Can you remember the last time you didn’t need to access at least one of your passwords? It’s probably been a while. After all, the average person handles around 168 passwords. With this scale, you might find yourself wondering if you can really prioritize your security or take some leeway to remember how to access your accounts in the first place.

It doesn’t help that the numbers vary across the board—some think you can get away with 6 characters, others go for numbers in the 20s. Let’s settle it once and for all and answer a few pressing questions. At the end of the day, how long should a password be on average, and how should its structure look to keep you safe online?

What’s the recommended minimum password length?

Let’s not beat around the bush—the length of your passwords is one of the key cybersecurity checkpoints you can tick off. The exact number of characters is something of a point of contention.

Our recommendation is to use a random mix of 8 characters (including upper- and lowercase letters, numbers, and special symbols) as the bare minimum for your password; however, the longer you go, the better.

Alternatively, you can choose to use a passphrase—a sequence of words or other text that you can use to authenticate your identity. For example, you can use a line from your favorite movie or book. However, make sure no one knows what that specific phrase is. A unique passphrase is as effective as a highly complex password because the spaces between words count as special characters.

The case for longer passwords

But why does it matter so much how long a password is? To answer this question, we first need to understand one of the biggest threats to password safety—brute-force attacks. Cybercriminals use special software to try millions (even billions, if the computer is powerful enough) of character combinations to find passwords that work. They usually start with every word in a dictionary, so passwords that contain only one or two words are not resilient.

With fewer characters, you can’t create as many secure, randomized combinations to protect your accounts. If you go any shorter than 8 characters, the chances of your passwords getting brute-forced increase. The more personal and work accounts you have, the more variety you need—and a longer password accounts for it.

In NordPass’ 2024 list of the Top 200 Most Common Passwords, the first 10 entries consisted of passwords ranging from 5 to 9 characters. Most were sequences of numbers and lowercase letters based on the keyboard layout—think 123456 or qwerty. Such combinations are easy bait for cybercriminals, who require less than a second to break through and claim the account for themselves.

The problem is not just how short the passwords are but also how frequently they’re reused. If a person comes up with a 6-character password containing only letters and numbers, the hacker can run a program to easily find the matching combination. Then, they can use the password with the related email address and easily obtain all accounts belonging to their victim. Longer passwords with more variety require more guesses to predict, increasing the time required to breach them.

To address the problem of weak passwords, various password policies and guidelines are set in place to help both businesses and individuals manage their personal data better. The National Institute of Standards and Technology (NIST) updated its password security guidelines in 2024, clarifying how the expectations for credential security have shifted. According to the new guidelines, passwords should be up to 64 characters long—a long passphrase can be used in favor of a password—and should only be changed if there’s clear evidence that they’ve been compromised. Passwords should also be generated and stored using a password manager for better security.

Balancing length and complexity

What keeps you safe online and what makes it easy for you to be online in the first place requires a delicate balance. As mentioned earlier, password length plays a key role in its predictability. The fewer characters you use, the less time it takes to crack it. Likewise, the more variety you add, the more time and resources are needed to figure it out.

Passphrases are a great help here. They ensure your credentials are long and complex without the clutter of random characters. If you pick a quote, you’ll probably use at least 4 or 5 words. This automatically racks up the password length, granting it a higher resilience against cyber threats.

You might wonder how resilient passphrases are against brute-force attacks targeting dictionary words. The length of the passphrase is actually an advantage here despite it using words from a known corpus—it increases the guessing difficulty level, and fishing out every word, space, and punctuation mark in that order is resource-intensive, making it more difficult for cybercriminals to detect an exact match.

Now, let’s sprinkle in some complexity. Of the options “password123” and “PAl4p5e*tDgF!3”—the 111th entry in the aforementioned Top 200 list and a completely random keysmash—the former would take under a second to crack, while the latter would need hundreds of years.

The randomized example does not follow an easily detectable pattern and contains every character we’ve mentioned so far—upper- and lowercase letters, numbers, and special symbols. If you took a similar combination and kept adding random characters in random spots, the complexity level would increase. In short, length adds complexity, and complexity is exactly what you want for your credentials.

Tips for creating secure, long passwords

Passphrases are a solid idea for strong credentials. However, some websites and apps don’t recognize spaces as special characters, which makes it harder to use more memorable passwords. How do you come up with really good ones, and how do you make sure you don’t forget them?

One thing you can try is a spin on a passphrase—take the words in a phrase, omit some letters, replace them with special characters, and voila! You’ve got a strong password concept on your hands. For example, let’s take the classic phrase “The quick brown fox jumps over the lazy dog” and turn it into “1.Qui.bro.fo.jum.ove.1.laz.dO.” We’ve replaced “the” with 1, left the first 2 or 3 letters of the other words, capitalized the first and last letters, and finished with a full stop for good measure. The result? A password that would take centuries to breach.

That said, avoid simply taking a word and replacing its letters with numbers, like “0v3r” for “over”—hackers are familiar with such “tricks” and have added them to their brute-force checklist. Instead of following a predictable pattern, get creative—switch random letters with numbers that wouldn’t otherwise match (like a 5 for L instead of the anticipated S) and build a cipher only you know. We’ve got more inspiring ideas you can use to level up your inner password generator in our dedicated article.

If you’re unsure whether your new credential meets the ideal strong password criteria, you can test it using our secure password checker. Don’t worry—we don’t store the passwords you type into this tool to ensure that your data remains secure, whether it’s just an idea or already in use.

The simplest way to sort out your password length troubles and leave the worries of mixing them up behind is to get a tool that does it for you—and NordPass knows how to get it done right. NordPass is an intuitive password manager that keeps all your credentials securely encrypted.

Thanks to its built-in Password Generator, you won’t have to worry about coming up with passwords on your own ever again. You won’t need to remember them either, as the autofill feature will detect your login attempts and input your credentials for you in seconds. In fact, with NordPass, the only password you need to remember is the Master Password to access your vault. Everything else will be handled for you with our browser extension and mobile app.

Reinforce all your accounts with ease and embrace the long password lifestyle with NordPass.

Today, as we see the costs of dealing with hacks and data breaches skyrocket, businesses are increasingly looking to ensure the complete security of their IT infrastructure. Although preventing every attack with 100% certainty is simply impossible, mitigating the risks by following web application security best practices can significantly improve the chances of staying secure. This is why, for many companies, securing web applications is no longer optional—it’s essential. Today, we’ll be looking at common vulnerabilities related to web apps and ways to boost security.

What is web application security?

Web application security comprises strategies, tools, and practices designed to protect web applications from external threats, breaches, and vulnerabilities. It’s not just about responding to attacks. Think of it as more of a proactive approach that integrates security considerations right from the developmental phase, ensuring that every facet of a web app is secure against potential threats.

With the ever-increasing volume of sensitive information being shared online every single moment, the stakes have never been higher. Cyber threats are not static. Hackers adapt and evolve. This dynamic threat landscape demands vigilance and proactive measures, including addressing vulnerable attack points like APIs and securing the entire software supply chain to prevent breaches at every stage of the development lifecycle.

Web application security, therefore, remains a critical concern, ensuring businesses and their users can operate with confidence in the digital world.

What are common web app security vulnerabilities?

While web applications add to the ease of doing business, they also become a part of the potential attack surface area for hackers to target. In most cases, vulnerabilities related to web applications are due to a lax attitude towards best web application security practices. SQL injections, cross-site scripting (XSS), and authentication flaws are the favorite attack vectors that hackers use to exploit web apps. For an in-depth look at web app security risks, please check out our website security guide.

Why is secure web development important?

The 2021 Verizon Data Breach Investigations Report notes that as more businesses continue to migrate their operations to the cloud, attacks on web applications have come to represent 39% of all breaches. The numbers are alarming, and organizations relying on web apps need to realize that ensuring the security of the infrastructure is an essential part of web and software development, which pays off in the long run.

The primary purpose of web app security is to prevent cyberattacks. Suffering a cyber incident often means compromised user accounts, derailed customer trust, damaged brand reputation, loss of sensitive data, loss of revenue, and a whole lot more. A recent IBM report indicates that the average cost of a data breach in 2021 stood at an astounding $4.24 million, which for smaller businesses can threaten their very existence.

At the end of the day, it all comes down to this: if businesses want to thrive in today’s internet-based economy, focus and resources can’t be limited when it comes to security.

Web application security best practices

Effective website security requires all-around effort. It includes such factors as making security a part of development procedures, configuration of the web server, creating password policies, and much more. Here are a few proven ways that you can boost your web application security.

#1: Web application security testing: Maintain standards during web app development

While developing a web application, remember that the old way of developing first and testing later is no longer the way to go. Be sure to place web application security at the top of the priority list during the development phase.

Test the security of your web application by sending different types of inputs to provoke errors and see if the system behaves in unexpected ways. These are what we call “negative tests,” and they can highlight design flaws within the system.

We also highly recommend employing the use of static application security tests (SAST), dynamic application security tests (DAST), and penetration tests (PT) during the development phase. By maintaining security standards during web app development, you will save yourself precious time in the future and have an app designed to withstand a security threat.

#2: Encrypt your data

Web apps and services rely on data and its flow between the server and the end user. Whenever someone uses your web application, they share information that often is sensitive in one way or the other. Data gathered and stored from user activity on your web application should be encrypted to mitigate the risks of a breach. For those who want to have a better understanding of what encryption is, how it works, and why it is so important in today’s digital world, here’s our guide to encryption.

#3: Backup your data

Preventing anything from happening with 100% certainty is not feasible. As we already established, the same applies to cyber threats. This is why it is so important to make regular backups of your data related to your web application.

If you suffer a breach or other sort of hack that relates to data leakage or theft, backups will be crucial in reinstating the functionality of your web app services. Backups will allow you to be back up and running in no time.

#4: Implement HTTPS

SSL technology is used to ensure encrypted data flow between the server and the end users. It is a required prerequisite for any secure web application. Typically SSL encryption is enabled by using HTTPS protocol, which can protect the flow of such sensitive information as credit card numbers, login credentials, and social security numbers. Think of it this way: by using HTTPS for your web applications, you will render data flow to and from your web app incoherent for any potential eavesdroppers. Furthermore, failing to use HTTPS will more than likely result in your users being warned about potentially unsafe websites by commonly used browsers, which is not a great look, especially in the eyes of first-time visitors.

#5: Have a strong password policy in place

Passwords are the first line of defense when it comes to unauthorized access. Use them correctly and your web application’s odds of withstanding an attack increase exponentially. Use them incorrectly and you’re in trouble. It’s important to encourage your users to use passwords the right way, too.

We’ve said it over and over, and we’ll continue to repeat ourselves. It is absolutely crucial to use complex and unique passwords. During the development stage, it is a good idea to adopt a business password manager for internal use. Not only will a password manager such as NordPass create strong passwords for you automatically, but it will ensure that they can be easily accessed and won’t ever be lost. In addition to improving your overall security posture, a password manager will increase your productivity thanks to convenient little features such as autofill and autosave.

On the user side of things, it is critical to implement strong password policies to mitigate possible risks. Make sure that the minimum password length for users is eight characters. Also, requires the use of upper- and lowercase letters and special symbols. While your users may not be thrilled to fulfill these requirements, they will thank you in the long run.

#6: Don’t forget about hosting

It’s common knowledge that a large part of your web application security relies on your hosting service provider and its security practices. Choosing the right host for your web application can be tricky and time-consuming. However, it is important to realize the importance of this decision. Choose a poor provider and face the consequences of poor security or reliability.

A reputable hosting provider, such as Hostinger, has a nice track record security-wise and is praised by its users. In most instances, reliable hosting services will put in the time to update their infrastructure and adhere to the best security practices of the time. The worst mistake that you as a web app developer can make is to choose the cheapest option and disregard other aspects of the service.

#7 Perform a regular web application security audit

The purpose of a web application audit is to review an application’s codebase to determine potential vulnerabilities. Audits can also provide a look at the security of the application’s communication challenges. As you continue to build and update your web application, new vulnerabilities may sneak in without you noticing. This is where regularly performed web application security audits can prevent you from releasing a potentially vulnerable app update and in turn save you a lot of time, frustration, and revenue among other things.

#8 Embrace authentication and Access Control

Authentication functions as a foundational aspect of web app security. It is there to verify and authorize the identity of users. Authentication serves as the first line of defense against unauthorized access. After authentication, access control defines what a user can see and do within the application.

Robust authentication mechanisms, especially multi-factor authentication (MFA), have become essential. Concurrently, access control operates on the principle of least privilege, ensuring users are granted only the permissions necessary for their specific roles. Regularly reviewing and updating these permissions is crucial if you wish to maintain the security integrity of the web app.

#9 Make web application security awareness training a part of your security strategy

When people think about how to protect a web application, they often focus on tools and systems to prevent issues, overlooking the human element—which can be a major vulnerability. Realizing this, discussing web application security with your team and organizing dedicated training sessions becomes essential.

Web application security awareness training is designed to provide the team with the knowledge and skills to identify and respond to security threats and incidents. Such training sessions explore common cyber threats, best practices in web application security, and the importance of adhering to security protocols and requirements.

By fostering a culture of security awareness, you can reduce the risk of breaches resulting from human error or oversight. Regularly updating and refreshing this training ensures that all personnel are aware of the latest threats and mitigation techniques.

#10 Follow secure coding practices

Everything can be done securely or insecurely—and coding is no different, whether it’s for an application, system, or platform. By following secure coding practices, developers can reduce the likelihood of an application will have bugs and vulnerabilities that attackers can later exploit.

So, what are some of these practices? For example, using parameterized queries to prevent SQL injection, implementing secure encryption, avoiding hardcoding sensitive information like passwords, and regularly reviewing code to identify and fix security issues. There are plenty more, of course, and all professional coders should not only be aware of them but also follow them consistently.

#11 Use a web application firewall

If you’re familiar with the concept of a firewall as a middle ground between your device or system and the internet—monitoring and filtering incoming HTTP traffic—then you already have an idea of what a web application firewall (WAF) does. In simple terms, it analyzes incoming requests and blocks suspicious or malicious activity, preventing SQL injections, cross-site scripting (XSS), and other types of attacks to protect your application from potential risks. While it’s not a substitute for other layers of security, a web application firewall is a valuable extra defense mechanism—especially for handling new or unexpected threats.

Bottom line

As web applications become more complex and businesses’ dependency on them grows, application security should be at the top of the priority list for all businesses wishing to succeed in today’s digital economy. Moreover, experts note that the recent increase in web application attacks is only set to grow. Businesses cannot afford a lax attitude towards web application security anymore. However, with a holistic cybersecurity approach that includes following best web application security practices, organizations can significantly lower the threat risk and maintain a secure perimeter.

One such practice is using a robust IT password manager like NordPass, which helps protect access to company resources from unauthorized parties, enforce a strong password policy across the organization, and monitor the dark web for compromised company data. So, if your company is not using a password manager, give NordPass a try and see how it can improve your company’s cybersecurity.