Choosing secure passwords is an important part of protecting your online accounts. When creating a password, minimum password length is one key factor that impacts how strong your password is against hackers. But what exactly is the minimum recommended password length to aim for?
This article will provide guidelines and best practices around minimum password length. We’ll cover factors like password guidelines from major technology companies and standards bodies, research on password cracking, defense against brute force attacks, and more.
By the end, you’ll understand the general rules of thumb for how long your passwords should be to balance security and usability. Let’s dive in!
Minimum Password Length Guidelines
Many major technology companies and organizations provide password rules and guidelines. These provide a good starting point for understanding the minimum length generally recommended.
NIST Password Guidelines
The National Institute of Standards and Technology (NIST) publishes widely used digital identity guidelines. Their NIST Special Publication 800-63B includes password best practices.
NIST states that passwords should be at least 8 characters long. However, they recommend considering longer passwords up to 64 characters if your system can support them.
Microsoft Password Rules
Microsoft account passwords must meet these minimum requirements:
- At least 8 characters long
- It cannot contain parts of the user’s account name
Additionally, Microsoft recommends using the maximum allowed length for increased security. For example, Microsoft 365 allows for passwords up to 256 characters long.
Apple Minimum Password Length
For Apple IDs and iCloud, Apple requires passwords to have these attributes:
- Minimum 8 characters
- The mix of letters, numbers, and symbols
While not mandatory, Apple suggests using longer 12+ character passwords when possible.
Google Password Length Rules
The minimum standards for Google accounts are:
- At least 8 characters
- Should use a mix of uppercase, lowercase, numbers, and symbols
Google also automatically checks password strength and urges users to avoid common or compromised credentials.
So across major technology platforms, 8 characters tend to be the minimum password length permitted, with longer passwords encouraged. Next, let’s look at why longer passwords improve security.
Why Longer Passwords Protect Against Hacking
Length is an important attribute because longer passwords are more complex and entropy. This makes several types of common attacks much harder:
Brute Force Attack Protection
A brute force attack occurs when an attacker tries every possible password combination. A longer minimum length protects against this.
For example, for 6 lowercase letters, there are 2,176,782,336 possible passwords. But at 12 lowercase letters, there are over 730 trillion possibilities! This exponentially grows as length increases, making brute force less feasible.
Defense Against Dictionary Attacks
Hackers use huge lists of real dictionary words and combinations in a dictionary attack, hoping they match credentials.
With just one real word (usually under 8 characters), this attack will likely succeed. Adding additional words or characters makes dictionary attacks nearly impossible as permutations grow exponentially.
Randomness and Entropy
Password entropy measures the amount of randomness across all characters, which adds strength. Entropy increases dramatically with the longer length.
Randomly generated 12-character passwords are orders of magnitude more entropy than basic 8-character versions.
So, in summary – longer passwords protect against simple guessing, tools cycling through word lists, brute forcing all combinations, and low entropy patterns. Next, we’ll quantify how much cracking difficulty goes up with length.
Password Cracking Speed Analysis
To demonstrate mathematically why length matters, let’s see some estimates for how long it would take to crack passwords at different lengths.
For example, security expert Jeff Atwood analyzed research from password cracking tool Hashcat to find:
- 8-character password – can be cracked in 2 hours
- 10-character password – would take 59 days to crack
- 12-character password – would take over 100 years to crack
This shows even a small increase in password length makes a tremendous difference in cracking difficulty!
Password length is one of the easiest ways to exponentially boost strength without memorizing complex strings. Let’s look at some general guidelines next.
Recommended Minimum Password Length
Based on the analysis so far, here are some high-level rules of thumb for minimum password length:
The absolute Bare Minimum is 8 Characters
The bare minimum length for consumer passwords is 8 characters since that is the baseline permitted by most providers.
However, stopping at the absolute minimum is not ideal from a security standpoint.
12+ Characters Ideal for Most Accounts
A good standard minimum length that balances security with usability for average consumer passwords is 12 characters or longer when allowed.
At this length, which is generated randomly, the entropy grows to a very robust level against most brute force and dictionary attacks within reason. 12-character strings are manageable and can be memorized or stored without hassle.
Of course, push for longer lengths, like 15 or more characters, for accounts holding sensitive data like financial systems or admin access.
Up to 64 Characters for High-Security Systems
Minimums of 64 characters are reasonable for securing sensitive enterprise systems, user accounts providing privileges, and similar scenarios.
At this kind of length, which is randomly generated, essentially all brute force attacks become impossible from a computational standpoint. So enforcing long minimums like 64 characters drastically reduces risk vectors from password hacking.
Exceptions Where Shorter Passwords Work
There are some edge cases where shorter minimum passwords down to 6 characters may be acceptable or standard industry practice:
Low-Risk Systems
For very low-sensitivity systems like website comments, WiFi hotspot logins, consumer IoT devices, etc., strict length minimums beyond 6 characters could be overkill. However, we should still push for 8+ where feasible.
External Authentication Usage
Sometimes, shorter managed passwords are used with additional authentication factors like tokens, smart cards, biometrics, etc. These can compensate for shorter base passwords in some cases.
Conclusion and Best Practices
Minimum password length has significant impact on overall security and resilience to common password attacks like brute force and dictionary attacks.
To summarize password length guidelines:
- The absolute bare minimum is 8 characters
- 12+ characters provide robust security for average users
- 64+ character passwords protect highly privileged accounts
- 6+ characters only acceptable for some low-sensitivity use cases
- Combine with MFA/2FA when possible as extra safety
Focus first on length over complex special characters as an easier way to boost entropy substantially. To ensure you cross minimum bars, use a password manager to generate sufficiently long random passwords for each unique site and account.
Following strict minimum length rules, creating unique passwords across accounts, enabling MFA/2FA, and actively managing credentials will together provide vastly improved password protections compared to common pitfalls like reused passwords under 8 characters.
Put these password best practices into place for both professional and personal accounts to mitigate risk of devastating password hacking and data theft.