Password Security: Why Length Matters More Than Complexity

Adding uppercase letters and symbols feels like the right thing to do. In reality, a longer password — even one made up entirely of letters — is mathematically stronger. Here's why, and what it means for your security in practice.

Is It Better to Have a Long or a Complex Password?

Length wins over complexity. It's counterintuitive, but the numbers are clear.

Let's compare three passwords:

  • 8 characters, lowercase only (26 possibilities per position): 26⁸ ≈ 209 billion combinations, about 37.6 bits of entropy
  • 8 characters, mixed types (lowercase, uppercase, digits and symbols: the 95 printable ASCII characters per position): 95⁸ ≈ 6.6 quadrillion combinations, about 52.6 bits
  • 16 characters, lowercase only: 26¹⁶ ≈ 43.6 sextillion (4.4 × 10²²) combinations, about 75.2 bits

The third password, the simplest-looking of the three, is by far the strongest: its keyspace is about 6.6 million times larger than the second one's and about 209 billion times larger than the first one's. The reason is where each change lands in the formula alphabet-size to the power of length. Length is the exponent, so every extra character multiplies the keyspace by the whole alphabet size (by 26 here). Adding character types only enlarges the base: going from 26 to 95 symbols at a fixed eight characters multiplies the keyspace by (95/26)⁸, roughly 32,000, which is worth less than four additional lowercase letters.

Why Does Replacing Letters With Symbols Do So Little?

Replacing an "a" with "@", an "o" with "0", or an "e" with "3" gives a false sense of security. These substitutions have been known for decades and are built into every modern cracking tool as mangling rules: hashcat and John the Ripper ship rule sets that apply them automatically to every word in a dictionary. "P@ssw0rd" is not significantly more resistant than "password" against an automated attack.

This habit creates an unjustified feeling of safety. It comes from the earliest computer security guidelines, written at a time when attack tools were far less sophisticated. Today, a genuinely long and random password is far better than a short one dressed up with symbols.

Should You Change Your Password Regularly?

No. Since 2017, NIST's digital identity guidelines (SP 800-63B) have told services not to require periodic password changes, and to force a change only when there is evidence the password has been compromised. NIST is the U.S. National Institute of Standards and Technology, whose guidance shapes password policy well beyond the United States.

This goes back a long way. Bill Burr, then a NIST employee, wrote the original SP 800-63 (drafted in 2003, published in 2004), which became a global reference. It recommended composition rules and regular password changes, which in practice became the familiar 90-day rotation. In 2017, after retiring, he publicly acknowledged that those recommendations rested on assumptions from the 1980s rather than on empirical evidence.

The problem with forced rotation is concrete: it pushes users toward predictable patterns — "January2024", "January2024!", "February2024!". That's exactly the kind of pattern an attacker tests first.

A strong, unique password has no expiration date. Change it when a compromise is confirmed or suspected, for example when the service announces a breach or the password turns up in a leaked data set, not because a calendar says so.

What Is the Difference Between an Online and an Offline Attack?

This is a fundamental distinction that radically changes the level of security required.

In an offline attack, the attacker has obtained a copy of the credential database (through a data breach or a stolen backup) and works locally, with no rate limit and no lockout. The only thing slowing them down is the cost of the hash: a single modern GPU computes on the order of a hundred billion MD5 hashes per second, but only on the order of a hundred thousand bcrypt hashes per second at a low cost factor, and far fewer at the cost factors used in practice. Against an offline attacker, only the password's entropy (its length and randomness) and the quality of the hashing algorithm make a difference.

In an online attack, every guess goes over the network to the live service, and the service gets to push back: progressive delays between attempts, temporary lockouts after several failures, CAPTCHAs, detection of suspicious source IPs. With even a one-second delay between tries, a single account allows about 86,400 guesses a day, so a random 10-character password (about 47 bits even in lowercase) cannot be brute-forced in any useful time. The caveat is that online attackers know this and do not brute-force: they try the few thousand most common passwords, or passwords leaked from other sites, against many accounts at once (password spraying and credential stuffing). What matters online is that the password cannot be guessed in a handful of attempts.

A properly rate-limited online service can therefore tolerate a somewhat shorter password than anything that can be attacked offline: an encrypted file, a password-manager vault, a disk-encryption passphrase, or the service's own database once it has been exfiltrated. That last case is why the server still needs slow hashing even when its login form is well protected.
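The arithmetic behind the three passwords compared earlier and the two attack models above, as an added worked example that is not part of the original article. It computes the keyspace and entropy of each password, then the expected time to guess it under three assumed guess rates: the order-of-magnitude single-GPU figures for MD5 and bcrypt quoted above, and one guess per second for a rate-limited login. The rates are illustrative assumptions, not benchmarks.

```python
import math

# Assumed guess rates (order of magnitude, for illustration only):
# one high-end GPU against MD5, the same GPU against bcrypt at a low
# cost factor, and a rate-limited login form allowing one try per second.
GUESS_RATES = {
    "offline, MD5 on one GPU": 1e11,
    "offline, bcrypt on one GPU": 1e5,
    "online, one guess per second": 1.0,
}

# The article's three passwords: (label, alphabet size, length).
PASSWORDS = [
    ("8 chars, lowercase only", 26, 8),
    ("8 chars, all 95 printable ASCII", 95, 8),
    ("16 chars, lowercase only", 26, 16),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of this shape: alphabet ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse, human-readable duration."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.2f} seconds"


def report():
    """One row per password: label, keyspace, bits, {scenario: expected seconds}."""
    rows = []
    for label, alphabet, length in PASSWORDS:
        bits = entropy_bits(alphabet, length)
        times = {scenario: expected_crack_seconds(bits, rate)
                 for scenario, rate in GUESS_RATES.items()}
        rows.append((label, keyspace(alphabet, length), bits, times))
    return rows


if __name__ == "__main__":
    for label, space, bits, times in report():
        print(f"{label}: {space:.3g} combinations, {bits:.1f} bits")
        for scenario, secs in times.items():
            print(f"    {scenario}: {human_time(secs)}")
```

Two things stand out in the output: the 8-character mixed password falls to MD5 in hours while the 16-character lowercase one takes millennia on the same hardware, and at one guess per second even the weakest of the three is out of reach, which is why online attackers spray common passwords instead of brute-forcing.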

How Does a Server Protect Stored Passwords?

In the event of a database breach, it's the hashing algorithm that determines how well passwords hold up. Not all algorithms are equal.

MD5 and SHA-1 are obsolete for passwords: they were designed to be fast, and a single GPU computes them at tens to hundreds of billions of attempts per second. Bcrypt, designed in 1999 to be deliberately slow with an adjustable cost factor, remains a proven choice. Argon2, winner of the Password Hashing Competition in 2015, is now the recommended choice: it is memory-hard, so it resists attacks by GPUs and specialized hardware (ASICs). Use the Argon2id variant, and raise the parameters as hardware gets faster.

Salt completes the picture: a unique random value, stored next to each hash and mixed into the password before hashing. Two users with the same password then produce different hashes, precomputed rainbow tables become useless, and an attacker who steals the database must attack every account separately instead of cracking all of them in one pass. The salt is not secret; what protects the password is that the hash is slow and the salt is unique.

Why Should You Never Reuse a Password?

Because billions of username/password pairs from past breaches are freely circulating. Attackers test them automatically against dozens of services — this is credential stuffing.

If you use the same password for your email and a forum that was breached three years ago, your email account is potentially compromised. And email is often the master key to everything else: it's the channel through which "forgot my password" links for all your other accounts are sent.

The only defense: a unique password for every service, no exceptions. This is what makes a password manager indispensable in practice — no one can memorize dozens of long, random passwords.

Have I Been Pwned (haveibeenpwned.com) lets you check whether an email address appears in a known breach, and its Pwned Passwords service does the same for passwords without ever receiving the password itself: the client sends only the first five characters of the password's SHA-1 hash and compares the returned candidates locally. It's a useful tool for making an informed decision about changing a password, rather than waiting for an arbitrary rotation schedule.

What Is a Passphrase and Why Does It Work?

A passphrase is a sequence of random words used as a password — for example, "horse battery staple mountain cactus." It's long, strong, and memorable all at once.

Five words drawn at random from a list of 7,776 (the Diceware method: five dice rolls select each word) give about 64.6 bits of entropy, the same as a random 14-character lowercase password or a random 10-character password drawn from the full printable set. It's far easier to remember. The catch is the word "random": the words must be picked by dice or a generator, not by you. Five words you chose yourself form a sentence, not a passphrase, and sentences follow patterns that cracking tools exploit.

A passphrase is especially well suited as a master password for a password manager — the one password you genuinely need to memorize. For everything else, a built-in generator is preferable: it produces cryptographically random output without the human biases that our brains naturally introduce. Octopussian's password manager includes exactly this kind of generator.
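An added example, not Octopussian's generator, showing how a passphrase and a random password are produced correctly, with the secrets module (the operating system's cryptographic random source) rather than the ordinary random module, and how their entropy compares. The 16-word list is a constructed sample standing in for a real 7,776-word Diceware list, so passphrases drawn from it are for demonstration only; the entropy figures for the real list size are computed alongside.

```python
import math
import secrets
import string

# Constructed 16-word sample. A real Diceware list has 7,776 words
# (6 ** 5, one word per five dice rolls); 16 choices per word is far too few.
SAMPLE_WORDS = [
    "horse", "battery", "staple", "mountain", "cactus", "river", "lantern", "copper",
    "velvet", "orbit", "saddle", "prism", "meadow", "glacier", "tunnel", "walnut",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def generate_passphrase(words, n_words: int = 5, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniform random characters: no composition rules, no human bias."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_entropy() -> dict:
    """Bits of entropy for the passphrase and password shapes discussed in the text."""
    return {
        "5 Diceware words (7,776-word list)": entropy_bits(DICEWARE_LIST_SIZE, 5),
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "14 random lowercase letters": entropy_bits(26, 14),
        "10 random printable ASCII characters": entropy_bits(95, 10),
        "20 random printable ASCII characters": entropy_bits(len(PRINTABLE), 20),
        "5 words from the 16-word sample above": entropy_bits(len(SAMPLE_WORDS), 5),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("generated password:", generate_password())
    for shape, bits in compare_entropy().items():
        print(f"{bits:5.1f} bits  {shape}")
```

The last row is the point about word lists: the same five-word shape drawn from a 16-word list gives only 20 bits, so the strength of a passphrase comes from the size of the list and the randomness of the draw, not from the number of words alone.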

Is a Strong Password Enough to Stay Protected?

No. Several attack vectors make the intrinsic strength of a password irrelevant.

Shoulder surfing — someone glancing over your shoulder in an open office or on public transit — is underestimated because it doesn't look like a cyberattack. A keylogger, whether hardware or software, captures the password before it ever reaches the server. And phishing tricks users into entering their own password on a fraudulent site: in that scenario, length and complexity are completely beside the point.

These realities make the case for a layered approach: a strong password is necessary but not sufficient. Two-factor authentication and vigilance against phishing complete the picture. Prefer a phishing-resistant second factor (a FIDO2 security key or a passkey) where the service offers one, since a one-time code typed into a fake site is stolen along with the password.

Why Is Password Security a Collective Issue in the Workplace?

Because a single compromised account can expose an entire shared workspace — colleagues' data, customer data, and the company's reputation.

A team member who doesn't properly secure their access to a task management tool might think the stakes are low. But that tool likely contains specifications, client communications, and details about internal infrastructure. An attacker who gets in through that door can move laterally toward far more sensitive targets.

Password security within a team is a shared responsibility. That's what justifies administration features in a password manager: enforcing minimum requirements, verifying that every team member has enabled two-factor authentication, and being able to revoke access quickly without depending on individual goodwill.

Why Do Some Sites Impose Absurd Password Rules?

Because their systems don't handle passwords correctly on the server side. A properly hashed password is a fixed-size digest whatever the length of the input, so a maximum of 10 or 12 characters, a ban on certain special characters, or rejection of certain combinations "for security reasons" usually betrays storage in plain text, a legacy fixed-width database column, or a password being passed unescaped into some other system where those characters would cause trouble.

A properly hashed password (using bcrypt or Argon2) has no reason to be length-limited. NIST SP 800-63B asks services to accept at least 64 characters, all printable ASCII including the space, and ideally Unicode, and to drop composition rules in favour of checking the password against lists of known-breached values. (Bcrypt is the one caveat: it only uses the first 72 bytes, so implementations cap or pre-hash at that size, not at 12 characters.) If a service prevents you from using a long, random password, that's a red flag about the overall quality of its security.
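An added example, not the article's own code, combining the Have I Been Pwned check from the reuse section with the server-side rules this section argues for: a password policy in the style of NIST SP 800-63B that enforces a minimum length and a generous maximum, imposes no composition rules, and rejects passwords already seen in a breach. The breach check follows the Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the SHA-1 hash), but the response below is constructed so the example runs offline: only the suffix for the word "password" is genuine, the other suffixes and all counts are invented. Replacing constructed_fetch with a real HTTP GET is the only change needed for live use.

```python
import hashlib
from typing import Callable, List

# Constructed stand-in for the range API response for prefix 5BAA6.
# Real responses list "SUFFIX:COUNT" lines for every leaked hash sharing
# the prefix. Only the second suffix (SHA-1 of "password") is genuine;
# the other suffixes and all counts are invented for this example.
CONSTRUCTED_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1F3C2E7A9B8D4E5F6A7B8C9D0E1F2A3B4C5:1\r\n"
)


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    return CONSTRUCTED_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = constructed_fetch) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


MIN_LENGTH = 8     # SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 128   # SP 800-63B requires allowing at least 64; 128 is this example's choice


def check_policy(password: str,
                 fetch_range: Callable[[str], str] = constructed_fetch) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately no composition rules: no required digits, symbols or case,
    and every printable character, including the space, is allowed."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    count = breach_count(password, fetch_range)
    if count:
        reasons.append(f"found {count:,} times in known breaches")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "correct horse battery staple mountain cactus"]:
        verdict = check_policy(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that "P@ssw0rd" passes a composition rule but should be rejected on a real breach lookup; with the constructed response above it is accepted only because its hash prefix is not in the sample data, which is exactly why the live API, not a toy list, belongs in production.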

Key Takeaways

  • Prioritize length over complexity. 16 lowercase characters are stronger than 8 characters of mixed types.
  • Don't change your passwords on a routine schedule. NIST has officially discouraged this since 2017.
  • One unique password per service. Credential stuffing exploits reuse at scale.
  • A passphrase for what you need to remember. A generator for everything else.
  • In a team setting, it's a collective issue. One weak account puts everyone at risk.