Password Policy: Length vs Complexity

Password Policy: Length vs Complexity -- What NIST Actually Recommends

NIST SP 800-63B (updated 2024) flipped decades of password advice: stop forcing complexity rules, start requiring length. Here is why, with the math to prove it.

The Entropy Math

Entropy measures how hard a password is to brute-force. The formula is log2(charset_size ^ length).

A 16-character lowercase password is 8 million times harder to crack than an 8-character "complex" one. Length wins.

What NIST SP 800-63B Says

Why Complexity Rules Backfire

When you force P@ssw0rd! patterns, users do exactly that -- predictable substitutions that cracking tools exploit first. Dictionary attacks with leet-speak rules crack Tr0ub4dor&3 in seconds. Meanwhile, correct horse battery staple (4 random words, ~44 bits from a 2048-word list, or pick 5-6 words for 55-66 bits) is both stronger and memorable.

Practical Implementation

# Pseudocode for NIST-aligned validation
def validate_password(password: str, blocklist: set) -> bool:
    if len(password) < 12:
        return False  # enforce minimum length
    if password.lower() in blocklist:
        return False  # reject known-breached passwords
    return True  # no complexity rules needed

Use a password manager to generate 16-20 character random passwords for every account. Try the Password Generator to create high-entropy passwords instantly -- set length to 16+ and skip the complexity headache.

Key Takeaway

Update your org's password policy: minimum 12 characters, blocklist check, no forced rotation, no complexity rules. You will get stronger security and fewer helpdesk tickets.

Related