Is Password Length Better Than Complexity?

Written by Kelsey Kinzer on July 20, 2022


Unfortunately, we only seem to care about passwords when they’re hacked. And that happens more often than you may think.

According to Verizon’s 2022 Data Breach Investigations Report, stolen credentials were involved in nearly half of all data breaches, which is a 30% increase since 2017.

Although most employees know the dangers associated with reusing passwords or creating passwords that are easy to remember, they still do it. Much of that behavior has to do with password fatigue. Being forced to change their tens or even hundreds of passwords every month or quarter almost encourages people to use weak passwords.

But that doesn’t excuse the fact that passwords present an enormous risk. So how do you reduce the chances of breaches involving weak or stolen passwords? Two of the best ways to improve your password management are to increase password length and password complexity.

In this piece, we’ll discuss the differences between password length and complexity, explain which is more important, and offer suggestions for ensuring your company’s data and your customers’ data stay safe from password attacks.

What’s the Difference Between Password Length and Complexity?

Password length refers to the number of characters (letters, numbers, punctuation marks, etc.) in a password. Experts recommend using longer passwords when possible. The longer a password is, the more possible permutations it has, making it harder and harder for cybercriminals to crack.

But length isn’t the only thing that matters when creating a strong password; complexity is another key component. Password complexity refers to the mix of characters in a password. Complex passwords have a diverse combination of characters that don’t necessarily make logical sense. For example, using people’s names, numbers in numerical order, or other intelligible words in a password makes it much easier to guess than a random set of numbers, uppercase letters, lowercase letters, and symbols.

And it turns out we aren’t very creative when it comes to passwords; 24% of Americans have used some form of these passwords: abc123, Admin, and 123456. To make it easier for users to create highly complex passwords, many single sign-on (SSO) password managers come with built-in random password generators.

Password Length vs. Complexity: What’s More Important?

The National Institute of Standards and Technology (NIST) sets forth password guidelines every few years. While password length and complexity are both highlighted in the report, the latest NIST recommendations state that password length is better than complexity. This claim stems from the fact that enforcing character requirements doesn’t always produce robust passwords.

For instance, let’s say a company forced their employees to create passwords with at least one uppercase letter, one lowercase letter, a number, and a special character. Even with these requirements, people’s passwords could still end up being something like, “Abc123*,” which is not much better than what they might’ve used had the requirements not been in place.

Longer passwords are tougher for cyberattackers to crack because the number of possible combinations grows exponentially with every added character. To put this in perspective, a 12-character password takes 62 trillion times longer to crack than a six-character password.

And if you add in some complexity on top of that, passwords become even more challenging to decode. A 12-character password containing at least one uppercase letter, one symbol, and one number would take 34,000 years for a computer to crack.
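
The comparison above, as an added example (not from the original article or from JumpCloud): it runs the character-class rule from the “Abc123*” scenario next to a length-first rule and compares brute-force search spaces. The 12-character minimum, the four-entry common-password set, and the sample passwords are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for a common/breached-password list: the three passwords
# the article names plus its "Abc123*" example (assumption, not a real list).
COMMON = {"abc123", "admin", "123456", "abc123*"}


def composition_policy(pw: str) -> bool:
    """Character-class rule from the scenario: upper, lower, digit, special."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def length_policy(pw: str, min_len: int = 12) -> bool:
    """Length-first rule: minimum length and not a known common password."""
    return len(pw) >= min_len and pw.lower() not in COMMON


def search_space_bits(length: int, alphabet: int) -> float:
    """log2(alphabet ** length); valid only for uniformly random passwords."""
    return length * math.log2(alphabet)


def growth_factor(alphabet: int, from_len: int, to_len: int) -> int:
    """How many times larger the search space gets when length increases."""
    return alphabet ** (to_len - from_len)


def audit(pw: str) -> dict:
    """Verdict of both policies for one candidate password."""
    return {"composition": composition_policy(pw), "length": length_policy(pw)}


if __name__ == "__main__":
    for pw in ("Abc123*", "correct horse battery staple"):  # constructed samples
        print(f"{pw!r}: {audit(pw)}")
    # 12 lowercase letters vs. 8 characters drawn from all 94 printable symbols
    print(f"12 x a-z : {search_space_bits(12, 26):.1f} bits")
    print(f" 8 x all : {search_space_bits(8, 94):.1f} bits")
    print(f"6 -> 12 chars (a-z): x{growth_factor(26, 6, 12):,}")
```

The bit counts assume every character is chosen at random; a human-chosen password such as “Abc123*” sits far below its nominal figure, which is why the length rule here is paired with a common-password check.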

How to Improve Password Security

Now that we’ve discussed how length and complexity affect password security, it’s time to improve your overall password posture. Here are just a few ideas:

Employee Education 

You probably already have security training for your employees, but keeping them up to date on the newest NIST password hygiene recommendations is a must. After all, they are the ones creating and updating their passwords, and they can’t keep them secure if they don’t know what password management best practices to follow.

Password Management Policies 

Setting password rules can significantly impact your password security. Institute requirements around password length and complexity and set regular reminders for employees to rotate and update passwords. As much as this helps, it also puts additional strain on IT.

Enforcing these policies becomes much easier and more streamlined with a password manager. The best password managers have built-in password generators that create randomized, unique passwords, save those passwords to a vault for safe-keeping, and connect to multi-factor authentication providers to guarantee that the person attempting to access a certain system is authorized to do so.

Use Single Sign-On and Multi-Factor Authentication

Single sign-on and multi-factor authentication, SSO and MFA for short, can make logging into several applications easier and more secure. With SSO, users only have to log in once to access all of their IT resources. In other words, one username and one password are all they need to memorize to do their day-to-day work.

MFA adds a second or third factor to the login process, whether it’s confirming identity via SMS, authenticator app, or biometrics. Overall, passwords become much more secure when you limit the number of passwords employees have to remember and add extra authentication steps. 

Learn more about the differences and similarities between SSO and MFA in Single Sign-On vs MFA.

Strengthen Your Password Management

While employees are fully capable of creating long and complex passwords, depending on them to uphold password best practices may not be the best approach. We are all human. To lessen the stress on employees and help them focus on what they do best, many organizations have turned to password management solutions like JumpCloud IdentityOS.

The JumpCloud IdentityOS app makes password management frictionless, allowing users to maintain and protect their passwords straight from their JumpCloud-managed devices. IdentityOS supports macOS and Windows devices and automatically sends complexity checks, password rotation reminders, and other updates to keep passwords secure and up to date.

Reduce the burden on your IT team and learn more about the self-service password management approach of the IdentityOS app.

Kelsey Kinzer

Kelsey is a passionate storyteller and Content Writer at JumpCloud. She is particularly inspired by the people who drive innovation in B2B tech. When away from her screen, you can find her climbing mountains and (unsuccessfully) trying to quit cold brew coffee.
