 12-character full-ASCII random password (entropy ≈ 78.8 bits), but vastly stronger than an 8-character full-ASCII password (entropy ≈ 52.6 bits). Adding 4 characters provides a larger boost than adding all special characters.

The Problem of System Password Length Limits

Frustratingly, many websites and systems still cap password length — some as low as 8 or 16 characters. This practice is a security regression. NIST SP 800-63B recommends systems should allow at least 64-character passwords. If you encounter a system that limits passwords to 16 characters or fewer, that itself is a security red flag.

When a system forces a length cap, use the maximum allowed length and be sure to enable multi-factor authentication (MFA) to compensate for reduced password strength. Also document such limitations and provide feedback to the service provider when possible.

Length Considerations for Passphrases

For passphrases, length is measured differently — in word count rather than character count. Using the standard Diceware word list (7,776 words), recommended word counts are: minimum security: 4 words (~51.7 bits); recommended: 5 words (~64.6 bits); high security: 6 words (~77.5 bits); very high security: 7–8 words (~90–103 bits).

Chinese passphrases require more words since Chinese word lists are typically smaller. When using Chinese, aim for 6–8 random Chinese words, or use an English Diceware list (memorizing random English words isn't actually harder than Chinese ones in a Chinese input environment).

Future Trend: The Quantum Computing Threat

The development of quantum computers poses a long-term threat to password security. Grover's algorithm can halve the breaking difficulty of symmetric cryptographic systems (including password hashes), meaning that in the future, a 128-bit security password will be equivalent to today's 64-bit password. This threat remains in the distant future but has already prompted NIST to begin developing post-quantum cryptography standards.

Against the quantum threat, security experts recommend adopting longer passwords today (entropy above 128 bits). Using 20+ character full-charset random passwords, or passphrases of 7+ random words, provides sufficient quantum security margin.

Practical Advice: Setting Your Password Length Policy

Final advice: don't treat password length as a single numeric target. Instead, develop a tiered strategy based on account value and risk level. Users with a password manager can easily set all stored passwords to 20 characters or more since memorization isn't required. Manually memorized passwords — password manager master password, device login — should use 6–7 random word passphrases.

Regularly audit your password vault, identify passwords shorter than 12 characters, and prioritize updating high-value accounts first. This doesn't need to happen all at once — update one old password each time you log in, and you'll complete a full upgrade within months.

Try the online tool now — no installation, completely free.

Open Tool →