Glossary Term

Password Complexity

Password complexity is a measure of how difficult a password is to guess.

In some cases, the term is also used to refer to requirements for password selection that are designed to increase password complexity in the interest of better security.

Password complexity is important because guessed passwords are a common avenue for attack, and thus, for data breaches. When passwords can be guessed, individuals other than the owner of an account or resource are able to access that account or resource without permission.

Password complexity has become more important in recent years because of the rise of so-called "brute force" attacks, in which computer software is used to try to guess a password, often by trying thousands or even millions of combinations of common words, names, and already known passwords from previous data breaches.

Password complexity guidelines often require users to create passwords according to particular rules—for example, the inclusion of a minimum number of special characters, numbers, lowercase and capital letters, and so on. These requirements, however, often have the effect of making passwords very difficult for users to remember and enter, which may have the paradoxical effect of reducing security as users seek to find ways to remember their passwords—for example, by writing them down or saving them in a convenient place.

The US National Institute for Standards and Technology (NIST) has determined most password complexity guidelines to be outdated for this reason, and does not endorse most password complexity requirements. Instead, many experts now recommend the use of passphrases—very long passwords that are easier for users to remember, such as "YellowBoatCubumberNevadaIceCream" or "SevenSharkFitnessFandom" for example.

By virtue of their length, passphrases remain difficult to "brute force," but by avoiding the most onerous complexity requirements, passphrases enable users to remember passwords without storing and retrieving them in insecure ways.

More About Plurilock


2020 Authentication Guide

Summary of authentication recommendations from major standards bodies, plus Plurilock’s own recommendations.

White Paper: Advanced Authentication

The state of authentication today—and why you need Plurilock products.

Plurilock Quad Chart

Quick, visual summaries of Plurilock value, use cases, architecture, and typical clients.

Behavioral Biometrics Guide

The definitive guide to behavioral biometrics, a core Plurilock technology.

Stay informed. Join our low-volume mailing list for Plurilock and cybersecurity news and updates.


Plurilock is the leader in advanced, risk-based authentication. We provide invisible, device-free MFA for corporate endpoints, Citrix sessions, cloud applications, and their users in finance, healthcare, education, and SaaS.



Contact Plurilock

Have a question or comment? 

Plurilock Lead Capture Block

Welcome to Plurilock!

We’d love to hear about your interest in our products.


Okay, cool.

We'd like to provide you with more info. How can we reach you?

By submitting this form, you agree to receive periodic news, updates, and offers from Plurilock.


Someone from Plurilock will get in touch with you soon.
In the meantime, learn more about our ADAPT and DEFEND products—and be sure to check out our Blog for in-depth cybersecurity coverage.