top of page
  • Writer's pictureAngus Stewart

How big is your key

This image was created with the assistance of DALL·E 2

How long should your password be in 2023? If you said eight characters, you are living in 2013. Modern graphics cards - now used for these types of computational tasks - are so fast an eight character alpha-numeric password could be cracked in minutes.

In today's digital age, safeguarding sensitive information is paramount. Passwords play a critical role in protecting our online identities and data. It's common knowledge that longer passwords tend to be more secure. Why? The logic is straightforward: an increased password length results in a greater number of potential combinations, making it significantly more challenging for cybercriminals to break into your accounts.

Security experts concur that an eight-character password is alarmingly easy to crack with the aid of readily available hardware like the powerful GPUs found in gaming PCs. For instance, using an Nvidia RTX 4090, Hive Systems estimated that it would take less than an hour to exhaustively test every possible eight-character combination of letters (both capital and lowercase), numbers, and symbols. This highlights the alarming pace at which technology is evolving, in line with Moore's Law.

Given the vulnerability of eight-character passwords, the question arises: How long is long enough? Although security experts do not universally agree on an exact number, there is a consensus that a minimum of 12 characters is essential for robust security. Many even argue that passphrase-based systems, composed of four or more randomly selected words, offer the best protection.

In fact, every expert surveyed emphasizes the superiority of length over complexity. They argue that adding numbers, letters, and symbols to a short password is less effective than ensuring the password is genuinely random. This randomization leads to a concept called "entropy," which quantifies the difficulty of guessing a password. An attacker who can make educated guesses can easily crack a low-entropy password based on personal information like your dog's name and birth year. In contrast, a truly random password generated by a password manager presents a formidable challenge.

According to an article on the Infosec Institute website, Daniel Brecht suggests that a 12-character random password represents a solid starting point for security. He cites a 2010 Georgia Tech Research Institute (GTRI) study, which demonstrated that a 12-character random password could thwart code-breaking and cracking software. Richard Boyd, a senior researcher at GTRI, firmly states that eight-character passwords are now insufficient and can be cracked in mere minutes. Therefore, for optimal security, passwords with 12 characters or more should be adopted.

Leading password manager developers, such as Bitwarden and 1Password, echo this sentiment. Bitwarden recommends passwords of 14 to 16 characters, referring to guidelines from the National Institute of Standards and Technology (NIST). NIST suggests that users should be encouraged to create lengthy passwords for greater security. 1Password, on the other hand, proposes that 11 to 15 characters are sufficient for most everyday users when properly generated. NordPass, delving into the mathematics of password security, advises a minimum of 12 characters, with 16 characters offering even greater protection.

Even Microsoft recognizes the significance of password length. In their article "Create and use strong passwords," they suggest a minimum of 12 characters and emphasize the importance of a combination of uppercase and lowercase letters, numbers, and symbols. Furthermore, they discourage the use of dictionary words or easily guessable terms.

Proton, the company behind Proton Mail, underscores the importance of strong, lengthy passwords. They argue that a 15-character password, randomly generated by a password manager, should be beyond the reach of modern computing capabilities. However, they also caution that as more people adopt passphrases, hackers may become more adept at cracking them.

In conclusion, the consensus among security experts, developers, and industry guidelines is clear: longer passwords are more secure. Passwords of at least 12 characters, or even longer, are recommended. While complexity has its place, the emphasis is on creating truly random passwords that are challenging for attackers to guess or crack. In an era where cyber threats are constantly evolving, robust passwords are a vital line of defense in protecting our digital lives.


Recent Posts

See All


bottom of page