How long should my password be?

Passwords are everywhere these days: email accounts, bank accounts, social media accounts—the list goes on! Having strong passwords across all of these platforms will keep your information safe from bad actors that want to use your private information for nefarious purposes like identity theft or financial fraud.

Experts agree that length is a critical element of password strength. In fact, the National Institute of Standards and Technology (NIST) states,

Password length has been found to be a primary factor in characterizing password strength.

To strengthen the security of your online information, ensure your passwords are a random mix of at least 14 to 16 characters.

To guide your password decisions, use the Password Strength Test chart below, which is based on the Bitwarden Password Strength Generator.

If you’re asking yourself the question, “how long should my password be?” The longer a password is, the harder it is to crack using brute force algorithms. However, the length of your password often depends on the website or service and their password acceptance policies. While 14 to 16 random characters will give you great security, more characters never hurts. However, some websites place limits on password length, so you may need to adjust accordingly.

The Bitwarden password manager can auto-generate and securely store passwords up to 128 characters natively. If you need an even longer password or an SSH key, those can be stored in a Custom Field or a Secure Note.

Some websites and services require numbers, capital letters, and special characters. In general, a wider spectrum of letters plus numbers, capital letters, and special characters will increase complexity and strengthen your passwords. It is also recommended that the mix of characters be completely random and unrelated to your personal information.

The four character sets are:

1. Numerical characters such as 12345

2. Lowercase characters such as abcde

3. Uppercase characters such as ABCDE

4. Special characters such as !$%&?

A password consisting exclusively of numerical characters has only ten possible options for each character (0 – 9). If a password is six numerical characters in length, a hacker can attempt one million possible combinations (10 x 10 x 10 x 10 x 10 x 10).

However, a six-character password consisting of numbers and lowercase letters has thirty-six options for each character (0 – 9 plus a – z). Now, rather than one million possible combinations, 2,176,782,336 possible combinations exist for a six-character password.

When password complexity meets randomness

A password’s overall randomness also contributes to better password security, and passphrases are an easy way to achieve that. Using a passphrase helps as it combines memorable words or phrases known to the user but less recognizable by hackers. Here’s an example of a randomly generated passphrase using the free web-based Bitwarden Password Generator:

Another way to strengthen passwords is to avoid commonly-used dictionary words or repeated or sequential characters, such as “secret”. Likewise, some very long passwords appear in password dumps with remarkable frequency. 

One such password is `1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/`, which, despite being thirty-four characters in length, would be among the first couple of thousand attempts by a brute force hacker (you will see why if you look at your keyboard). Lots of math can come into play, but in general, longer and more unique characters create stronger passwords.

Understanding and mitigating the risks

Brute force attacks are not the only reason for account hacking. Successful phishing attacks are a common cause of data breaches, and the easier it is to remember a password, the easier it is to disclose it to an unauthorized party. Further exacerbating this threat is if the same password is used for multiple accounts to save someone from remembering various log-in credentials. A recent report demonstrates how common this poor practice is by revealing that 9 out of 10 users reuse passwords across multiple sites. 

Using an automated password generator ensures that your password is both strong and truly unique.  You can easily build stronger passwords by using the Bitwarden Password Generator, a free and secure online tool designed to generate complex passwords for every account with customization options to support any site’s password policies. Additionally, you can test the strength of new or existing credentials with the free Password Strength Tester.

A password manager like Bitwarden helps generate and store unique and complex passwords for each account. The benefit of storing passwords in a password manager is that they are encrypted, hashed, and salted to prevent unauthorized access – which is a far safer option than storing passwords in plain text format in Word documents or Excel spreadsheets! 

Bitwarden also offers a password management solution with a built-in generator across all client applications, including browser extensions, mobile and desktop apps, the web vault, and the CLI. If you’d like to start generating and storing passwords securely, sign up for a personal account, or launch a free trial for your team or enterprise business.