Did you know that there are decades of difference between a 12-character password and a 14-character password?
Let’s assume that the ASCII code serves as the basis from which passwords are typically selected. In this context, the term “printable characters” is usually used.
A quick explanation:
ASCII stands for American Standard Code for Information Interchange.
It is a character encoding, that is, a table that assigns a number to each character (letter, number, symbol, etc.) so that computers can process them.
When people talk about “95 possible ASCII characters,” they are referring specifically to these printable characters, because only those can be meaningfully used in passwords.
The other 33 control characters are intended for computer control, not for text or passwords.
This results in a staggering 95¹² possible combinations for a 12-character password or 95¹⁴ for a 14-character one. Even a world chess champion would break a sweat trying to figure that out. However, our threats aren’t world chess champions, but rather high-performance graphics cards and CPUs capable of calculating and testing every possible password combination in milliseconds. This method is called a brute-force attack.
So what does this mean for my password security?
If an attacker checks 1 billion (10⁹) combinations per second (a very fast offline attack):
- Average time* to a hit with 12 characters: approx. 8.57 million years
- For 14 characters: approx. 77.3 billion years
Note: These are rough estimates; actual times depend heavily on how the password is stored and whether words or simple patterns were used.
So it quickly becomes clear that the length of the password makes a significant difference.
Therefore, I recommend choosing passphrases of at least 14 characters whenever possible and, ideally, having them generated by a password manager.
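The estimate above can be reproduced with a few lines of Python. This is an added example, not part of the original post; it assumes a 365-day year, the 10⁹ guesses per second used above, and uniformly random passwords drawn from the 95 printable ASCII characters (function names are illustrative).

```python
import math
import secrets

# The 95 printable ASCII characters: codes 32 (space) through 126 (~).
ALPHABET = "".join(chr(c) for c in range(32, 127))
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def average_years(length, guesses_per_second=10**9):
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return keyspace(length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def min_length(target_years, guesses_per_second=10**9):
    """Shortest random password whose average search time reaches the target."""
    length = 1
    while average_years(length, guesses_per_second) < target_years:
        length += 1
    return length


def generate(length=14):
    """Uniformly random password; the estimates above hold only for these."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for n in (12, 14, 16):
        print(f"{n} chars: {entropy_bits(n):5.1f} bits, "
              f"~{average_years(n):.3g} years on average")
    print("sample (constructed, do not reuse):", generate())
```

Each additional character multiplies the search time by 95, so two more characters cost the attacker a factor of 9,025.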
What does a passphrase like that look like?
A passphrase is essentially a random string of characters consisting of words, special characters, and numbers, and is similar to a sentence that’s easy to remember. A classic example would be (please don’t use this!):
In 2025, I'll be walking my dog, and what about you? = I2025gimmHG&d?
While the individual characters are difficult to remember, the phrase is easier to memorize. You simply need to enter the first letters, numbers, and characters in order. Keep the following in mind:
- No known quotes or lines from books or songs (those are listed in the attack lists).
- No personal information or logical patterns (e.g., “MyDogIsBello2025”).
- I prefer random or unusually combined words.
Conclusion
My clear recommendation here would be to use a password manager that is initially secured with a passphrase and two-factor authentication (e.g., Apple Password Manager with Face ID) and to have it generate generic passwords for all other applications, each with a minimum length of 14 characters. Since you won’t be able to remember these anyway, it’s best to go straight to 16 characters or more.
Modern applications and operating systems use a lockout policy to protect themselves; under this policy, the system or application determines whether a login attempt is a simple human typo or a systematic "trial-and-error" attempt, and locks the account for a certain period of time. Ask your administrator if this is the case for your system.
Two-factor authentication (2FA) is essential for me, since potential breaches can compromise even the most complex passphrases, and a new threat from quantum computing is on the horizon. To check your password or see if you’ve been affected by a data breach, I recommend the website: https://haveibeenpwned.com
*AI Note: Calculation example generated using ChatGPT.
