There’s still ample confusion about how to strengthen password policies and mitigate password-focused attacks. Many admins think that password information retrieved from Windows profiles can be used in pass-the-hash attacks. Any Windows password up to 14 characters in length can be quickly cracked using rainbow tables and clouds of GPU-equipped, superfast computers. There are plenty of defenses you can add to your list of security policies to keep your systems and data safe. For example, increase the minimum length for end-user passwords to 12 characters, and to 15 characters for admins.
Source: https://www.csoonline.com/article/2624604/five-password-security-myths-dispelled.html
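
One way to check the 12/15-character recommendation above against an Active Directory domain, as an added example that is not part of the original article. It assumes the ActiveDirectory (RSAT) PowerShell module and treats `Domain Admins` and `Enterprise Admins` as the admin population; both are assumptions to adjust.

```powershell
# Added example: read-only audit. Assumes the ActiveDirectory (RSAT) module
# and rights to read password policy objects. The group list is an assumption.
Import-Module ActiveDirectory

$UserMinLength  = 12   # end-user minimum recommended in the text
$AdminMinLength = 15   # admin minimum recommended in the text
$AdminGroups    = 'Domain Admins', 'Enterprise Admins'   # assumed privileged groups

# Domain-wide default: the policy every account gets unless a fine-grained
# password policy (FGPP/PSO) overrides it.
$default = Get-ADDefaultDomainPasswordPolicy
if ($default.MinPasswordLength -lt $UserMinLength) {
    Write-Warning "Default domain minimum is $($default.MinPasswordLength); target is $UserMinLength."
}

# The default policy cannot tell admins from users, so a longer admin minimum
# has to come from an FGPP. Resolve the effective policy per admin account.
$admins = $AdminGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object objectClass -eq 'user' |
    Sort-Object -Property distinguishedName -Unique

$report = foreach ($account in $admins) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $account.distinguishedName
    # No resultant PSO means the account falls back to the default domain policy.
    $effective = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
    [pscustomobject]@{
        Account      = $account.SamAccountName
        PolicySource = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MinLength    = $effective
        Compliant    = $effective -ge $AdminMinLength
    }
}

# Non-compliant admin accounts sort first.
$report | Sort-Object Compliant, Account | Format-Table -AutoSize
```

A minimum-length setting is enforced only when a password is next set, so accounts reported as compliant may still hold shorter passwords chosen before the policy changed.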