Tuta Survey Results: Only about half the users use passwords that are long enough.

Why password length matters for online security & best practices to protect your online accounts.

Tuta Survey Results - While 52% of users adhere to or exceed the minimum 16-character guideline for passwords, nearly half fall short of this benchmark, with a substantial 16% using passwords of just 10 characters or less.

At Tuta our focus is to keep our users' data secure with quantum-safe encryption. To achieve maximum security, strong passwords that are long enough are essential. The password is the first line of defense against unauthorized access to your data. While complexity and unpredictability matter, experts emphasize that length is the critical element of password strength. But do people today know how long a password should be?


What security experts say

Cybersecurity experts consistently advocate for longer passwords as a key component of robust security. “Password length significantly increases the time and computational resources needed to crack it,” says Bruce Schneier, a renowned cryptographer and security expert. “A longer password exponentially raises the difficulty for brute force attacks, making it a crucial aspect of password strength.”

The U.S. National Institute of Standards and Technology (NIST) has long required online services to accept passwords of at least 8 characters and, in its 2024 draft revision of SP 800-63B, recommends a minimum of 15 characters for passwords used without a second factor. Many security practitioners go further and advise 14 to 16 characters or more, because longer passwords are more resilient against modern cracking techniques, including targeted attacks by well-resourced adversaries such as state actors with access to powerful hardware and, in the longer term, quantum computers. As computational power grows, passwords must grow in length to withstand attacks.

Insights from the Tuta Mail user survey

We at Tuta Mail focus on state-of-the-art security and have already integrated quantum-safe encryption into our email and calendar services. In Tuta the user's private key is encrypted with a key derived from their password, so choosing a long and strong password is even more important. For this reason we conducted a survey among 2,500 users to better understand how much people know about password security.

Password length of Tuta users: How long is your average password? It is … characters long.

Given that Tuta users are not average internet users but very tech-savvy and interested in security, the results are shocking:

  • 16% generally use passwords of up to 10 characters.
  • 32% use passwords with a length of 11–15 characters.
  • 31% use 16 to 20 characters for their passwords to provide a strong level of security.
  • 21% prefer passwords longer than 20 characters for maximum protection.

It is surprising, even shocking, that although Tuta users know so much about security, 16% still choose a password of at most 10 characters (which is not secure enough!) and 32% settle for a password of 11 to 15 characters, even though longer passwords would definitely be better, particularly with the rise of quantum computers.

We have to keep in mind that the average Tuta user knows a lot more about online security than the average internet user. For instance, the same survey also showed that 90% of users know how to encrypt an email end-to-end with Tuta Mail, and 43% are proficient in using PGP encryption, a number that we would definitely not reach had we put these questions to the general public.

Despite this high level of digital knowledge, 34% of Tuta users use a password of 14 characters or fewer, even for sensitive accounts such as their encrypted mailbox.

This shows we still have a long way to go to educate people on best security practices online.

Why password length matters

The length of a password directly determines the number of combinations an attacker must try to guess it, provided every character is chosen at random. Assuming all 95 printable ASCII characters (uppercase, lowercase, digits and symbols):

  • A random 10-character password offers 95^10, about 6×10^19 (60 quintillion) combinations, roughly 66 bits of entropy.

  • A random 16-character password offers 95^16, about 4.4×10^31 (44 nonillion) combinations, roughly 105 bits: a leap of twelve orders of magnitude.

Note that this only holds for random passwords. A 16-character password built from a name, a word and a year has far fewer effective combinations than the arithmetic suggests, because attackers try such patterns first.

Quantum computers are expected to pose significant challenges to today's public-key encryption, but they are far less of a threat to long random passwords: Grover's algorithm gives at most a quadratic speed-up over brute-force guessing, so a random 16-character password drawn from all printable ASCII (about 105 bits) would still retain roughly 52 bits of strength, and the password-hashing step has to be evaluated inside every quantum guess as well. Since we at Tuta already offer quantum-safe encryption for emails and calendars, it is now even more important for all Tuta users to switch to long, secure passwords.
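The arithmetic behind these figures, as an added example rather than anything from the Tuta post: the functions below compute the search space and entropy for random character strings and random word passphrases, estimate the expected time of an offline brute-force search at an assumed guessing rate, and show the effect of Grover's quadratic speed-up. The 95-character alphabet, the 7776-word list size and the rate of 10^12 guesses per second are assumptions chosen for illustration.

```python
import math

# Alphabet sizes used in the worked figures. Both are assumptions for this
# example: 95 printable ASCII characters (upper, lower, digits, symbols, space)
# and a 7776-word (6^5) diceware-style list for passphrases.
PRINTABLE_ASCII = 95
DICEWARE_LIST = 7776


def search_space(symbols: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols from an alphabet of `symbols`."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a password whose every symbol is chosen uniformly at random.
    A hand-picked password has far less entropy than this formula suggests."""
    return length * math.log2(symbols)


def expected_crack_seconds(symbols: int, length: int, guesses_per_second: float) -> float:
    """Expected time of an exhaustive search: on average half the space is tried."""
    return search_space(symbols, length) / 2 / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def grover_effective_bits(bits: float) -> float:
    """Grover's algorithm offers at most a quadratic speed-up over classical
    brute force, which is equivalent to halving the effective bit strength."""
    return bits / 2


def strength_row(label: str, symbols: int, length: int, rate: float) -> dict:
    bits = entropy_bits(symbols, length)
    return {
        "label": label,
        "space": search_space(symbols, length),
        "bits": round(bits, 1),
        "grover_bits": round(grover_effective_bits(bits), 1),
        "years_at_rate": seconds_to_years(expected_crack_seconds(symbols, length, rate)),
    }


def strength_table(rate: float = 1e12) -> list[dict]:
    """Compare random character passwords with random word passphrases at an
    assumed offline guessing rate. 1e12 guesses/s is an optimistic figure for a
    fast unsalted hash on a GPU cluster; a slow, memory-hard key derivation
    function lowers the achievable rate by many orders of magnitude."""
    rows = [strength_row(f"{n} random ASCII chars", PRINTABLE_ASCII, n, rate)
            for n in (8, 10, 12, 16, 20)]
    rows += [strength_row(f"{n} random diceware words", DICEWARE_LIST, n, rate)
             for n in (4, 5, 6, 7)]
    return rows


if __name__ == "__main__":
    for row in strength_table():
        print(f"{row['label']:<26} {row['space']:.2e} combos  {row['bits']:>6.1f} bits "
              f"({row['grover_bits']:.1f} under Grover)  ~{row['years_at_rate']:.3g} years @ 1e12/s")
```

Running it prints one row per password type. Two things stand out: six random diceware words (about 78 bits) are close to 12 random ASCII characters (about 79 bits) while being far easier to remember, and a random 10-character password falls to a 10^12 guesses per second attacker in about a year, whereas the 16-character one takes around 10^12 years even before a slow key derivation function throttles the rate.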

Make your password 16 characters or longer

Password strength chart showing the optimal length recommended by NIST and CISA in 2024.

While security experts suggest at least 12 characters as a good password length, passwords of 16 to 20 characters or more are ideal for highly sensitive accounts. America's Cyber Defense Agency (CISA) recommends:

“At least 16 characters - longer is stronger!”

The US National Institute of Standards and Technology (NIST) updated its password length recommendations in the 2024 draft revision of SP 800-63B and states:

“Password length is a primary factor in characterizing password strength.”

In 2024, NIST published new draft guidance for online services on password requirements to make them more secure. Similar to CISA's recommendation of 16 characters as the ideal password length, NIST states that a secure password SHOULD:

“be a minimum of 15 characters in length.”

Given the new, longer minimum length, the older tips about special characters and avoiding dictionary words no longer weigh as heavily as they did for short passwords: a long password drawn at random from an ordinary alphabet already has more entropy than a short one padded with symbols. In general, security experts say, the longer, the better. But if you want to aim for the perfect password, there is no harm in following these recommendations as well:

  • Uppercase and lowercase letters.
  • Numbers and special symbols.
  • Randomness: It’s important to avoid predictable patterns, dictionary words, or personal information.

To balance security and usability, consider using passphrases: a series of randomly chosen words strung together (e.g. “SolarMiles50>LunarMeters51!”), which are easy to remember but difficult to guess. The strength comes from picking the words at random, ideally with a generator drawing from a large word list, not from the digits and symbols added around them.

These NIST recommendations also need to be mirrored by online services, which have to update their password requirements and, most importantly, allow longer passwords: many services still cap the number of characters a user can enter when creating a password. Tuta Mail, for instance, requires a password of at least 10 characters but places no upper limit on its length. In addition, Tuta offers a password generator at sign-up that already follows NIST's guidance by generating long passphrases from randomly selected words, so the password is long enough to reach optimal strength.
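To show both sides of the passphrase advice above and the service-side requirements in this paragraph, here is an added example that is not Tuta's code: a generator that picks words with a cryptographically secure random source, next to a verifier-side policy check modelled on NIST SP 800-63B (minimum length only, no composition rules, NFKC normalization, no truncation, and a blocklist). The 32-word sample list, the blocklist entries, the 15-character minimum and the 1024-character cap are all constructed assumptions for illustration; Tuta's own minimum is 10 with no cap.

```python
import math
import secrets
import unicodedata

# Constructed 32-word sample list for this example only. A real generator must
# use a large list (the EFF long list has 7776 words): with 32 words each word
# contributes just log2(32) = 5 bits, so even six words give only 30 bits.
SAMPLE_WORDS = [
    "apple", "basket", "candle", "dragon", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pillow",
    "quartz", "rabbit", "saddle", "timber", "umbrella", "violet", "walnut", "yellow",
    "zipper", "anchor", "bridge", "castle", "desert", "falcon", "glacier", "helmet",
]

# Verifier-side policy modelled on NIST SP 800-63B: length is the only
# composition requirement, long passwords are accepted rather than truncated,
# and candidates are screened against a blocklist. Limits are assumptions.
MIN_LENGTH = 15     # NIST's SHOULD-level minimum for password-only accounts
MAX_LENGTH = 1024   # generous cap that only protects the KDF from absurd inputs
# Tiny constructed stand-in for a breach-corpus blocklist (compared case-folded,
# with separators removed, so "correct horse battery staple" is still caught).
BLOCKLIST = {
    "passwordpassword", "password1234567", "1234567890123456",
    "qwertyuiopasdfghjkl", "correcthorsebatterystaple", "iloveyouiloveyou",
}


def generate_passphrase(words=SAMPLE_WORDS, count: int = 6, separator: str = "-") -> str:
    """Pick `count` words independently with the CSPRNG (`secrets`, never `random`)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size: int, count: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a list of `list_size`."""
    return count * math.log2(list_size)


def normalize(password: str) -> str:
    """NFKC normalization, as NIST recommends, so that visually identical Unicode
    input compares equal at enrolment and at login."""
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason). Length is counted in code points, not bytes,
    so every non-ASCII character counts as one; nothing is truncated."""
    pw = normalize(candidate)
    n = len(pw)
    if n < MIN_LENGTH:
        return False, f"too short: {n} characters, need at least {MIN_LENGTH}"
    if n > MAX_LENGTH:
        return False, f"too long: {n} characters, limit is {MAX_LENGTH}"
    folded = pw.casefold()
    compact = "".join(ch for ch in folded if ch.isalnum())
    if folded in BLOCKLIST or compact in BLOCKLIST:
        return False, "commonly used password"
    if len(set(folded)) == 1:
        return False, "repetitive characters"
    return True, "ok"


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_password(phrase))
    print(f"{passphrase_entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits from the 32-word sample list, "
          f"{passphrase_entropy_bits(7776, 6):.1f} bits from a 7776-word list")
    for bad in ("Tr0ub4dor&3", "correct horse battery staple", "aaaaaaaaaaaaaaaaaaaa"):
        print(repr(bad), check_password(bad))
```

The policy deliberately has no "must contain a digit and a symbol" rule: such rules push users toward predictable substitutions while adding little entropy, which is why the 2024 NIST draft tells verifiers not to impose them. The blocklist comparison strips separators so that well-known phrases are rejected whether typed with spaces, hyphens or nothing at all.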

We explain here in more detail how to create a strong password.

Lessons from the Tuta survey

The survey results reveal a sophisticated understanding of security among Tuta users but also highlight room for improvement. While 52% of users choose passwords of 16 characters or more, 16% still consider passwords of 10 characters or fewer sufficient, which leaves their accounts vulnerable.

As the users of the quantum-safe email provider Tuta Mail are more knowledgeable than the average internet user, it is shocking that 16% use passwords of 10 characters or fewer. This raises the question of how many online accounts in general are vulnerable to brute-force attacks. In short, it must be a lot.

Password length is one of the most effective and straightforward ways to improve online security. With the growing threat of cyberattacks - and the looming threat of quantum computing - using long and complex passwords is a must.

The results of Tuta’s survey highlight the need to educate people better on optimal password length, to encourage them to use password managers, as well as random password generators. In addition, important accounts must be secured with two-factor authentication, best with hardware U2F keys.

Let’s work together for a more private Internet and better protection of your data!