The history of password policy is largely a history of misplaced priorities. Complexity requirements — uppercase, lowercase, number, symbol — became standard because they appeared to increase entropy. In practice, they increased friction while providing limited security, because they were applied to human-chosen passwords where the theoretical entropy was never achieved. Length requirements, applied to randomly generated credentials, provide exactly the entropy promised. Understanding why explains the shift from complexity to length in NIST, NCSC, and most major security frameworks from 2017 onwards.
The Complexity Myth
A password satisfying typical complexity requirements (8+ chars, upper, lower, digit, symbol) from a human-chosen base word has approximately 52 theoretical bits of entropy. In practice, the real entropy is far lower — because humans apply complexity rules predictably. Research by Weir et al. (2010) demonstrated that users facing complexity requirements produce highly predictable patterns that reduce cracking time by orders of magnitude compared to uniformly random selection.
NIST SP 800-63B (2017) concluded: "Composition rules are no longer recommended." The NCSC echoed this in 2016 and reiterated it in every subsequent update. The fundamental insight: complexity rules applied to human-chosen passwords provide false confidence without proportionate security benefit.
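The gap between theoretical and effective entropy can be made concrete by modelling the predictable shape that composition rules produce. The Python below is an added example, not code from this page: it checks a password against a typical composition policy and compares the 94^8 theoretical keyspace of an 8-character password with the keyspace of the "dictionary word, optional capital first letter, one digit, one symbol" shape. The dictionary size (7776, the size of the EFF long list), the two capitalisation options, ten digits and 32 symbols are assumptions of this model, not figures from the page.

```python
import math
import re

# A typical composition policy: at least 8 characters containing an upper-case
# letter, a lower-case letter, a digit and a symbol.
POLICY = [
    re.compile(r".{8,}"),
    re.compile(r"[A-Z]"),
    re.compile(r"[a-z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
]


def meets_complexity(password: str) -> bool:
    """True if the password satisfies every rule of the composition policy."""
    return all(rule.search(password) for rule in POLICY)


def uniform_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose every position is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size: int, capitalisation_options: int,
                         digit_options: int, symbol_options: int) -> float:
    """Entropy of the 'base word + capitalise + digit + symbol' shape.

    Models a user who picks a dictionary word, optionally capitalises its first
    letter, then appends one digit and one symbol to satisfy the policy. The
    keyspace is the product of the choices at each step, so the bits add up.
    """
    choices = (dictionary_size * capitalisation_options
               * digit_options * symbol_options)
    return math.log2(choices)


def theoretical_vs_effective() -> tuple:
    """Bits the policy appears to give versus bits the predictable shape gives.

    Assumed model parameters: 7776-word dictionary, 2 capitalisation options,
    10 digits, 32 symbols (the count of ASCII punctuation characters).
    """
    theoretical = uniform_entropy_bits(8, 94)   # 94 printable ASCII characters
    effective = pattern_entropy_bits(7776, 2, 10, 32)
    return round(theoretical, 1), round(effective, 1)


if __name__ == "__main__":
    sample = "Monkey7!"  # constructed: a policy-compliant password of the modelled shape
    print(sample, "passes policy:", meets_complexity(sample))
    print("theoretical vs effective bits:", theoretical_vs_effective())
```

The policy accepts the modelled password, yet the shape it encourages carries roughly 22 bits rather than the 52 the policy appears to promise; the checker cannot tell the two apart, which is the false confidence the text describes.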
What Length Actually Provides
Length, applied to randomly generated credentials, provides exactly the entropy it promises — because the character or word positions are selected uniformly at random from the available set. Every additional character in a random password adds the same entropy regardless of what came before. The multiplier is precise and reliable.
| Length / Words | Entropy | Time to crack at 10B/sec |
|---|---|---|
| 8 random chars | 52.4 bits | ~13 hours |
| 12 random chars | 78.7 bits | ~9.6 million years |
| 3 random words | 38.7 bits | ~7 minutes |
| 4 random words | 51.6 bits | ~3.6 days |
| 5 random words | 64.5 bits | ~2,900 years |
| 6 random words | 77.4 bits | ~2.2 million years |
The Practical Conclusion
For any memorisable credential: 5 words is the minimum for strong security; 6 words for encryption keys and master passwords. For stored credentials (in a password manager): 20+ random characters is optimal. In both cases, the answer is "longer" — not "more complex". The Passphrase Maker defaults to 4 words and shows the entropy calculation for any configuration, making the security implications of each choice visible at generation time.
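As an added example (not the Passphrase Maker's code, nor any code from this page), the Python below generates both kinds of credential with a cryptographically secure RNG, computes the entropy of any configuration, and checks a configuration against the minimums stated above. The embedded 16-word list is constructed for the demo; the list size is a parameter of the entropy calculation, and the page does not say which word list its table uses, so figures for a real list such as the 7776-word EFF long list (an assumption here) land a tenth of a bit from the table's word rows.

```python
import math
import secrets
import string

# The 94 printable ASCII characters: letters, digits and punctuation.
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list. A real generator loads a large
# list (for example the 7776-word EFF long list); entropy depends on its size.
SAMPLE_WORDS = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper",
)

# Minimum positions from the guidance above: 5 words for a memorised
# credential, 6 for encryption keys and master passwords, 20 random
# characters for a credential kept in a password manager.
MINIMUM_POSITIONS = {
    ("memorised", "general"): 5,
    ("memorised", "master"): 6,
    ("stored", "general"): 20,
}


def entropy_bits(positions: int, pool_size: int) -> float:
    """Entropy of a credential whose positions are drawn uniformly from a pool.

    Each position contributes log2(pool_size) bits independently of the
    others, which is why the total is a plain multiplication.
    """
    return positions * math.log2(pool_size)


def random_password(length: int, charset: str = CHARSET) -> str:
    """Random character password; secrets.choice is a CSPRNG, random.choice is not."""
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Random word passphrase; repeats are allowed so every draw stays independent."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def meets_minimum(kind: str, positions: int, purpose: str = "general") -> bool:
    """Check a configuration against the length guidance for its use."""
    return positions >= MINIMUM_POSITIONS[(kind, purpose)]


def generate(kind: str, positions: int, wordlist=SAMPLE_WORDS) -> tuple:
    """Return (credential, entropy_bits) so the cost of each choice is visible."""
    if kind == "memorised":
        return random_passphrase(positions, wordlist), entropy_bits(positions, len(wordlist))
    if kind == "stored":
        return random_password(positions), entropy_bits(positions, len(CHARSET))
    raise ValueError(f"unknown credential kind: {kind}")


if __name__ == "__main__":
    for kind, n in (("memorised", 4), ("memorised", 6), ("stored", 20)):
        cred, bits = generate(kind, n)
        ok = meets_minimum(kind, n)
        print(f"{kind:9} {n:2} positions -> {bits:5.1f} bits  minimum met: {ok}  {cred}")
```

With the 16-word sample list each word is worth only 4 bits, which makes the dependence on list size obvious: the same 5-word configuration is strong with a 7776-word list and weak with a short one, so a generator should display the entropy for the list it actually uses, as the Passphrase Maker does.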