Why Do Passwords Need At Least 8 Characters?

It seems like every platform has different requirements for passwords.


And the complexity can make it somewhat of a mess when it comes to remembering how to access accounts.

One requirement, however, is pretty consistent: The password needs to be a certain number of characters. The current recommendation from the National Institute of Standards and Technology (NIST) is a minimum of eight characters.

But why?

Essent Systems Integration Manager Damon Kopp recently led a company training session on passwords and provided some interesting insights along the way — including why eight characters is the standard. Here is some of what we learned.

Passwords Are Ancient


Passwords pre-date the internet, computers, and even electricity. Some light etymological research reveals passwords were used at least as early as the Roman military.

Literally, a password is a word that allows you to pass into a certain area, and it's clear to see how that would be of use in military situations. Passwords are also defined as words that distinguish between friend and foe.

Billions Of Email Addresses Are Compromised


Almost 6.5 billion email accounts have been compromised in some way, according to web security expert and author Troy Hunt. Hunt runs a website where you can check if your email address has ever been compromised.

A lot of these are minor, like a bot scraping your email address to make a marketing list. But a lot of them are not, especially if the breach includes a password or if the password attached to your email account is not strong.

Don’t Double-Dip Your Passwords


It’s a risk to use one password for more than one platform because if someone cracks your password on one platform, now they have your password for multiple platforms.

We know, we know — it’s basically impossible to remember your passwords now even without individualizing for every site. But there are strategies and tools that make it easier.

One strategy is to use a prefix or suffix for each platform. For example, if your regular password is 12345 (we hope not!) then your email password might be 12345-mailbox or your fantasy sports login might be pigskin-12345.

Additionally, LastPass, owned by the GoToMeeting maker Citrix, is a tool for password management. It stores all of your passwords behind one master password, so that you only need to remember the one master password (better make that one password a doozy though!).

You Have To Be A Liar Sometimes

Don’t set up your challenge questions truthfully!


Challenge questions are those like "What is your mother’s maiden name?” or "What was your high school mascot?” that platforms often ask when you’re trying to reset your password.

Trouble is, the truthful answers to many of those questions are often easy for others to find out. Your social media profile probably already states or implies where you went to high school. How hard would it be for someone to Google your high school's mascot?

When you’re setting up your account, you’d be safer making up a fake school or saying your friend’s school. The answers to challenge questions shouldn't actually be the correct answer to the question.

Eight Characters Is Just The Start

Hackers use "brute force” algorithms that generate thousands of password guesses per second. The longer the password, the more computing power it takes to generate the right guess.

And now finally back to password length. Why require eight characters?

Hackers run algorithms that try to "brute force” their way into the right password by continuously generating random passwords.

But it takes a certain amount of computer power to continuously generate passwords — we're talking thousands per second. And so every extra character in the password requires exponentially more computer power to crack.

With computer power increasing all the time, the minimum required password length is a moving target that's only going to go up. But for today’s computing power, eight is the minimum number of characters that the NIST recommends.
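To put numbers on the "every extra character costs exponentially more" point, here is an added Python example (not code from the original article or from Essent). It computes the brute-force search space for a few character-set sizes and lengths, the average time to guess at a given rate, and a simple length check against the eight-to-64-character range the article attributes to NIST. The character-set sizes and the guess rates are assumptions chosen for illustration: the "thousands per second" rate matches the article's figure, and the billions-per-second rate is a constructed stand-in for offline cracking of a leaked hash.

```python
import unicodedata

# Alphabet sizes for the estimate (assumed here: the usual printable-ASCII
# classes, not figures from the article).
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "lower + upper + digits": 62,
    "all printable ASCII": 95,
}

# Guess rates in guesses per second. The first matches the article's
# "thousands per second"; the second is a constructed offline-cracking figure.
GUESS_RATES = {
    "online, thousands/sec": 1_000,
    "offline, billions/sec": 1_000_000_000,
}

# Length bounds the article attributes to NIST.
NIST_MIN_LENGTH = 8
NIST_MAX_LENGTH = 64


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time to hit the right password: on average half the space is tried."""
    return search_space(alphabet_size, length) / 2 / guesses_per_second


def growth_per_character(alphabet_size: int, length: int = 8) -> int:
    """Factor by which the search space grows when one character is added."""
    return search_space(alphabet_size, length + 1) // search_space(alphabet_size, length)


def password_length(password: str) -> int:
    """Length in Unicode code points after NFC normalisation, so that a
    composed and a decomposed form of the same character count the same."""
    return len(unicodedata.normalize("NFC", password))


def meets_length_policy(password: str) -> bool:
    """True when the password falls inside the 8..64 character range."""
    return NIST_MIN_LENGTH <= password_length(password) <= NIST_MAX_LENGTH


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def main() -> None:
    for rate_name, rate in GUESS_RATES.items():
        print(f"\nAverage time to brute-force at {rate_name}:")
        for set_name, size in CHARSETS.items():
            print(f"  {set_name} (x{growth_per_character(size)} per extra character)")
            for length in (6, 8, 12, 16):
                print(f"    {length:2d} chars: {humanize(expected_seconds(size, length, rate))}")

    # Constructed sample passwords; the decomposed "e" + combining acute counts as one character.
    for pw in ("hunter2", "correct horse", "e\u0301" * 8, "x" * 65):
        print(f"{pw!r:>24}: length {password_length(pw):2d}, in policy: {meets_length_policy(pw)}")


if __name__ == "__main__":
    main()
```

The average-time estimate assumes the attacker walks the whole space with no smarter strategy; dictionary and rule-based guessing finish far sooner on human-chosen passwords, which is why length alone is the start rather than the whole story.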

One of our colleagues in the session drew a chuckle when he asked how long passwords will need to be when quantum computing becomes more widely available.

The bottom line is: get ready for longer passwords. The National Institute of Standards and Technology is already recommending passwords as long as 64 characters.