What's the recommended minimum password length, and why does length matter more than complexity?
At least 12 characters. Length beats complexity because each extra character multiplies the search space.
* Entropy grows linearly with length — length outpaces a bigger charset. *
The math:
- An 8-character password from a 70-char alphabet → 70⁸ ≈ 5.8 × 10¹⁴ combinations
- A 12-character password from the same set → 70¹² ≈ 1.4 × 10²² — about 24 million times larger
- A high-end GPU around 2026 can do on the order of ~100 billion NTLM hashes/second — so the 8-char space falls in ~1 hour, but the 12-char space takes ~4,500 years at the same rate
Why length wins:
Adding one character multiplies the search space by the alphabet size (~70). Adding one type of character (e.g. symbols) only widens the alphabet a bit. So correcthorsebatterystaple (25 lowercase chars) is vastly stronger than Tr0ub4dor&3 (11 chars with all the "complexity").
Visualizer: https://www.security.org/how-secure-is-my-password/ — try comparing 8-char complex vs 16-char passphrase.
Tip: Famous XKCD on this — https://xkcd.com/936/.
Go deeper:
NIST SP 800-63B §5.1.1 — Memorized Secrets — the standards body that mandates length, drops arbitrary complexity rules, and requires breach-list checks.