Passwords must be long, very long

What is a secure password?
Why are they required to be “complex”?
Why must we change them regularly?
Why should we never reuse the same password?

These are a few of the questions users often ask.

Here we look at one aspect of passwords, their complexity, and at how to make them more secure.

Scenario

You’re registering for an online service and need a new password, which you select with care, following experts’ advice and complying with the requirements of the service. Most probably you will use some pseudo-random sequence of eight elements from three or four sets of characters.

Some figures

I will assume that

  • we can use an alphabet with 26 lowercase letters, 26 uppercase letters, 10 digits and 33 symbols, for a total of 95 possible characters;
  • the service conscientiously hashes the passwords with a good algorithm;
  • the hackers can mount an offline attack at one hundred billion guesses per second.

With these assumptions and no additional hints, the hackers can exhaust the search space of 6’704’780’954’517’120 possible combinations (every password of up to eight characters) in just a little more than 18 hours. Almost certainly before the service duly notifies you of the data breach.

But hackers do in fact have additional hints. For example, they know that the service requires both lowercase and uppercase characters. That means they can skip every combination in which only lowercase or only uppercase letters appear. This hint alone reduces the search space by around 15% and gives the hackers about 3 hours of advantage. Additional knowledge and considerations, e.g. skipping all-letter and all-digit passwords, can give them even more.

So, what?

I’m not saying that the constraints are bad in themselves: we must use as many sets of characters as possible in our passwords to make the number of combinations large. The fact is that knowing which constraints apply makes life easier for hackers, and it’s not possible to keep them secret, since the user must know what is required.
It would be much better if we all picked the characters at random, without caring about their type; that way our passwords would really fill the search space in its entirety.

Length to the rescue

A minimum-length constraint also helps hackers reduce the search space, since they can skip the shorter combinations. Yet I argue that long passwords are the only way to make their life much harder.

Let’s see what happens when we increase the number of characters in the password.
Without removing any constrained or shorter combinations:

  • 9 characters would mean 636’954’190’679’126’495 combinations and more than 2 months to crack.
  • 10 characters would mean 60’510’648’114’517’017’120 combinations and more than 19 years to crack.
  • 11 characters would mean 5’748’511’570’879’116’626’495 combinations and more than 18 centuries to crack.

But if you think this should be enough, consider that a massive attack at one hundred trillion guesses per second would crack the 10-character password in about 1 week and the 11-character one in just a little less than 2 years. It’s therefore better to opt for even longer passwords. E.g. a 12-character password would require a little less than 2 thousand centuries to crack.
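The figures above are easy to reproduce. The following script is an added example, not code from the original post: it counts every password of one to N characters over the assumed 95-character alphabet (so shorter combinations are not skipped, exactly as in the post), converts the count to a worst-case exhaustion time at both guess rates, and quantifies how much of the fixed-length space an attacker can drop when the service demands at least one lowercase and one uppercase letter. The same `search_space` function also gives the 13-versus-12-character comparison used later in the post. The unit names and the division of the alphabet into 26 + 26 + 10 + 33 characters follow the post's assumptions.

```python
# Added example (not from the original post): reproduce the post's search-space
# and cracking-time figures and the effect of a "both cases required" rule.

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS          # 95 characters, as assumed in the post


def search_space(max_len: int, alphabet: int = ALPHABET) -> int:
    """Number of passwords of length 1..max_len (shorter ones are NOT skipped)."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def crack_seconds(combinations: int, guesses_per_second: int) -> float:
    """Worst-case time to exhaust the whole space at the given guess rate."""
    return combinations / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse, human-readable duration (largest unit that fits)."""
    units = [
        ("centuries", 100 * 365.25 * 86400),
        ("years", 365.25 * 86400),
        ("months", 30.44 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def mixed_case_reduction(length: int, alphabet: int = ALPHABET) -> float:
    """
    Fraction of the fixed-length space an attacker may skip when the service
    requires at least one lowercase AND at least one uppercase letter.
    Inclusion-exclusion: (no uppercase) + (no lowercase) - (neither).
    """
    no_upper = (alphabet - UPPER) ** length
    no_lower = (alphabet - LOWER) ** length
    neither = (alphabet - UPPER - LOWER) ** length
    skippable = no_upper + no_lower - neither
    return skippable / alphabet ** length


def main() -> None:
    for rate, label in ((10**11, "100 billion guesses/s"), (10**14, "100 trillion guesses/s")):
        print(f"--- {label} ---")
        for n in range(8, 14):
            space = search_space(n)
            print(f"{n:2d} chars: {space:,} combinations, {human_time(crack_seconds(space, rate))}")
    print(f"'both cases required' lets an attacker skip {mixed_case_reduction(8):.1%} of 8-character passwords")


if __name__ == "__main__":
    main()
```

Running it prints the 18-hour, 2-month, 19-year and 18-century figures at the hundred-billion rate and the 1-week and 2-year figures at the hundred-trillion rate; the mixed-case rule comes out at roughly 15% of the 8-character space, matching the post's estimate.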

The problems with length

But this comes with some issues.

There are services that limit the number of characters we can use in passwords. They might set the limit to a reasonable 20 or to the infamous 8. There might be technical reasons for this, but most probably it’s just an arbitrary decision. In any case, all we can do is use the maximum allowed.

Then there is our laziness. Every once in a while we have to painfully type those passwords into fields we can’t see and that, incidentally, could be seen by malware running on our devices.
And what about our memory? A long, cryptic password will never be remembered.

The solution

A good password manager solves the problems just mentioned. You can find one to install on all your devices and almost forget how to type passwords.
You only need to remember one single password or, even better, one good passphrase. This must of course be really good: not a famous quote or the title of a famous novel or movie that everybody knows you like.

All other passwords are generated, remembered and almost always typed by the program. It can remember the rules used to generate the password for each specific service, and you can set it to generate the longest password you’ve ever dreamed of.

The manual alternative

Should you not feel comfortable with any software solution, there is still an option.

Let’s compare two passwords (please don’t use them):
C.a.3........ and H8k-O1!jj12x.
Which is more difficult to crack?
And which is easier to remember and type?

The first one, with its 13 characters against the 12 of the second, requires a hugely greater amount of time to be cracked and is easier to remember and type. I’ve even chosen something easy to type on my mobile device.
The fact that it contains a word, not even carefully masked, doesn’t matter, since the hackers can’t make any assumption about it.
And you don’t have to use a symbol: just pad the core part of your password with any character or characters of your choice, in whatever position you want, at the beginning, in the middle or at the end. And you can go wild in terms of length; in the end you only have to remember how many characters to type.

Still some problems

Life would be easier if all services thoughtfully applied some common wisdom. We will still find services limiting us to digits only, as if a PIN were the best thing on earth. Or some that will not accept symbols. And unfortunately we can still read about breaches in which passwords were found stored in clear text.

We must be wary about these services and follow common wisdom ourselves, without expecting them to do so.

A final thought

I hope I have convinced you that what really matters in a password is its length. A very long password with as many kinds of characters as possible can be both memorable and secure, whatever assumptions the hackers can make.

There’s one more thing to take into consideration if the service provides it: two-factor authentication.
If it’s offered, preferably app- or hardware-based, use it!

If you need help on your security journey, contact us.