{"id":65932,"date":"2023-07-20T11:00:00","date_gmt":"2023-07-20T15:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=65932"},"modified":"2024-04-22T21:54:52","modified_gmt":"2024-04-23T01:54:52","slug":"password-length-better-than-complexity","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/password-length-better-than-complexity","title":{"rendered":"Is Password Length Better Than Complexity?"},"content":{"rendered":"\n
Unfortunately, we only seem to care about passwords when they\u2019re hacked. And that happens more often than you may think.<\/p>\n\n\n\n
According to Verizon\u2019s 2022 Data Breach Investigations Report<\/a>, stolen credentials were involved in nearly half of all data breaches, which is a 30% increase since 2017.<\/p>\n\n\n\n Although most employees know the dangers associated with reusing passwords or creating passwords that are easy to remember, they still do it. Much of that behavior has to do with password fatigue<\/a>. Being forced to change their tens or even hundreds of passwords every month or quarter almost encourages people to use weak passwords.<\/p>\n\n\n\n But that doesn\u2019t excuse the fact that passwords present an enormous risk. So how do you reduce the chances of breaches involving weak or stolen passwords? Two of the best ways to improve your password management<\/a> are to increase password length and password complexity.<\/p>\n\n\n\n In this piece, we\u2019ll discuss the differences between password length and complexity, explain which is more important, and offer suggestions for ensuring your company\u2019s data and your customers\u2019 data stay safe from password attacks.<\/p>\n\n\n\n Password length refers to the number of characters (letters, numbers, punctuation marks, etc.) in a password. Experts recommend using longer passwords when possible. The longer a password is, the more possible permutations it has, making it harder and harder for cybercriminals to crack.<\/p>\n\n\n\n But length isn\u2019t the only thing that matters when creating a strong password \u4e00 complexity is another key component. Password complexity refers to the mix of characters in a password. Complex passwords have a diverse combination of characters that don\u2019t necessarily make logical sense. For example, using people\u2019s names, numbers in numerical order, or other intelligible words in a password makes it much easier to guess than a random set of numbers, uppercase letters, lowercase letters, and symbols.<\/p>\n\n\n\n And it turns out we aren\u2019t very creative when it comes to passwords; 24% of Americans<\/a> have used some form of these passwords: abc123, Admin, and 123456. To make it easier for users to create highly complex passwords, many single sign-on (SSO) password managers<\/a> come with built-in random password generators.<\/p>\n\n\n\n The National Institute of Standards and Technology (NIST) sets forth password guidelines every few years<\/a>. While password length and complexity are both highlighted in the report, the latest NIST recommendations state that password length is better than complexity. This claim stems from the fact that enforcing character requirements doesn\u2019t always produce robust passwords.<\/p>\n\n\n\n For instance, let\u2019s say a company forced their employees to create passwords with at least one uppercase letter, one lowercase letter, a number, and a special character. Even with these requirements, people\u2019s passwords could still end up being something like, \u201cAbc123*,\u201d which is not much better than what they might\u2019ve used had the requirements not been in place.<\/p>\n\n\n\n Longer passwords make it tougher for cyberattackers to solve because there are exponentially more options with every added character. To put this in perspective, a 12-character password takes 62 trillion times longer to crack<\/a> than a six-character password. <\/p>\n\n\n\n And if you add in some complexity on top of that, passwords become even more challenging to decode. A 12-character password containing at least one uppercase letter, one symbol, and one number would take 34,000 years for a computer to crack<\/a>.<\/p>\n\n\n\n Now that we\u2019ve discussed how length and complexity affect password security, it\u2019s time to improve your overall password posture. Here are just a few ideas:<\/p>\n\n\n\n You probably already have security training for your employees, but keeping them up to date on the newest NIST password hygiene recommendations is a must. After all, they are the ones creating and updating their passwords, and they can\u2019t keep them secure if they don\u2019t know what password management best practices<\/a> to follow.<\/p>\n\n\n\n Setting password rules can significantly impact your password security. Institute requirements around password length and complexity and set regular reminders for employees to rotate and update passwords. As much as this helps, it also puts additional strain on IT.<\/p>\n\n\n\n Enforcing these policies becomes much easier and more streamlined with a password manager. The best password managers have built-in password generators that create randomized, unique passwords, save those passwords to a vault for safe-keeping, and connect to multi-factor authentication providers to guarantee that the person attempting to access a certain system is authorized to do so.<\/p>\n\n\n\n Single sign-on<\/a> and multi-factor authentication<\/a>, SSO and MFA for short, can make logging into several applications easier and more secure. With SSO, users only have to log in once to access all of their IT resources. In other words, one username and one password are all they need to memorize to do their day-to-day work.<\/p>\n\n\n\n MFA adds a second or third factor to the login process, whether it\u2019s confirming identity via SMS, authenticator app, or biometrics<\/a>. Overall, passwords become much more secure when you limit the number of passwords employees have to remember and add extra authentication steps. <\/p>\n\n\n\nWhat\u2019s the Difference Between Password Length and Complexity?<\/h2>\n\n\n\n
Password Length vs. Complexity: What\u2019s More Important?<\/h2>\n\n\n\n
How to Improve Password Security<\/h2>\n\n\n\n
Employee Education <\/h3>\n\n\n\n
Password Management Policies <\/h3>\n\n\n\n
Use Single Sign-On and Multi-Factor Authentication<\/h3>\n\n\n\n