Contact us today. Phone: +1 888 776-9234. Email: sales@plurilock.com

What is Password Complexity?

Password complexity measures how resistant a password is to guessing or cracking.

The term describes both the actual strength of a password and the rules organizations use to enforce stronger password choices—requirements like minimum length, special characters, numbers, and mixed case.

The math behind password complexity is straightforward: the larger the space of possible passwords, the longer an attacker needs to try them all. A six-character password using only lowercase letters has 26^6, about 309 million, possible values. Eight characters drawn from the 95 printable ASCII characters (upper and lower case, digits, and symbols) gives 95^8, roughly 6.6 quadrillion. That difference matters against brute-force attacks that enumerate every possibility, which in practice means offline cracking of a stolen password-hash database, where the attacker's guess rate is limited only by hardware and the hash algorithm rather than by the login page.

But complexity rules often backfire. When forced to include special characters and digits, people bolt them on in predictable positions, "Password1!" being the canonical example, and cracking tools apply exactly those mangling rules (capitalize the first letter, append a digit and a symbol, swap "a" for "@" and "o" for "0") to every word in their dictionaries. People also write complex passwords down, save them in insecure files, or reuse them across sites. NIST's guidance (SP 800-63B) and independent research conclude that length matters far more than character variety, and that screening new passwords against lists of known-compromised values does more than any composition rule. Hence the recommendation to prefer passphrases over short, complex passwords: a phrase like "coffee-bicycle-thunder-mountain" resists cracking better than "P@ssw0rd!" (which appears in every cracking wordlist, substitutions and all) while being easier to remember and type correctly, provided the words are chosen randomly rather than taken from a well-known quotation.
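The keyspace arithmetic above and the policy comparison are easy to check in code. The following is an added example, not Plurilock's code: it computes the candidate space for the character- and word-based schemes, then puts "Password1!", "P@ssw0rd!" and the passphrase through a legacy three-of-four-classes rule and a length-first policy with breach-list screening. The breach corpus, the small leet-substitution table, the function names and the 10^10 guesses/s offline rate are all assumptions constructed for the example; a real deployment would screen against a full compromised-password list such as Have I Been Pwned's Pwned Passwords.

```python
"""Legacy composition rules versus a length-first, breach-screened policy.

Added example, not Plurilock's code. BREACHED is a constructed stand-in for a
real compromised-password corpus, and LEET is a deliberately tiny subset of the
mangling rules a cracking tool applies to every dictionary word.
"""
import re
import string

# Constructed mini breach corpus; real lists hold hundreds of millions of entries.
BREACHED = {"password", "password1", "qwerty", "letmein", "welcome", "iloveyou"}

# Substitutions that wordlist rules undo for free; assumed subset for the example.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                      "0": "o", "3": "e", "1": "i", "7": "t"})


def keyspace(symbols: int, length: int) -> int:
    """Candidates an attacker must enumerate when every position is drawn
    uniformly from `symbols` choices: 26 letters per character, or 7776
    words per slot for a diceware-style passphrase."""
    return symbols ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate `space` at a given offline guess rate
    (the average time to a hit is half of this)."""
    return space / guesses_per_second


def legacy_policy(pw: str) -> bool:
    """Classic rule: at least 8 characters and three of four character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3


def normalize(pw: str) -> str:
    """Collapse the mangling people apply to satisfy composition rules:
    case, a bolted-on suffix of digits/symbols ('Password1!'), leet swaps."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())  # strip trailing '1!', '!', '123'
    return base.translate(LEET)                  # 'p@ssw0rd' -> 'password'


def modern_policy(pw: str, min_length: int = 8) -> tuple[bool, str]:
    """NIST SP 800-63B style: enforce a minimum length, reject values found in
    a breach corpus (directly or after undoing mangling), no composition rules."""
    if len(pw) < min_length:
        return False, "shorter than minimum length"
    if pw.lower() in BREACHED:
        return False, "found in breach corpus"
    if normalize(pw) in BREACHED:
        return False, "found in breach corpus after undoing mangling"
    return True, "accepted"


if __name__ == "__main__":
    rate = 1e10  # assumed: one GPU rig against a fast unsalted hash
    schemes = [
        ("6 lowercase letters", keyspace(26, 6)),
        ("8 printable ASCII chars", keyspace(95, 8)),
        ("4 random diceware words", keyspace(7776, 4)),
        ("31 lowercase+hyphen chars, brute force", keyspace(27, 31)),
    ]
    for label, space in schemes:
        days = seconds_to_exhaust(space, rate) / 86400
        print(f"{label:40s} {space:.3g} candidates, {days:.3g} days to exhaust")
    for pw in ("Password1!", "P@ssw0rd!", "coffee-bicycle-thunder-mountain"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} modern={modern_policy(pw)}")
```

Two things the run makes visible. Both mangled passwords sail through the legacy rule yet collapse to "password" under a few normalization steps any cracker already performs, so their nominal 95^8 keyspace is irrelevant. Conversely, the passphrase fails the legacy rule (only two character classes) but is accepted by the length-first policy; note that an attacker who knows the phrase was built from four random words of a 7776-word list faces about 3.7 × 10^15 candidates, comparable to 95^8, so the strength of a passphrase comes from its generation method and its length, not its character set.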

Origin

Password complexity requirements emerged in the 1980s and 1990s as computing systems moved from physical access control to authentication-based access control. Early guidelines from the defense and financial sectors established rules about character types, minimum length, and periodic changes. These made intuitive sense at the time: a larger character set mathematically increases the work an attacker must do to exhaust the keyspace.

The approach became formalized in widely-adopted standards like those from NIST and various compliance frameworks. For decades, security professionals treated complexity rules as fundamental best practice, even as user complaints mounted and help desk password resets consumed increasing resources.

The turning point came in the 2010s as researchers accumulated evidence that complexity rules did not deliver the security benefits assumed. Bill Burr, who wrote the original password guidance in NIST Special Publication 800-63 in 2003, publicly stated in 2017 that he regretted the advice. His revised thinking, along with growing data about how people actually create and manage passwords, led NIST to reverse many traditional recommendations. The 2017 revision, SP 800-63B, explicitly discourages arbitrary composition rules and periodic password changes without evidence of compromise, and instead calls for longer minimum lengths and screening against lists of known-compromised passwords.

Why It Matters

Password security remains foundational despite decades of "passwords are dead" predictions. Even organizations adopting passwordless authentication keep passwords as fallback methods. The complexity question matters because bad policies actively harm security by encouraging predictable patterns and poor password hygiene.

Modern threats have shifted the complexity calculus. Attackers rarely brute-force login pages directly, because rate limiting and account lockout make online guessing slow. Instead, they use credential stuffing with passwords stolen from breached databases, target password reset mechanisms, or use phishing to capture credentials outright. Against these threats, composition rules provide little protection: a reused or phished "P@ssw0rd!" is compromised regardless of how many character classes it contains. Where guessing still matters is offline cracking of a stolen hash database, and there length, random generation, and a slow password hash do far more than symbol requirements. Meanwhile the rules annoy users and consume security team resources on policy enforcement and reset workflows.

The evidence for length-based approaches is strong. Organizations that shift from complex 8-character requirements to simpler 15-character passphrase minimums, typically combined with breach-list screening, report both stronger passwords in practice and a reduced support burden. Yet many compliance frameworks and internal security policies still mandate outdated composition rules, forcing organizations to choose between checkbox compliance and effective security.

The Plurilock Advantage

Plurilock's identity and access management modernization services help organizations move past ineffective password policies toward authentication approaches that actually strengthen security.

We assess your current authentication requirements, identify where complexity rules create risk rather than mitigating it, and design practical migration paths to stronger controls like passphrase policies, multi-factor authentication, and risk-based authentication.

Our government and enterprise experience means we navigate compliance requirements while improving actual security posture. Learn more about our identity and access management services.

