BreachExpress

Cybersecurity, explained for the rest of us.

Passwords & Auth

The Math of Why Long Passwords Beat Complex Ones

Margot 'Magic' Thorne@magicthorneMay 2, 202611 min read
Visual comparison showing entropy calculations for short complex password versus long simple password

You've been told to make passwords complex. Add numbers. Throw in symbols. Capitalize random letters. Mix it all together until you get something like P@ssw0rd! and call it secure.

That advice is outdated, and the math proves it. A longer password made of random words beats a shorter password with symbols, numbers, and capitals. The difference is not close. The gap is exponential.

Here's the entropy calculation that explains why, what attackers actually do when they try to crack passwords, and the numbers that settle this question permanently.

What entropy means in password terms

Entropy measures unpredictability. In password context, entropy is the number of guesses an attacker needs to try before they find your password. Higher entropy means more possible combinations, which means more time required to crack.

The formula is straightforward. Entropy equals the number of possible characters raised to the power of password length. If your password uses lowercase letters only (26 options per character) and is 8 characters long, the total number of possible passwords is 26^8, which is around 208 billion combinations.

That sounds like a lot. It is not.

A modern laptop with a decent GPU can test billions of password guesses per second under the right conditions. If an attacker has the hashed password file from a breach (which happens constantly), they can run offline attacks without rate limits. No login page slowing them down. No account lockout after three tries. Just raw computational power grinding through every possible combination.

Here's the problem with P@ssw0rd!. It's 10 characters. It uses uppercase, lowercase, numbers, and symbols. That gives you a character set of around 95 possible characters per position (26 lowercase + 26 uppercase + 10 digits + 33 symbols). So the entropy is 95^10, which is roughly 60 quadrillion combinations.

Sounds better, right? Now compare that to a passphrase like correct horse battery staple. Four random common words, all lowercase, no symbols. 28 characters total. If we treat each character as coming from a 26-letter alphabet, that's 26^28, which is around 200 octillion combinations.

The difference between 60 quadrillion and 200 octillion is not a rounding error. It's the difference between an attacker cracking your password in hours versus centuries.

How attackers actually crack passwords

Attackers do not start by guessing random strings. They use dictionaries, common patterns, and leaked password databases. They know you probably started with a word, then added a number at the end, then capitalized the first letter, then replaced an o with a 0 or an a with an @.

Security researchers call this a dictionary attack. The attacker loads a list of common passwords, common words, and common patterns, then tests variations. Password, Password1, Password!, P@ssword, P@ssw0rd, P@ssw0rd!, and so on. If your password follows a predictable pattern, it gets cracked early in the process, long before the attacker has to brute-force every possible combination.

NIST's Digital Identity Guidelines explicitly recommend against complexity requirements for this reason. Forcing people to add symbols and numbers does not increase entropy as much as you'd think, because people follow predictable patterns when they comply. The substitution of @ for a or 0 for o adds almost nothing. Attackers account for it.

Length, on the other hand, scales exponentially. Every additional character multiplies the number of possible combinations. A 16-character password has 256 times more entropy than an 8-character password using the same character set. A 20-character password has 65,536 times more entropy than an 8-character password.

Attackers know this too. That's why they focus on short passwords first. If your password is 8 characters or fewer, you are in the high-priority target group, regardless of how many symbols you crammed in.

The diceware method and why random words work

Random words defeat dictionary attacks because the attacker has to guess the combination, not just the words. If you use four random words from a list of 7,776 possible words (the standard EFF Diceware list), the number of possible four-word passphrases is 7,776^4, which is around 3.6 trillion combinations.

That's still not as strong as a 16-character random string, but it's strong enough to resist offline cracking for a meaningful amount of time, and it's vastly easier to remember than K8#mQ2$pL9@vXz.

The key word is random. If you pick four words that form a sentence or relate to each other, you've reduced the entropy. "I love my cat" is not random. "Stapler river flannel comet" is random.

In Stranger Things, when the kids are trying to guess the combination to the locked door, they start with meaningful numbers (birthdates, addresses, significant dates). The combination that works is random. If it had been Jonathan's birthday, they would have guessed it in three tries. Random defeats pattern-based attacks.

The Diceware method uses physical dice to generate truly random word selections. You roll five dice, record the numbers, look up the corresponding word in the list, and repeat until you have four or five words. No human bias. No subconscious preference for words you like. Just entropy.

If rolling dice feels excessive, a good password manager will generate random passphrases for you. NordPass can create multi-word passphrases and store them so you don't have to remember them for every account. We earn a commission on purchases through this link, at no extra cost to you.

Why complexity requirements make passwords weaker

Complexity requirements sound like security. "Your password must contain at least one uppercase letter, one number, and one symbol." Every website does this. It feels official.

It makes passwords weaker.

Here's why. When you force people to add a symbol, they add it at the end. When you force them to add a number, they add 1 or the current year. When you force them to capitalize, they capitalize the first letter. These patterns are so common that attackers build them into their cracking tools as default variations.

Research from security professionals consistently shows that complexity requirements lead to predictable passwords. People do the minimum to satisfy the rule. If the rule says "one symbol," they add ! at the end. If the rule says "one number," they add 1. The resulting password has marginally more entropy than the base word, but far less than a longer password without the forced complexity.

The other problem is memorability. P@ssw0rd!2026 is harder to remember than correct horse battery staple, but it's also weaker. The added cognitive load does not buy you security. It buys you password reuse, because people can't remember twelve different complex passwords, so they use the same one everywhere.

Password reuse is the actual threat. If you use P@ssw0rd!2026 on twenty sites and one of those sites gets breached, attackers now have your password for all twenty. Credential stuffing attacks work because people reuse passwords. Length does not fix reuse, but it does make each individual password harder to crack, which buys you time to change passwords after a breach.

NIST updated its guidance in recent years to remove complexity requirements and focus on length and uniqueness. The new recommendation is simple: make it long, make it unique, and check it against known breach databases. No forced symbols. No mandatory capitals. Just length and randomness.

The cracking timeline for different password lengths

Let's put numbers on this. I'm going to estimate cracking times for different password configurations, assuming an attacker with a decent GPU running offline attacks on a hashed password file. These are ballpark figures, but they illustrate the point.

8 characters, lowercase only (26^8): Around 200 billion combinations. A modern GPU can crack this in seconds to minutes, depending on the hashing algorithm.

8 characters, mixed case and numbers (62^8): Around 218 trillion combinations. Cracked in hours to days.

8 characters, mixed case, numbers, and symbols (95^8): Around 6.6 quadrillion combinations. Cracked in days to weeks.

12 characters, lowercase only (26^12): Around 95 quadrillion combinations. Cracked in weeks to months.

16 characters, lowercase only (26^16): Around 43 sextillion combinations. Cracked in centuries, assuming current hardware.

16 characters, mixed case, numbers, and symbols (95^16): Around 44 undecillion combinations. Cracked in millennia, give or take.

These estimates assume the password is truly random. If it's based on a dictionary word with predictable substitutions, the cracking time drops to seconds, regardless of length. P@ssw0rd!2026 is not random. It's a pattern. Attackers crack it early.

The takeaway: 16 characters of random lowercase letters is stronger than 8 characters of mixed complexity. Length scales faster than character set size.

What this means for your actual passwords

You cannot remember 16-character random strings for every account. Nobody can. That's why password managers exist. The manager remembers the random strings. You remember one strong master password.

Your master password should be long. I'd recommend at least five random words from a Diceware list, which gives you around 20-25 characters and enough entropy to resist offline cracking for years. Write it down and store it somewhere physically secure if you need to. Security professionals have been saying this for years: a strong password written on paper in your desk drawer is more secure than a weak password you remember and reuse across twenty sites.

For every other account, let the password manager generate a random string. 16 characters minimum. Use the full character set if the site allows it, but prioritize length over complexity. A 20-character lowercase password is stronger than a 12-character password with symbols.

If you're in a situation where you have to remember a password without a manager (maybe a device unlock code, or a master password for the manager itself), use random words. Four words minimum. Five is better. Six if you can manage it. Do not use a sentence. Do not use words that relate to each other. Roll dice or use a random generator.

Why sites still enforce complexity requirements

If length is better than complexity, why do so many sites still require symbols and numbers?

Legacy policy. Compliance checkboxes. Institutional inertia. The same reasons any outdated practice persists in large organizations.

CISA's password guidance now emphasizes length and uniqueness over complexity. The FTC recommends long passwords and password managers. NIST removed complexity requirements from its official guidelines years ago. But individual companies move slowly. Compliance frameworks move slower. Internal policies written in 2010 stay on the books until someone with authority rewrites them.

Some sites also conflate "difficult for humans to guess" with "difficult for computers to crack." These are not the same thing. P@ssw0rd! is difficult for a human to guess if they don't know you. It is trivial for a computer to crack because it follows a common pattern. correct horse battery staple is easy for a human to guess if they see it written down, but difficult for a computer to crack because it's 28 characters and the word combination is random.

The other issue is user behavior. Sites worry that if they don't enforce complexity, users will pick password or 12345678. That's a real concern. But the solution is not to force symbols. The solution is to check passwords against breach databases and reject any password that appears in known lists. NIST recommends this approach. It works better than complexity requirements.

The role of hashing and salting in cracking time

When a site stores your password, they should not store it in plain text. They should hash it. A hash function takes your password and runs it through a one-way mathematical process that produces a fixed-length string. The site stores the hash, not the password.

When you log in, the site hashes what you typed and compares it to the stored hash. If they match, you're in. If an attacker steals the database, they get hashes, not passwords. They have to crack the hashes to get the passwords.

Cracking a hash means guessing passwords, hashing each guess, and checking if the result matches the stolen hash. This is why offline attacks are so dangerous. The attacker can guess as fast as their hardware allows. No rate limiting. No account lockout.

The speed of cracking depends on the hashing algorithm. Some algorithms (like MD5 or SHA-1) are fast, which is bad for defense. A GPU can compute billions of MD5 hashes per second. Other algorithms (like bcrypt, scrypt, or Argon2) are deliberately slow, which is good for defense. They limit how many guesses per second an attacker can try.

Salting adds randomness to the hash. A salt is a random string added to your password before hashing. Two users with the same password get different hashes because they get different salts. This defeats precomputed hash tables (rainbow tables) and forces attackers to crack each password individually.

Even with strong hashing and salting, a short password is still weak. If your password is 8 characters, an attacker can crack it in days or weeks, even with bcrypt. If your password is 16 characters, cracking it takes years or centuries, even with fast hashing.

The site's hashing choice is not under your control. Your password length is. Assume the worst-case hashing (fast algorithm, no salt) and make your password long enough to survive it.

Passkeys and the future of authentication

Passwords are not the future. Passkeys are. A passkey is a cryptographic key pair stored on your device. The private key never leaves your device. The public key lives on the server. When you log in, your device proves it has the private key without transmitting it. No password to steal. No password to crack.

CISA has been promoting passkeys as phishing-resistant authentication. The UK's National Cyber Security Centre endorses them. Microsoft has been pushing adoption. Passkeys solve the password problem by eliminating passwords.

But adoption is slow. Most sites still use passwords. You still need a password manager. You still need long, random, unique passwords for every account until passkeys become universal.

In the meantime, the math is clear. Length beats complexity. A 16-character password made of random lowercase letters is stronger than an 8-character password with symbols, numbers, and capitals. A 20-character passphrase made of random words is stronger than a 10-character password that follows every complexity rule.

Make them long. Make them random. Let a password manager handle the randomness and the storage. Save your memory for your master password, and make that one count.

If you need a password manager to handle the long random passwords this article recommends, NordPass generates passphrases, stores them across devices, and monitors breaches. We earn a commission on purchases through this link, at no extra cost to you.

Timeline showing cracking time difference between 8-character and 16-character passwords
→ Filed under
passwordsauthenticationentropypassword-securitypassword-managerscybersecurity-basics
ShareXLinkedInFacebook

Frequently asked questions

Each additional character multiplies the search space exponentially, while adding a new character type only expands the pool by a smaller factor. Going from 8 to 16 lowercase-only characters increases combinations by a factor of around 208 billion. Adding symbols to an 8-character password expands the pool by about 3.6 times. Length scales much better.
On modern GPUs with weak hashing like MD5, attackers can test around 100 billion guesses per second. The hashing algorithm the breached site used matters enormously. bcrypt, scrypt, and Argon2 are deliberately slow and limit attackers to thousands of guesses per second instead of billions, buying enormous additional time.
Because forcing symbols and capital letters creates predictable patterns that attackers test early: capital first, number near the end, symbol at the end. Users satisfying minimum requirements with maximum predictability produce weaker passwords overall. NIST now recommends long, random, never reused, and checked against breach databases.
A five-word Diceware passphrase produces around 28 quadrillion combinations. A six-word passphrase reaches 221 quadrillion. Both vastly exceed the practical cracking capacity for well-resourced attackers, and either passphrase is far easier to memorize than an equivalent-entropy random string of characters.
Compliance frameworks and legacy policy move slowly even after guidance updates. Many organizations enforce outdated requirements because they are written into standards that predate the current research. The practical solution is a password manager that generates long random strings and removes the human memorability problem entirely.

You might also like

Locked vault with recovery key beside it
Passwords & Auth

What to Do When You Forget Your Master Password

Forgot your password manager master password? Here's the step-by-step recovery process, what works, what doesn't, and how to prevent lockout next time.

11 min · Margot 'Magic' Thorne · May 14

Clean dashboard interface showing Microsoft account security settings with checkmarks next to completed review items
Passwords & Auth

Audit Your Microsoft Account: Step-by-Step Security Review

Walk through Microsoft's security settings to review passwords, devices, permissions, and recovery options. Here's what to check, what to change, and why each step matters.

11 min · Margot 'Magic' Thorne · May 12

Split-screen illustration showing a family on one side and an encrypted vault icon on the other, connected by a secure bridge
Passwords & Auth

How to Share Passwords with Family Without Compromising Security

Password sharing within families creates real security risks. Here's the step-by-step method for sharing credentials safely using password managers and shared vaults.

11 min · Margot 'Magic' Thorne · May 10