'ZDNET Recommends': What exactly does it mean?
ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.
How long should a password be in 2023? You're asking the wrong question
A longer password is more secure. It's just common sense, right? Increasing the length of a password means there are more combinations available. That in turn means a brute force attack, in which someone uses an automated system to try every combination in an effort to crack the code, will take longer.
Also: The best password managers
Security experts generally agree that a password of eight characters is too easy to crack with the help of readily available hardware like the GPU in a gaming PC. Using an Nvidia RTX 4090, for example, Hive Systems calculated that it would take less than an hour to blast through every possible 8-character combination of letters (capital and lowercase) and numbers and symbols. That's twice as fast as a mainstream graphics card from two years ago, in yet another example of Moore's Law in action.
So, if eight characters is too short, how long is long enough? Is there a magic number? Security experts don't agree on the exact number, I discovered in a review of published recommendations from a wide range of sources. But they have reached a broad consensus: At least 12 characters, but more is better. And maybe a passphrase consisting of four or more random words is best of all.
Also: What are passkeys? Experience the life-changing magic of going passwordless
Every expert we surveyed agreed that increasing the length of a password is much more important than adding complexity requirements, such as mandating the use of numbers, letters, and symbols. But even more important is ensuring that the password is truly random. Add all that together and you get a measurement called entropy, which measures the difficulty of guessing a password.
An attacker who can make educated guesses is likely to make short work of breaking a low-entropy password based on your dog's name and the year you were born; a truly random password assigned by a password manager is much more of a challenge.
But how long?
In an article at the Infosec Institute website, Daniel Brecht examines "Password security: Complexity vs. length," and makes a case for 12 characters being a good starting point:
Short length passwords are relatively easy to break, so the idea is to create lengthier ones for added security and to make them less predictable. So what is the desired or required length? A 2010 Georgia Tech Research Institute (GTRI) study told how a 12-character random password could satisfy a minimum length requirement to defeat code breaking and cracking software, said Joshua Davis, a research scientist at GTRI. Richard Boyd, a senior researcher at GTRI says, "Eight-character passwords are insufficient now… and if you restrict your characters to only alphabetic letters, it can be cracked in minutes." In any case, to be on the safe side, a password length of 12 characters or more should be adopted.
The developers of some popular password managers agree in principle. At the Bitwarden Blog, for example, the answer is authoritative and punctuated with an actual exclamation point: "Make your password 14 to 16 characters or more!"
That's not just a random recommendation, either. Bitwarden's advice is derived from a National Institute of Standards and Technology (NIST) publication, NIST SP 800-63B - Digital Identity Guidelines, which notes, "Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes."
Also: The best VPN services: Expert tested and reviewed
Meanwhile, rival 1Password has a similar take in their blog post, which confidently asserts, "This is how long your passwords should be": "1Password's default generated password length is 19 or 20 characters, depending on the version. But that's actually overkill! When a password is properly generated, 11–15 characters will provide more than enough protection for the everyday user."
The folks at NordPass tackle the question with math, concluding that "ideally you'll want [a secure password] to be a minimum of 12 characters. … If you really want to future-proof yourself, 16 characters is truly the best and most realistic length you'll likely be able to rely on, but more is even better."
In fact, that broad consensus has made it to Windows, where a Microsoft Support article "Create and use strong passwords" includes these basic password recommendations:
- At least 12 characters long but 14 or more is better.
- A combination of uppercase letters, lowercase letters, numbers, and symbols.
- Not a word that can be found in a dictionary or the name of a person, character, product, or organization.
- Significantly different from your previous passwords.
The privacy-focused folks at Proton (makers of Proton Mail) argue that a password composed of 15 characters generated randomly by a password manager should be "out of reach of modern computing capabilities."
Also: Windows security: How to protect your home and small business PCs
Or maybe you shouldn't use a password at all, they conclude: "If you want to create a strong password using a series of words (a 'passphrase'), most info security firms recommend using at least four words that aren't very common. As more people switch to passphrases, however, hackers will get better at cracking them."
Maybe you shouldn't worry about how many letters are in your password. Maybe the real question is how many words are in your passphrase. Just don't use "correct horse battery staple." That one's been taken.