Password Length versus Complexity and Multi-Factor Authentication


Password security is vital to protecting our online identity and personal information.  With the increasing number of data breaches, cyber-attacks, and identity theft, having a strong and secure password has become more critical than ever.  But what makes a password strong and secure?    Is it length or complexity?  What about Multi-Factor Authentication (MFA)? 

Length vs. Complexity

Regarding password security, the length and complexity are two important factors.  Length refers to the number of characters in a password, while complexity refers to the types of characters used.  The longer and more complex a password is, the harder it is for an attacker to crack or guess.

Password Length

Password length is the most crucial factor in password security.  The longer the password, the harder it is to crack.  A long password makes it exponentially harder for attackers to use a brute-force attack, which involves trying every possible combination of characters until the correct password is cracked.  

For example, a password eight characters long with lowercase letters, uppercase letters, and numbers has 62 possible characters per position.  This means that there are 218,340,105,584,896 possible combinations.  However, if the password is 12 characters long with the same character set, there are 3.22626676 × 10¹⁷ possible combinations.  As we can see, increasing the password length significantly increases the number of possible combinations, making it more difficult for attackers to crack.

Password Complexity

Password complexity refers to the types of characters used in a password.  A complex password includes a combination of uppercase letters, lowercase letters, numbers, and symbols.  Using a complex password makes it harder for attackers to use dictionary attacks, which involve using a list of commonly used passwords to try and guess a password.

For example, if your password is "password123," attackers can easily guess it using dictionary attacks.  However, if your password is "P@ssW0rd123!", it is much harder to guess as it contains a combination of uppercase letters, lowercase letters, numbers, and symbols.

Combining Length and Complexity

Ideally, passwords should be long and complex.  However, the most important password factor is length because adding additional characters to the password makes it exponentially more difficult to crack.  We suggest a password length of longer than 15 characters. 

Multi-Factor Authentication

However, passwords, regardless of the complexity and length, are not good enough anymore.  Hackers have developed server clusters that can guess 348 billion passwords a second.   Refer to for more information.  This article is over ten years old.  If you apply Moore's Law (compute power doubles every 24 months) to the cluster, what used to take five servers in 2012 should take only one server in 2023.

As you know, MFA sends you an additional code via a text/email or an App to verify your identity.  With MFA, you're effectively changing your password whenever you log in.  We recommend using MFA every time you log into a computer, whether you're working locally or remotely.


In conclusion, password length and complexity are important factors in creating a strong and secure password.  A long password with a complex combination of characters makes it harder for attackers to crack or guess.  However, passwords are not good enough anymore.  We suggest using MFA every time you log in.  If you need help with your password policy or implementing MFA, send an email to

CybersecurityIt maintenancePassword

Get updated on the latest Information Technology news, Cybersecurity, Information Technology Trends, and recent real-world troubleshooting experiences.