Password Length vs Complexity: Which Is More Important?

Password Length vs Complexity: Which Is More Important?

Apr 15, 2024

In this video, learn about the differences between password length and complexity, which is more important, and four tips to improve password security in your organization. Visit the JumpCloud blog for additional reading: https://jumpcloud.com/blog/password-length-better-than-complexity

Learn more about:

Schedule a demo: https://jumpcloud.com/demo

Resources and social media:

Transcript:

It’s no secret that passwords aren’t foolproof. In fact, the most common way that hackers infiltrate an organization is through stolen credentials.

But until the day that everything has shifted to passwordless authentication, passwords are still necessary. So, how can we make them as strong and effective as possible?

We’ll start with a common question: is password length or complexity more important?

Let’s break it down.

Length refers to the number of characters in a password.

Complexity refers to the variety of characters in a password.

For example, "cloudyrainytuesdayafternoon" is long, and "n$0rL8w#" is complex.

But which password is stronger?

According to the latest guidelines from the National Institute of Standards and Technology, password length is more important than password complexity.

Why is that?

While both length and complexity can strengthen a password, there are some issues with password complexity. First, complex doesn’t equal robust.

For example, "n$0rL8w#" uses upper and lower case letters, a number, and a special character — but it’s not very unique or hard to guess. Research shows that users often create predictable passwords, like this one, when they’re given complexity requirements.

In addition, complex passwords can be hard to remember. This prompts users to store passwords insecurely — like writing them down on paper — and request resets more often.

By contrast, long passwords can actually be easier to remember.

For example, the long password, “cloudyrainytuesdayafternoon” is much easier to remember than this complex jumble of characters. When users can remember their passwords, they’re less likely to write them down or request password resets.

In addition, brute-force password cracking takes time. With every character you add to your password, you increase the time it would take to crack it. This effect is exponential: it would take 62 trillion times longer to crack a 12-character password than a six-character password.

Of course, strong passwords are only part of the equation. What else can you be doing to improve authentication security? Consider these four tips.

First, enforce password policies. Follow NIST guidelines — linked below — and prioritize length by requiring at least 12 characters in users’ passwords. Educate users on best practices, and require them to rotate their passwords regularly.

Second, use single sign-on, or SSO. With SSO, users only have to remember one set of credentials to log into their accounts. Ideally, SSO should be applied everywhere, so one set of credentials grants users access to everything they need to do their work.

Third, implement multi-factor authentication, or MFA. MFA adds a layer of security that exponentially increases the security of the password. With MFA in place, a compromised password is no longer enough to lead to a breach.

Finally, invest in a password management tool. Password managers dramatically improve password security. JumpCloud Password Manager, for example, facilitates secure password creation, storage, and sharing among trusted users. It can even store and auto-fill MFA tokens to make authentication that much easier for your users.