
How long should your password be?


For decades, information security experts have tried to get people to create stronger passwords by requiring a minimum length (usually eight characters), plus at least one capital letter, one number, and one special character (like @, #, or !). This strategy is now widely considered to be a failure. Many people simply created an obvious variation of their previous password. “Letmein1!” is as easy for a computer to crack as “letmein”, even though it’s longer and more complex.

This goes to show that there are multiple elements that factor into how strong your password is. Length is one of them. In this article, we’ll explain some concepts you should consider when creating a password, as well as some guidelines for how long your password should be.

Ways to crack a password

First, you should understand something about how hackers steal passwords. Bad guys typically begin trying to crack a password by using a dictionary attack. A dictionary attack works by drawing on a massive database of dictionary words, real passwords exposed in previous data breaches, names, as well as common combinations (such as last name + first name + date) and substitutions (like “@” instead of “a”). To get an idea of what kind of data hackers can glean from a password leak, check out this report.

If a dictionary attack fails, the hacker will have to use a brute force attack. This type of attack is much slower because it means the computer will go through every possible combination of characters, one by one. Some computers can guess hundreds of billions of passwords per second.

Keep in mind, hackers generally are not trying to guess your password at the login page of your online account. Instead, they will usually attempt dictionary or brute force attacks on a database of hashed passwords stolen from a company’s servers. There are various ways companies can hash passwords to bog down the process for hackers, which can help keep your plaintext password secure. But it’s better to create a strong password yourself rather than place all your trust in the cybersecurity practices of a website.

How to prevent a brute force attack

There are two ways to make it more difficult for someone to brute force your password: make your password longer (by using more characters), and make it more complex (by using a greater variety of character types, like numbers and capital letters). Note, however, that length is much more effective than complexity at preventing a brute force attack.

Every additional character in a password increases the length of time it would take a supercomputer to guess your password by an order of magnitude, even if you only use lower-case letters. Adding complexity also helps because it will broaden the set of characters the computer has to check, but not by nearly as much.

There are online calculators that claim to tell you how long it would take a computer to crack your password. These are not precise because of all the variables involved, such as computing power and the hash used. But they can serve to illustrate a key point about password length: a six-character randomly generated password using a mix of character types would take seconds to crack, whereas a 10-character password with only lower-case letters could take several years.
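To make the length-versus-complexity argument concrete, here is a small keyspace calculator (an added example, not code from the article). It assumes a brute-force search over uniformly random passwords and, for the timing function, an assumed guess rate that you pass in; absolute times depend entirely on that rate and on the hash in use, which is why the growth factors and bit counts are the numbers worth comparing.

```python
import math
import string

# Alphabet sizes used in the comparisons (derived from Python's string constants).
LOWER = len(string.ascii_lowercase)                                              # 26
LOWER_DIGITS = len(string.ascii_lowercase + string.digits)                       # 36
ALL_PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)   # 94


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates an exhaustive brute-force search must cover."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Equivalent strength in bits for a uniformly random password."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace(length, alphabet) / guesses_per_second


def growth_from_extra_char(length: int, alphabet: int) -> float:
    """Factor by which the keyspace grows when one more character of the same
    alphabet is appended. This always equals the alphabet size."""
    return keyspace(length + 1, alphabet) / keyspace(length, alphabet)


def growth_from_extra_class(length: int, small: int, large: int) -> float:
    """Factor by which the keyspace grows when, at the same length, every
    position may also draw from a larger alphabet (added complexity)."""
    return keyspace(length, large) / keyspace(length, small)


if __name__ == "__main__":
    rate = 1e11  # assumed rate: 100 billion guesses/second against a fast, unsalted hash
    print("append one lowercase char to an 8-char password: x%.1f"
          % growth_from_extra_char(8, LOWER))
    print("allow digits in every position of an 8-char password: x%.1f"
          % growth_from_extra_class(8, LOWER, LOWER_DIGITS))
    print("6 mixed chars: %.1f bits, exhausted in %.1f s at the assumed rate"
          % (entropy_bits(6, ALL_PRINTABLE), seconds_to_exhaust(6, ALL_PRINTABLE, rate)))
    print("10 lowercase chars: %.1f bits, keyspace is x%.0f larger than 6 mixed"
          % (entropy_bits(10, LOWER), keyspace(10, LOWER) / keyspace(6, ALL_PRINTABLE)))
```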

Why a long password isn’t always better

Brute force attacks are not very efficient and can be easily thwarted by merely creating a longer password. That’s why dictionary attacks are a more efficient way to crack passwords. Dictionary attacks take advantage of human weaknesses, like predictability and poor memory. The need to remember passwords leads users to choose simple passwords, which are also easy to guess.

With dictionary attacks, therefore, length can be a misleading measure of password strength. For example, “F3rnand3zJ@nu@ry1983” looks like it could be a very strong password because it contains lots of numbers, capital letters, and special characters. But this password would probably be cracked in a dictionary attack: It’s just a last name, a month, and a year. The algorithm could easily look for predictable character substitutions and capitals.
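The following checker (an added example, not part of the article) shows why the password above is weak despite its length: it undoes case and the common substitutions a dictionary attack would try, looks up the result against a wordlist, and counts how many characters are left unexplained. The substitution table and the tiny wordlist are constructed for this example and stand in for a real breach-derived corpus.

```python
import re

# Substitutions a dictionary attack trivially undoes (the article's "@" for "a" plus
# a few other common ones). Constructed for this example; real rule sets are larger.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for a wordlist of names, months and leaked passwords.
WORDLIST = ["fernandez", "january", "letmein", "password", "summer", "qwerty"]

YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def normalize(password: str) -> str:
    """Undo case and leet substitutions. Length is preserved, so indices line up."""
    return password.lower().translate(LEET_MAP)


def explained_spans(password: str) -> list:
    """Return (start, end, token) for every wordlist entry or year found."""
    norm = normalize(password)
    spans = []
    for word in sorted(WORDLIST, key=len, reverse=True):
        for m in re.finditer(re.escape(word), norm):
            spans.append((m.start(), m.end(), word))
    for m in YEAR_RE.finditer(password):  # years are matched on the raw text
        spans.append((m.start(), m.end(), "<year>"))
    return spans


def residual_length(password: str) -> int:
    """Characters an attacker would still have to brute force after the
    predictable tokens are accounted for."""
    explained = [False] * len(password)
    for start, end, _ in explained_spans(password):
        for i in range(start, end):
            explained[i] = True
    return explained.count(False)


def assess(password: str) -> dict:
    tokens = sorted({t for _, _, t in explained_spans(password)})
    return {"length": len(password), "tokens": tokens,
            "residual": residual_length(password)}


if __name__ == "__main__":
    for pw in ["F3rnand3zJ@nu@ry1983", "Letmein1!", "correct horse battery staple"]:
        print(pw, assess(pw))
```

The 20-character example resolves entirely to a surname, a month and a year, leaving zero characters for the attacker to search; the article's “Letmein1!” leaves two.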

How long should your password be?

The length of your password primarily depends on whether you’re using a password with random characters or one with a series of words.

If you want to create a strong password using a series of words (a “passphrase”), most information security firms recommend using at least four words that aren’t very common. As more people switch to passphrases, however, hackers will get better at cracking them.

If you’re using a password composed of random characters, about 15 should put it out of reach of modern computing capabilities. However, we don’t recommend using random-character passwords unless you’re using them with a password manager, which will help you generate and store them securely. That way you don’t have to remember them or write them down, and they will be unique.

To help with this, we’ve developed Proton Pass, our very own password manager. Not only will it generate, store, and autofill passwords as you go, but it was also created with your privacy in mind.

Unlike the password manager built into most browsers (Chrome password manager being the prime example), Proton Pass uses end-to-end encryption to keep your data safe, so safe, in fact, that even we can’t read it.

Adding to that, Proton Pass is easy to use, with a handy browser extension that will offer to save new passwords and fill in any fields it comes across. It can even remember credit card details and keep secure notes for you.

Proton is a company that was founded by scientists who met at CERN for the express purpose of making the internet a safer and more private place. If that sounds like something you’d like to be a part of, create a free Proton Pass account today and join us.


Ben Wolford

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.
