Password complexity is a measure of how difficult a password is to guess.
In some cases, the term is also used to refer to requirements for password selection that are designed to increase password complexity in the interest of better security.
Password complexity is important because guessed passwords are a common avenue for attack, and thus, for data breaches. When passwords can be guessed, individuals other than the owner of an account or resource are able to access that account or resource without permission.
Password complexity has become more important in recent years because of the rise of so-called "brute force" attacks, in which computer software is used to try to guess a password, often by trying thousands or even millions of combinations of common words, names, and already known passwords from previous data breaches.
Password complexity guidelines often require users to create passwords according to particular rules—for example, the inclusion of a minimum number of special characters, numbers, lowercase and capital letters, and so on. These requirements, however, often have the effect of making passwords very difficult for users to remember and enter, which may have the paradoxical effect of reducing security as users seek to find ways to remember their passwords—for example, by writing them down or saving them in a convenient place.
The US National Institute for Standards and Technology (NIST) has determined most password complexity guidelines to be outdated for this reason, and does not endorse most password complexity requirements. Instead, many experts now recommend the use of passphrases—very long passwords that are easier for users to remember, such as "YellowBoatCubumberNevadaIceCream" or "SevenSharkFitnessFandom" for example.
By virtue of their length, passphrases remain difficult to "brute force," but by avoiding the most onerous complexity requirements, passphrases enable users to remember passwords without storing and retrieving them in insecure ways.