When you create an account online, you’ll usually see a suggested or required length for your password. But when every website or platform has a different length suggestion, it can be difficult to know exactly how long your password should be.
6 characters? 12 characters? 24 characters? The options are endless.
- The basics of password safety
- Traditional password requirements for websites
- How important is password complexity?
- What makes a password strong: minimum vs maximum length
- Password strength and entropy
- Password length versus complexity
- Remember complex passwords with 1Password
- The passwords you need to memorize (and type)
- 1Password’s generator = strong password length
The short answer is that when using 1Password to create passwords you don’t need to remember, you should go with the one that 1Password suggests. Depending on the version of 1Password you’re using, you may see a suggested password in your browser – in which case go with that. If you’re taken to 1Password’s password generator instead, pick a length of 20. And for passwords which you need to remember, use the 1Password wordlist generator with four words.
The long answer? Continue reading to find out how long a password should actually be and what makes a password strong enough to secure your online presence.
The basics of password safety
First, let’s look at the different kinds of passwords at our disposal.
Passwords you need to memorize. There will always be some passwords that you need to know by heart. The password for your company laptop, for example, or the one required to unlock your password manager. We recommend using a strong but memorable passphrase in these instances.
Passwords you don’t need to memorize. If you’re using a password manager like 1Password, you don’t have to remember the rest of your login credentials. The password manager will do the hard work for you by creating, storing and autofilling passwords that are too strong, unique, and random for the human brain to remember.
You should be using a password generator to come up with both types of passwords. It can be tempting to think that your grandma’s pet’s name is secure enough to protect your assets. However, human-created passwords are easily figured out by password cracking systems. The people who develop and configure cracking software know more about how humans create passwords than anyone else.
So moving forward, we’ll assume that you are using a secure password generator.
Traditional password requirements for websites
Most of the requirements that websites and other services ask for don’t apply if you’re using a password generator. Those rules were designed to prompt users to come up with strong passwords on their own, without the support of a password manager.
It turns out these rules and requirements aren’t necessary. In fact, experts advise against imposing any requirements other than a minimum password length. Nonetheless, people may still be faced with those sorts of password requirements for a long time until websites around the world update their policies.
How important is password complexity?
There’s a pervasive belief that requiring numbers and special characters increases password strength. But the effects of these requirements differ for human-created passwords and properly generated passwords.
- An 11-character, human-made password with mixed-case letters, numbers, and symbols might look like this:
- An 11-character password generated by 1Password using only mixed-case letters might look like this:
The generated password, even though it doesn’t have any numbers or special characters, is going to be significantly harder to guess than the human-created one.
It might sound illogical, but the same complexity requirements that can help humans come up with better passwords actually weaken machine-created ones. The good news is that the machine-created ones are so strong to begin with that the harm done by complexity requirements is tiny.
What makes a password strong: minimum vs maximum length
Most websites typically require a minimum password length of 8–10 characters. When tasked with creating a new password, many people tend to come up with something as short as possible, as quickly as possible. They want to sign up, log in, and move on with their day.
We get it! But here’s the catch: Only hitting the minimum password requirements makes you more vulnerable to having your password cracked. Unless you are required to do otherwise, make sure that your password is at least 11 characters long.
So what is an example of a strong password? Take a look at the following:
These examples show that properly generated passwords don’t always need an excessive amount of special characters. 1Password’s password generator is designed to create complex passwords with numbers and symbols if needed, since those are still required by many sites.
1Password’s default generated password length is 19 or 20 characters, depending on the version. But that’s actually overkill! When a password is properly generated, 11–15 characters will provide more than enough protection for the everyday user. However, we know that most people feel more comfortable and secure with a longer version.
Password strength and entropy
Defined as a measure of uncertainty or randomness, the word “entropy” refers to the strength of your password.
Before we go any further, we need to talk about the method used to create passwords, and how that affects entropy. Let’s say you have a scheme that generates 11-character passwords from letters, numbers, and symbols. Every possible outcome should be just as likely – if there’s a higher chance that it’ll come up with
lwlXgHeaWiq, then using entropy as a framework doesn’t make sense. Some popular password generators don’t create passwords uniformly, but we’ve ensured that 1Password’s secure password generator does.
So how does entropy work?
A password with 20 bits of entropy is twice as hard to crack as one with 19 bits. The 20-bit password is half as hard to crack as a password with 21 bits. A password with 20 bits of entropy is drawn uniformly and randomly from 2²⁰ possible distinct passwords. That’s just over 1 million, and approximately the strength you would get from a 4-character generated password.
Because password-guessing systems can make hundreds of thousands of guesses per second (if the passwords are well hashed) or tens of millions of guesses per second (if the passwords are not well hashed), a 20-bit password is far too weak for most purposes. An 11-character password drawn only from mixed case letters has around 65 bits of entropy, which is more than sufficient for almost any purpose.
Password length versus complexity
Using entropy as a measurement, we can return to the question of how length and character complexity contribute to password strength.
Let’s contrast two pairs of password generation settings — 11 or 12 characters, and requiring numbers versus letters only.
|11 characters||12 characters||16 characters||20 characters|
The lesson here is that while adding numbers increases the strength, the passwords get a greater strength increase through even a small increase in length. A larger increase in length creates an enormous difference for creating difficult passwords. As a rule of thumb, each bit corresponds to doubling the number of possible options (and so doubling the amount of work an attacker needs to do).
This makes the 16 character, letters-only password (91 bits) 8 million times harder to guess than the 12-character (68 bits) one, while the 12-character password with numbers (71 bits) is only eight times harder to crack than the letters-only one.
Here’s an example to give you an idea of what some of these bits translate to. If a 70-bit password is well hashed, it is almost certainly outside the range of what a major government could crack. If it’s poorly hashed, it might be within the power of a major government willing to dedicate at least hundreds of thousands of dollars into the cracking effort. The circumstances under which anyone would choose that line of attack are hard to imagine. A 90-bit password is well outside the range of what even the most determined and well-resourced attacker could do.
Remember complex passwords with 1Password
Remembering a long password is hard. Remembering a lot of long passwords? Yikes.
That’s where a secure password manager like 1Password comes in. It will generate, remember and autofill your credentials for you, so you don’t have to worry about memorizing 15–20 characters of gibberish.
The passwords you need to memorize (and type)
The exceptions to this are the passwords you have to remember, like the one required to log into your 1Password account. In these instances, the type of password we normally recommend – one that’s composed of random characters – won’t be realistic, because it’s simply too difficult to remember. Instead, you should use passphrases, which combine a handful of real but unrelated words, like “ball-orange-moon-car.”
A four-word passphrase (56 bits) is strong enough for the password that you use to log into 1Password because we hash it well. We estimate that it would cost an attacker about $76 million USD to crack that.
Your Secret Key means that password-cracking isn’t a viable attack on the data that we hold. The strength of your account password and our hashing is, however, your defense against a cracking attempt against data stolen from one of your devices.
How long would a cybercriminal need to crack a passphrase? That depends on the resources the attacker is able to throw at it, so it’s more useful to talk in terms of costs to the attacker instead of time. A four-word (56 bits) account password would cost the attacker around 76 million dollars to crack, and a five-word one (71 bits) would require more than a trillion dollar cracking effort given how these are hashed. Even if a government could crack a four-word passphrase, they would likely try a less expensive line of attack.
The bottom line: the password for your 1Password account is a critical part of your digital defences. Since this is the password that protects everything you store in 1Password, it’s important to choose a good one.
1Password’s generator equals strong password length
One of the benefits of using properly generated passwords is that we can know exactly how strong they are. The passwords maintain their strength even when the attacker knows precisely how they were generated. This is the opposite of many of the clever schemes that people come up with for creating passwords.
That all leads to an interesting paradox.
The more popular a password scheme becomes, the more attackers will tune their systems to adjust to it. A proper password generator, however, remains secure even if everyone uses it and the attacker knows every detail of the scheme. I like to call that the “Kantian Principle” of password creation advice: It remains good if everyone does it.
Ready to protect yourself with passwords and passphrases that are strong and sufficiently long? Visit the 1Password password generator to get started.
Editor’s Note: This article was last updated on December 6th, 2021.