For decades, information security experts have tried to get people to create stronger passwords by requiring a minimum length (usually eight characters), plus at least one capital letter, one number, and one special character (like @, #, or !). This strategy is now widely considered to be a failure. Many people simply created an obvious variation of their previous password. “Letmein1!” is as easy for a computer to crack as “letmein”, even though it’s longer and more complex.
This goes to show that there are multiple elements that factor into how strong your password is. Length is one of them. In this article, we’ll explain some concepts you should consider when creating a password, as well as some guidelines for how long your password should be.
Ways to crack a password
First, you should understand something about how hackers steal passwords. Bad guys typically begin trying to crack a password by using a dictionary attack. A dictionary attack works by drawing on a massive database of dictionary words, real passwords exposed in previous data breaches, names, as well as common combinations (such as last name + first name + date) and substitutions (like “@” instead of “a”). To get an idea of what kind of data hackers can glean from a password leak, check out this report(new window).
If a dictionary attack fails, the hacker will have to use a brute force attack. This type of attack is much slower because it means the computer will go through every possible combination of characters, one by one. Some computers(new window) can guess hundreds of billions of passwords per second.
Keep in mind, hackers generally are not trying to guess your password at the login page of your online account. Instead, they will usually attempt dictionary or brute force attacks on a database of hashed passwords(new window) stolen from a company’s servers. There are various ways companies can hash passwords to bog down the process for hackers, which can help keep your plaintext password secure. But it’s better to create a strong password yourself rather than place all your trust in the cybersecurity practices of a website(new window).
How to prevent brute force attack
There are two ways to make it more difficult for someone to brute force your password: make your password longer (by using more characters), and make it more complex (by using a greater variety of character types, like numbers and capital letters). Note, however, that length is much more effective than complexity at preventing a brute force attack.
Every additional character in a password increases the length of time it would take a supercomputer to guess your password by an order of magnitude, even if you only use lower-case letters. Adding complexity also helps because it will broaden the set of characters the computer has to check, but not by nearly as much.
There are online calculators(new window) that claim to tell you how long it would take a computer to crack your password. These are not precise because of all the variables involved, such as computing power and the hash used. But they can serve to illustrate a key point about password length: a six-character random-generated password using a mix of character types would take seconds to crack, whereas a 10-character password with only lower-case letters could take several years.
Why a long password isn’t always better
Brute force attacks are not very efficient and can be easily thwarted by merely creating a longer password. That’s why dictionary attacks are a more efficient way to crack passwords. Dictionary attacks take advantage of human weaknesses, like predictability and poor memory. The need to remember passwords leads users to choose simple passwords, which are also easy to guess.
With dictionary attacks, therefore, length can be a misleading measure of password strength. For example, “F3rnand3zJ@nu@ry1983” looks like it could be a very strong password because it contains lots of numbers, capital letters, and special characters. But this password would probably be cracked in a dictionary attack: It’s just a last name, a month, and a year. The algorithm could easily look for predictable character substitutions and capitals.
How long should your password be?
The length of your password primarily depends on whether you’re using a password with random characters or one with a series of words.
If you want to create a strong password using a series of words (a “passphrase”), most info security firms recommend using at least four words that aren’t very common. As more people switch to passphrases, however, hackers will get better at cracking them.
If you’re using a password composed of random characters, about 15 should put it out of reach of modern computing capabilities. However, we don’t recommend using random-character passwords unless you’re using them with a password manager, which will help you generate and store them securely. That way you don’t have to remember them or write them down, and they will be unique.
If you use a password manager, we recommend using a long passphrase as your master password and generating a unique random password for each account, relying on the default settings for length and complexity (usually 20 characters, with a few numbers and special characters).
This article is part of a series we’re publishing on strong passwords. Check back to our blog(new window), follow us on Twitter(new window), or subscribe to our subreddit(new window) to stay in the loop on all our cybersecurity advice.
You can get a free secure email account from Proton Mail.
We also provide a free VPN service(new window) to protect your privacy.