How long should my password be?

***UPDATED 8-13-19 with new password information from the National Institute of Standards and Technology***

Some people roll their eyes. Some people groan out loud.

Coming up with a new password can take top spot in some people’s Most Annoying Tasks list.

So, just how long does it really need to be?

Watch here:

How Long?

Doug needs another cup of coffee.

He has to come up with yet another password for yet another account.

And he’s about to give up and go with “12345.”

But wait —  security experts say you should make your password at least three times as long to keep the bad guys from breaking in.

Shoot for at least 15 characters.

And more is even better. (Some security experts use 30-character passwords!)

Why So Long?

Attackers can use automation to keep guessing your password until they nail it.

If you use common, short passwords like “cheese” or “banana,” well, the bad guys are probably already in your account.

And if you use the same password on many accounts, you’re making the bad guys very happy.

Research shows they can crack a five-character password in seconds, and an eight-character password —— depending on the complexity — in a matter of hours.

But a 15-character password will take much longer.

And it’s not as hard to make as it may sound.


Alphabet combination lock representing password security
An 8-character password can be cracked in seconds to hours, depending on its complexity. Image: Gino Crescoli

What to Do

Some experts recommend you come up with five random words.

We’ll choose, just for example:






Put them together to make a 32-character password, servingsweetcrustymustard pretzel, that would take two octillion years to crack, according to

Having trouble? You can use a random word generator to come up with those random words, if that works best for you.

Some experts recommend you use a passphrase, like, “Takemetothegrocerystore” — a 23-character password — so you can remember more easily.

Get the %$*&@?! Out

In the past, some experts advised people to mix in capitals, special characters and numbers, too.

That could turn:




But now the National Institute of Standards and Technology has finalized its latest guidelines for passwords, with some new instructions:

—Companies should not make people add in complexity, like special characters and numbers. 

—Companies should not make people change their passwords regularly, but only if there’s evidence of a problem.

That means you don’t need to add in the %$*&@?! anymore!

However, many sites and companies have not caught up with the new guidelines and still require this complexity.

So, you may need to add those capital letters, numbers and special characters in for some passwords for now.

How Do You Remember Them All?

The answer — you don’t.

Store your passwords in a password manager so you don’t have to remember them.

Now, Doug can stay secure without losing his mind — or his lunch.


See more answers from Archer News:

What is a honeypot?

What is Shodan?

What is ICS?

What is a DDoS?


Main image: Giraffe. Image: Melanie van de Sande

Leave a Reply