{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiarnsp74akviuljhfj34umxhwwqgdyszekoqcjvd3fe6cddt6qlfy",
    "uri": "at://did:plc:pxff4aqicxmuwb4wvspme6jo/app.bsky.feed.post/3mkxmfiioapd2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreiax2g3vrvnnm2zgssboypsakn5x2km4y3no3olmz3mdbcyf2wtaz4"
    },
    "mimeType": "image/jpeg",
    "size": 90601
  },
  "description": "Have you ever had a debate with a friend and then realized suddenly that you're both saying the same thing from different angles?\n\nThis week, the topic of passwords came up in my life and the \"length matters more than complexity\" advice was once again offered. Every time this topic comes up, I struggle to wrap my head around it. Once I understand it, I realize it's not entirely true. But this week, I realized that there's a deeper lesson underneath it. (Not to sound overly dramatic or anything.)",
  "path": "/password-length-vs-complexity-what-it-really-means/",
  "publishedAt": "2026-05-03T16:48:50.000Z",
  "site": "https://ghost.thenewoil.org",
  "tags": [
    "focus",
    "Top 200 Most Common Passwords",
    "over 100",
    "The New Oil | Cybersecurity: Password ManagersData is the new oilCybersecurity: Password ManagersNathan Bartram",
    "Support Us!",
    "update",
    "The New Oil",
    "https://timcutting.co.uk/tools/password-entropy",
    "https://bitwarden.com/password-strength/",
    "https://bitwarden.com/password-generator/",
    "@zH4SjsTf26s"
  ],
  "textContent": "Have you ever had a debate with a friend and then realized suddenly that you're both saying the same thing from different angles?\n\nThis week, the topic of passwords came up in my life and the \"length matters more than complexity\" advice was once again offered. Every time this topic comes up, I struggle to wrap my head around it. Once I understand it, I realize it's not entirely true. But this week, I realized that there's a deeper lesson underneath it. (Not to sound overly dramatic or anything.)\n\nSo in this blog post, I want to unpack this latest piece of cybersecurity wisdom, dispel some myths around it, and talk about my latest epiphany.\n\n## Password vs Passphrases\n\nLet's start by recapping what makes a \"good\" password.\n\nThe answer depends on who you ask.\n\nSince 2004, the National Institute of Standards and Technology (NIST) had recommended that a \"good\" password consist of uppercase and lowercase letters, numbers, and special characters. They didn't specify a minimum length, so other organizations offered recommendations ranging from 8 characters to 15.\n\nLast year, however, NIST updated their guidance, shifting focus onto making passwords long instead of complex. **The official recommendation is now that passwords should be at least 12 characters long, and complexity (like mixed case, numbers, and special characters) should not be required.** This new advice is now being parroted in the privacy community, often as a rebuttal when you try to push the 2004 advice.\n\nBut it's important to look at the reasoning for this change.\n\n**The goal of a \"good\" password - in any form - is basically to prevent cybercriminals from being able to guess it.** In the past, this meant a heavy focus on complexity. Unfortunately, people started creating very predictable and easy-to-remember passwords that met the letter of this requirement but not the spirit:\n\n  * `Pass@123`\n  * `P@ssw0rd`\n  * `Aa@123456`\n  * `Admin!123`\n\n(These appear in Nord's Top 200 Most Common Passwords, all in the top 20 and all meeting the previous NIST recommendations.)\n\nThis is a problem because there are tools explicitly dedicated to guessing passwords. You can load entire dictionaries into them (such as common password lists like these or literal dictionaries) and they're designed to detect common variations (`@` or `4` instead of `a`, for example). So suddenly, `P@ssw0rd` is an easily-detected variation of `password`, a word that would appear in any dictionary.\n\nAnd this is why NIST is changing tactics: instead of complexity, what if we tell people it's okay to have memorable passwords that are really long?\n\n## But Why Length?\n\nWe measure password strength in _entropy_. This is an objective measure (in _bits_) of how difficult a password is to guess, based on both password length and how many possible characters are available (uppercase letters, lowercase letters, numbers, and special characters). Another way to describe entropy is that it's a measure of how guessable your password is.\n\nAn ideal password under NIST's old guidelines has about 50 bits of entropy on average.\n\n`5ZRcx!GT` = 49 bits\n\nA password under NIST's revised guidelines has only slightly more.\n\n`hated dimmer` = 56 bits\n\nStill, those few bits make a difference. The 49-bit password can be cracked in 3 days. The 56-bit one would take almost a month.\n\nIt's also worth noting there's a bit of unspoken intention with this new guidance:\n\n  1. NIST hasn't placed any restrictions on numbers or special characters. Users are still free to use them if they want.\n  2. NIST is assuming a minimum length, but not a maximum.\n\nWhat this means is that NIST is hoping that users won't just pick two random words that happen to be 12 characters long. NIST is hoping users will pick much longer passwords, even if they're not random.\n\nFor example, let's say I'm frustrated by this whole \"pick a password\" business, but the IT guy at work informs me of the new rules: no special characters, no numbers, whatever you want, just make it long. So out of frustration I decide my new password is `This Is Really Silly`.\n\n`This Is Really Silly` = 114 bits, centuries to crack.\n\nThat's already orders of magnitude better than my two-word randomly-generated password, let alone my complex 8-character password. (If I get really frustrated and add an exclamation point to the end - `This Is Really Silly!` - the entropy increases to 125 bits.)\n\n## Did I Prove Myself Wrong?\n\nNot really.\n\nFor starters, because entropy is a product of both length and complexity, **a password that is both long _and_ complex will always win.**\n\n`@zH4SjsTf26s` = 76 bits\n\n`mottodiscuss` = 56 bits\n\nBoth of these passwords meet NIST's 12-character minimum, but `mottodiscuss` would take a mere 11 minutes to crack while `@zH4SjsTf26s` would take 2 years.\n\nIn fact, in further tests, the 12-character complex password still has significantly more entropy than the plain one gets from simply adding one more character, even if that character comes from a different character set, like a number.\n\n`mottodiscusss` = 61 bits\n\n`mottodiscuss2` = 67 bits\n\n(In my testing, I have to add 3 extra `s`'s to get close to the complex password's entropy, 77 bits.)\n\nNow it should be noted that calculating entropy is complex. For example, both of those 13-character passwords would take 9 hours to crack, exponentially increasing their security over the original 11 minutes.\n\nHowever, I think my overall point is made: the complex password adds significantly more entropy than pure length alone. My `This Is Really Silly` example only worked so well because it technically had complexity too: uppercase, lowercase, and special characters. (For context: `thisisreallysilly` = 79 bits, 5 days.)\n\nLength is clearly the \"easy button\" for making passwords more secure, but it's clearly not the only way, nor is it as simple as it sounds. **There's nothing wrong with complex passwords that makes long passwords the superior choice** (with one exception, that I'll touch on momentarily).\n\nJonah at Privacy Guides argues that passphrases have a slight edge in case you ever need to type them in, but I could equally argue that complexity has the edge since a data breach exposing the hashes is exponentially more likely. We both make good points, in my opinion, and neither of us is wrong.\n\n## Not Like This Matters\n\nNow let's get down from our ivory towers of academia and math to point out that _this is all irrelevant anyway_.\n\nWhether NIST's new guidelines are better or not, the _vast_, overwhelming majority of websites and services these days still have strict requirements based on years of previous advice.\n\nIt's incredibly rare - nonexistent, for all intents and purposes - to find a website that won't require at least one uppercase, one lowercase, one number, and one special character, all over a certain length.\n\nSome of them require more. Some of them have rules about what special characters you can use. But I have yet to find a website anywhere that simply says \"yeah dawg, go nuts. Use whatever kind of password you want.\" I'm sure they're out there, but there's not a doubt in my mind that they're the minority.\n\nMaybe someday websites will relax their rules. Probably not.\n\n## Except, When it Does Matter...\n\nIt's also worth noting that **the average person has over 100 online accounts.** NIST's updated password guidelines explicitly highlight password reuse as a serious problem. Of course, very few people can remember hundreds of unique passwords, even if we do use this \"length over complexity\" advice to create more easily-memorable-yet-still-secure passwords. Thankfully, NIST still strongly advocates for the use of _password managers_.\n\nLong-time privacy enthusiasts know where this is going: of course you have to be able to remember your master password to get into your password manager (or devices). This is where we often recommend a passphrase - a sequence of random words - instead of a complex password.\n\nA long, random passphrase of at least 4 words is - in terms of entropy - just as secure as (if not more secure than) a \"good,\" complex password, but can be easily memorized.\n\n`bottlinghappierdividablecaramel` = 145 bits, centuries\n\nThis passphrase - which meets the bare minimum recommendation - still has significantly more entropy than a 15-character complex password but can be easily memorized. We can further increase the entropy - and make it easier to read - with capitalization.\n\n`BottlingHappierDividableCaramel` = 176 bits, centuries\n\nHell, throw in a number and a symbol if it makes you feel better. Won't hurt.\n\n`Bottling3HappierDividable@Caramel` = 211 bits, centuries\n\nYou could even use a phrase you're familiar with, like the aforementioned `This Is Really Silly!` or `Physics Isn't Real?`, assuming that the service in question allows those special characters (just beware that well-known popular phrases like movie quotes or song lyrics could potentially appear in dictionary attacks).\n\nSo in this case - where it's a password you have to remember, such as a device login or password manager master password - it makes sense to focus on length because it has to be both memorable and secure.\n\nHowever, in all other cases, you should be saving your passwords in your password manager, and at that point I would argue complexity should be the emphasis since:\n\n  1. You don't need to remember those passwords.\n  2. You'll probably still need to comply with various complexity requirements.\n  3. We've already proven that if lengths are equal, complexity has the security edge.\n\n(Just make sure you're still meeting the 12-character minimum.)\n\n## The Full, Ironic Circle\n\nWe're now right back where we started:\n\n  * Even if websites did suddenly become NIST-compliant, people would still have too many accounts to remember.\n  * When using a password manager, complexity is preferred since memorability isn't an issue.\n  * Easy-to-remember but secure (aka \"long\") passphrases are really only necessary for logins people have to remember - such as devices or password manager master passphrases.\n\nThis is the same advice we already give. NIST's updated advice is an attempt at _harm reduction_, and personally I applaud that, but it doesn't actually change the actionable advice for the everyday user \"in the trenches.\"\n\n## The Lesson\n\nIn my experience, life is often a pendulum swinging back and forth between extremes.\n\nFor example, there's a lot of junk privacy and security advice floating around out there, such as \"VPNs will make you anonymous and secure.\" Neither of those is true, of course, but often in our attempts to dispel these myths the privacy community overcorrects and goes into \"VPNs are useless\" territory. The truth lies somewhere in the middle: VPNs can offer a layer of protection, but it's grossly overstated and there are other things that offer bigger and more immediate returns (this is why VPNs are the last page on my website).\n\nYou _can_ go for the longer passwords if you want to. I'm not telling you _not_ to. What I _am_ saying is that the modern blanket \"length is really what matters\" is an oversimplification, lacking nuance, and swings the pendulum too far in reaction to old, outdated advice.\n\nOne podcaster I enjoy often says \"the internet is where nuance goes to die,\" but everyone has a unique threat model and the goal of any privacy or security education should be to give people the knowledge and skills to make the choices that are right _for them_ (hopefully without drowning them in information overload).\n\nAs a community, I think it's fantastic that we push back on outdated advice. This research even prompted me to update The New Oil this week to reflect all this new information now that NIST has formalized these updates. But we need to be careful not to push too far in the other direction and oversimplify things. The nuance is what will make people ultimately smarter, more privacy/security-literate, and more equipped to pick the right tools and strategies for them.\n\n_Sources_\n\n  * Entropy checker: https://timcutting.co.uk/tools/password-entropy\n  * Time to crack checker: https://bitwarden.com/password-strength/\n  * Password/Passphrase generator: https://bitwarden.com/password-generator/\n",
  "title": "Password Length vs Complexity & What It Really Means",
  "updatedAt": "2026-05-10T15:05:21.586Z"
}