2024 NIST rules on minimum password length: Aim for 16 characters or more!

With the rise of quantum computers, passwords need to be longer - and more complex. These tips help you secure your online accounts.

Chart on password security based on length and complexity according to 2024 recommendations by NIST and CISA

At Tuta our focus is to keep our users' data secure with quantum-safe encryption. To achieve maximum security, the importance of strong, secure passwords that are long enough cannot be overstated. Passwords, and their length in particular, are the first line of defense against unauthorized access that could harm your data or yourself. While factors like complexity and unpredictability matter, experts emphasize that length is a critical element of password security. But given the new threats posed by quantum computers, what is the optimal minimum password length recommended by NIST and CISA?


What security experts say

Cybersecurity experts consistently advocate for longer passwords as a key component of robust security. “Password length significantly increases the time and computational resources needed to crack it,” says Bruce Schneier, a renowned cryptographer and security expert. “A longer password exponentially raises the difficulty for brute force attacks, making it a crucial aspect of password strength.”

The U.S. National Institute of Standards and Technology (NIST) has in the past recommended a minimum password length greater than 14 characters for secure passwords, while also stating that the absolute minimum password length shall be 8 characters and that the optimal password length is between 14 and 16 characters. NIST also highlights that longer passwords are better and more resilient against modern cracking techniques, including advanced targeted attacks, for instance by state actors or secret services, that are capable of using powerful hardware or even quantum computing. As computational power increases, passwords also need to increase in length to withstand attacks.


Make your password 16 characters or longer

The following chart on password length and complexity is based on the recommendations by NIST and CISA, published in 2024. With the advance of quantum computers, everyone needs to review their password length to check whether passwords are still strong enough to withstand attacks from quantum computers with much higher computational power than traditional computer systems.

Chart on password security based on length and complexity according to 2024 recommendations by NIST and CISA.

While security experts suggest at least 12 characters for a good minimum password length, passwords of 16-20 characters or more are ideal for highly sensitive accounts. America’s Cyber Defence Agency (CISA) recommends:

“At least 16 characters - longer is stronger!”

The US National Institute of Standards and Technology (NIST) has updated their password length recommendations in 2024 and states:

“Password length is a primary factor in characterizing password strength.”

In 2024, NIST published a new guideline for online services in regard to password requirements to make these more secure. Similar to CISA’s recommendation of 16 characters for the ideal minimum password length, NIST states that a secure password SHOULD:

“be a minimum of 15 characters in length.”

Password length vs complexity

Given the new, increased password length, previous tips about using special characters and avoiding dictionary words do not weigh as heavily as they do with shorter passwords. In general, security experts say: the longer, the better. But if you want to aim for the perfect password, there’s no harm in following these recommendations as well:

  • Uppercase and lowercase letters: KLJDFwerfn
  • Numerical characters: 923857
  • Special characters: =)§)]€&
  • Randomness: It’s important to avoid predictable patterns, dictionary words only, or personal information.

The size of the character pool determines how many combinations an attacker has to try:

  1. Numerical-only passwords: A password consisting exclusively of numerical characters (0–9) provides only ten possible options for each character. For example, an eight-character numerical password would have 10 × 10 × 10 × 10 × 10 × 10 × 10 × 10 = 100,000,000 (100 million) possible combinations.

  2. Numbers and lowercase letters: Adding lowercase letters (a–z) to the mix expands the pool to thirty-six possible options for each character. For an eight-character password using both numbers and lowercase letters, the number of combinations increases dramatically to 36 × 36 × 36 × 36 × 36 × 36 × 36 × 36 = 2.8211099e+12 (two trillion, eight hundred and twenty-one billion, one hundred and nine million, nine hundred thousand) possible combinations.

To balance security and usability, consider using passphrases: a series of random words strung together (e.g., “Solar-Miles50>Lunar-Meters51!”), which are easy to remember but difficult to guess.

When choosing a secure password, do consider that both length and complexity are important. Pro tip: If you have difficulty with complexity, just make your password longer, and you’ll get a similar effect in terms of password strength.

Password length vs time to crack

The length of a password is one of the most critical factors in determining how long it takes for a hacker to crack it. Password cracking tools rely on brute force - a method that systematically tries every possible combination until it finds the correct one. This attack takes time, and how much depends on the length of the password: the time a brute-force attacker needs grows exponentially with each additional character. For example, a password that is six characters long may take minutes or hours to crack, depending on its complexity and the computing power available. Increasing the length to 12 characters, however, can make the cracking process take years or even centuries, especially when combined with diverse character types like numbers, uppercase and lowercase letters, special characters and symbols.

This exponential increase in time underlines why longer passwords provide stronger protection.
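As an added example (not Tuta's code), the following Python script puts numbers on the keyspace arithmetic from the two worked examples above, on the passphrase approach, and on the brute-force timing just discussed. It assumes the 95 printable ASCII characters split into the four classes below, a 7776-word passphrase list, and an attacker guessing 10^10 passwords per second against a fast hash.

```python
import math

# Printable ASCII splits into these classes (10 + 26 + 26 + 33 = 95 characters).
CHARSET_SIZES = {
    "digits": 10,      # 0-9
    "lowercase": 26,   # a-z
    "uppercase": 26,   # A-Z
    "symbols": 33,     # punctuation and space
}
ALL_CLASSES = tuple(CHARSET_SIZES)

def pool_size(classes):
    """Number of distinct characters available when the given classes are mixed."""
    return sum(CHARSET_SIZES[c] for c in classes)

def keyspace(length, classes):
    """Number of possible passwords of exactly `length` characters drawn from `classes`."""
    return pool_size(classes) ** length

def passphrase_keyspace(words, wordlist_size):
    """Number of possible passphrases built from `words` random entries of a wordlist."""
    return wordlist_size ** words

def entropy_bits(size):
    """Strength expressed in bits: log2 of the number of possibilities."""
    return math.log2(size)

def min_length_for_bits(target_bits, classes):
    """Shortest random password from `classes` that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(pool_size(classes)))

def expected_crack_seconds(size, guesses_per_second):
    """Average brute-force time: half the keyspace is tried on average before a hit.
    guesses_per_second is an assumption about the attacker's hardware."""
    return size / (2 * guesses_per_second)

if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate (guesses/second) against a fast hash
    for label, size in [
        ("8 digits", keyspace(8, ["digits"])),
        ("8 digits + lowercase", keyspace(8, ["digits", "lowercase"])),
        ("16 chars, all classes", keyspace(16, ALL_CLASSES)),
        ("4 words, 7776-word list", passphrase_keyspace(4, 7776)),
    ]:
        years = expected_crack_seconds(size, rate) / (365.25 * 24 * 3600)
        print(f"{label:26} {size:>34,d}  {entropy_bits(size):6.1f} bits  {years:.3g} years")
    print("chars for 128 bits, all classes:", min_length_for_bits(128, ALL_CLASSES))
```

Changing `rate` shows why the exact hardware matters less than length: every extra character from the full pool multiplies the work by 95, so one more character buys more than a tenfold faster attacker can take away.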

The 2024 recommendations by NIST on best minimum password length and password structure also need to be mirrored by online services that have to update their password requirements, and – most importantly – need to allow longer passwords as many services still limit the number of characters that users can enter when creating passwords. Tuta Mail, on the other hand, asks for a password length of at least 10 characters, but allows unlimited password lengths. In addition, Tuta offers a password generator upon sign-up that already incorporates NIST’s guidelines by generating long passphrases with randomly selected words so that the password is long enough to achieve optimal strength.

We explain here in more detail how to create a strong password.

Why longer passwords are better

The minimum length of a password directly correlates with the number of possible combinations a malicious actor must try to guess it.

For instance:

  • A 10-character password using a mix of uppercase, lowercase, numbers, and symbols offers around 83 sextillion combinations.

  • A 16-character password expands this to over 10 octillion combinations, a massive leap in difficulty.

Even quantum computers, which are expected to pose significant challenges to traditional encryption, will still find long passwords with unpredictable structures challenging to crack.


Insights from the Tuta Mail user survey

We at Tuta Mail focus on state-of-the-art security and have already integrated quantum-safe encryption into our email and calendar services. In Tuta the user’s private key is secured with their password, so choosing a long and strong password is even more important. Thus, we conducted a survey among 2,500 users to better understand how much people know about password security.

Password length of Tuta users: How long is your average password? It is … characters long.

Given that Tuta users do not represent the average internet user, but are very tech-savvy and interested in security, the results are shocking:

  • 16% generally use passwords of up to 10 characters.
  • 32% use passwords with a length of 11–15 characters.
  • 31% use 16 to 20 characters for their passwords to provide a strong level of security.
  • 21% prefer passwords longer than 20 characters for maximum protection.

It’s surprising – even shocking – to see that, even though Tuta users know so much about security, 16% still choose a password of only up to 10 characters (which is not secure enough!) and 32% settle for a password of 11 to 15 characters, even though longer passwords would definitely be better, particularly with the rise of quantum computers.

We have to keep in mind that the average Tuta user knows a lot more about online security than the average internet user. For instance, the same survey also showed that 90% of users know how to encrypt an email end-to-end with Tuta Mail, and 43% are proficient in using PGP encryption, a number that we would definitely not reach had we put these questions to the general public.

Despite this high level of digital knowledge, 34% of Tuta users use a password of 14 characters or fewer, even for private accounts like their encrypted mailbox.

This shows we still have a long way to go to educate people on best security practices online.

Lessons from the Tuta survey

The survey results reveal a sophisticated understanding of security among Tuta users but also highlight room for improvement. While 52% of users aim for passwords longer than 15 characters, 16% still consider passwords of 10 characters or fewer sufficient, which leaves accounts vulnerable.

As the users of the quantum-safe email provider Tuta Mail are more knowledgeable than the average internet user, it is shocking that 16% use passwords with only 10 characters or even less. This begs the question of how many online accounts are vulnerable to brute-force attacks. In short, it must be a lot.

Password length is one of the most effective and straightforward ways to improve online security. With the growing threat of cyberattacks - and the looming threat of quantum computing - using long and complex passwords is a must.

The results of Tuta’s survey highlight the need to educate people better on the optimal minimum password length and to encourage them to use password managers as well as random password generators. In addition, important accounts must be secured with two-factor authentication, ideally with hardware U2F keys.

Let’s work together for a more private Internet and better protection of your data!
