Is a longer password better than a complex one?

YES!! Longer passwords are better.

For any realistic alphabet size, it is far more effective to increase the exponent (the length) than the base (the number of allowed characters) of the exponential function that counts possible passwords. This is the mathematical argument behind the NIST Digital Identity Guidelines (Special Publication 800-63B) for the United States federal government, which favor longer passwords and advise against mandatory composition rules. If you don’t want to read the guidelines, let’s discuss why longer passwords are stronger and, if formed correctly, can be easier to remember.

Imagine you have a password with eight characters and only letters – uppercase and lowercase. That gives you 52 possible letters for each position. The total number of combinations you can make out of those letters is 52 to the power of 8, or 53,459,728,531,456.

Let’s try to make this password stronger. The first idea is to require numbers and special characters in the password but keep the length at eight. Such a password is harder to remember, and the user is more likely to just write it down somewhere. That is not a good strategy but, still, let’s see whether it makes the password any stronger. The total number of combinations to crack in this case is 72 (52 letters plus 10 numbers plus 10 special characters) to the power of eight, or 722,204,136,308,736.

Let’s see whether we can do any better. This time, we’ll keep only uppercase and lowercase letters (52 in total) but require a couple more characters in the password (10 instead of eight). It is not much harder to remember 10 letters than eight – just pick a phrase that combines two words. The total number of combinations to crack in this case is 52 to the power of 10, or 144,555,105,949,057,024. Adding two letters is about 200 times better than adding numbers and special characters at the same length, without the risk that the password becomes impossible to remember. In fact, nine letters alone (52 to the power of 9, or 2,779,905,883,635,712) already beat the eight-character password with special symbols.

Add two more characters to the password with only letters. The length of the password becomes 12 and the number of combinations becomes 52 to the power of 12, or 390,877,006,486,250,192,896. That is more than 500,000 times better than the 8-character password with special symbols. Still, a 12-character password that contains only letters sounds like a reasonable thing to remember.
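The keyspace arithmetic above, carried through in code as an added example (not part of the original post). It computes the combination counts and the equivalent bits of entropy for each case, the ratio between them, the general rule for how many extra letters are needed to match any larger alphabet at a given length, and, as a caveat the post does not cover, the much smaller search space an attacker faces when the "letters" are really whole dictionary words chosen from a known word list. The alphabet sizes follow the post; the 7,776-word dictionary, the 100,000-word dictionary and the guess rate of 10^11 per second are assumptions chosen for illustration.

```python
import math

# Alphabet sizes used in the post.
LETTERS = 52            # a-z plus A-Z
DIGITS = 10
SPECIALS = 10           # the post assumes 10 special characters
MIXED = LETTERS + DIGITS + SPECIALS   # 72


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters,
    each drawn uniformly from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def ratio(a_size: int, a_len: int, b_size: int, b_len: int) -> float:
    """How many times larger keyspace A is than keyspace B."""
    return keyspace(a_size, a_len) / keyspace(b_size, b_len)


def length_to_match(small_alphabet: int, large_alphabet: int, large_length: int) -> int:
    """Smallest length of a password over `small_alphabet` whose keyspace is at
    least that of a `large_length`-character password over `large_alphabet`.
    Solves small^n >= large^L for the smallest integer n."""
    n = math.ceil(large_length * math.log(large_alphabet) / math.log(small_alphabet))
    # Guard against floating-point error pushing the ceiling one step too low.
    while keyspace(small_alphabet, n) < keyspace(large_alphabet, large_length):
        n += 1
    return n


def passphrase_keyspace(dictionary_words: int, num_words: int) -> int:
    """Search space for a passphrase made of `num_words` words chosen uniformly
    from a dictionary of `dictionary_words` entries. An attacker who knows the
    word list guesses whole words, so the unit is a word, not a letter."""
    return dictionary_words ** num_words


def crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to find the password by brute force: half the keyspace
    at the given guess rate (the correct guess is, on average, halfway through)."""
    return space / 2 / guesses_per_second


def main() -> None:
    rate = 1e11  # assumed guess rate for illustration (guesses per second)
    cases = [
        ("8 letters", LETTERS, 8),
        ("8 mixed (letters+digits+specials)", MIXED, 8),
        ("10 letters", LETTERS, 10),
        ("12 letters", LETTERS, 12),
    ]
    print(f"{'case':38} {'keyspace':>28} {'bits':>6} {'hours @1e11/s':>14}")
    for name, size, length in cases:
        space = keyspace(size, length)
        print(f"{name:38} {space:>28,} {entropy_bits(size, length):>6.1f} "
              f"{crack_seconds(space, rate) / 3600:>14,.1f}")

    print(f"\n10 letters vs 8 mixed: {ratio(LETTERS, 10, MIXED, 8):,.0f}x larger")
    print(f"12 letters vs 8 mixed: {ratio(LETTERS, 12, MIXED, 8):,.0f}x larger")
    print(f"Letters needed to beat 8 mixed characters: {length_to_match(LETTERS, MIXED, 8)}")

    # Caveat: a passphrase built from words is attacked word by word.
    # 7,776 words is the size of a typical diceware-style list; 100,000 is a
    # large general dictionary (both assumed here for illustration).
    for words, count in [(7776, 4), (100_000, 2)]:
        space = passphrase_keyspace(words, count)
        print(f"{count} random words from a {words:,}-word list: "
              f"{space:,} combinations ({math.log2(space):.1f} bits)")


if __name__ == "__main__":
    main()
```

Note the last section: two words from a 100,000-word dictionary give roughly 10^10 combinations (about 33 bits), far below the 57 bits of 10 uniformly random letters, because a combinator attack only has to guess words. Length only helps when the attacker cannot shrink the alphabet, which is why the words in a passphrase should be several, unrelated, and not a quotation.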

In summary, longer passwords are better. Try extending the length of your passwords to more than 12 characters by combining words rather than adding numbers and special characters that are harder to remember. One caveat: the counts above assume every character is chosen at random. A passphrase built from a familiar phrase or a couple of common words lets an attacker guess whole words instead of letters, which shrinks the search space dramatically, so pick several unrelated words rather than a quotation or a single dictionary pair.