The debate over whether to prioritize password length or complexity is as old as computers themselves. Over the past decade, the popular choice has been to opt for a moderately lengthy but complex password. Even Microsoft enforces this approach by requiring domain users to use complex passwords by default. However, at Security Ideals, we believe that while adding more characters is beneficial, prioritizing a longer password over a complex one offers superior security. This blog will delve deeper into why this approach is more effective and provide guidelines for creating robust passwords.
At Security Ideals, we frequently crack passwords for our customers. From our extensive experience, longer passwords comprised of concatenated words or phrases are significantly harder to crack than shorter, complex ones. With the advancement of computing power, particularly cloud computing platforms equipped with GPU-based cracking techniques, even a 7 or 8-character password with numbers and symbols doesn't take long to break. This makes the case for rethinking our approach to password creation and focusing more on length rather than complexity alone.
When creating a password, users often wonder whether to focus on length or complexity. Here’s why length often trumps complexity:
Increased Combinations: Each additional character in a password exponentially increases the number of possible combinations. For instance, an 8-character password with mixed characters has about 6.1 quadrillion combinations, whereas a 16-character password has an astronomical number of combinations, making it significantly more challenging to crack.
User Friendliness: Users are less likely to write down their passwords when they are simple yet long. A 15 or 16-character password, even without symbols, is nearly impossible to crack due to time and speed constraints. Moreover, longer passwords can be easier to remember when they are based on a phrase or a series of words rather than a complex string of characters.
Resistance to Modern Cracking Techniques: Modern password-cracking techniques leverage immense computing power. GPU-based cracking methods can attempt billions of password combinations per second. Longer passwords provide a substantial buffer against such brute force attacks.
While length is crucial, complexity also plays a role in creating a strong password. Complexity involves using a mix of letters (both uppercase and lowercase), numbers, and symbols. This makes the password less predictable and harder to guess using dictionary attacks, where attackers use common words and variations to crack passwords. However, the complexity should not compromise usability.
Ideally, a strong password should balance both length and complexity. For example, a password like "4pL!e#9kS@wQ" is both long and complex, making it very difficult to crack. However, from a practical standpoint, longer passwords are often more effective because adding each additional character exponentially increases the number of possible combinations.
To enhance the security of your passwords, follow these golden rules:
Avoid Basic Dictionary Words: Choose words that won't be found in a basic dictionary. If necessary, modify words slightly, such as using "appple" instead of "apple."
String Multiple Words or Phrases Together: Combine words or phrases with numbers to create a longer password. For example, "BlueSky$Mountain#42" is both long and complex.
Keep It Long: Ensure your password is longer than 12 characters. The longer, the better. Aim for at least 15-16 characters.
Do Not Post Password Requirements Online: Sharing your company's password requirements publicly makes it easier for attackers to tailor their attacks. Keep these details private.
Consider Your Password Reset Mechanism: Many attackers target password reset options because they are often simpler to exploit than the passwords themselves. Ensure your reset mechanisms are secure.
Use Passphrases: Instead of a single word, use a series of unrelated words or a phrase. For example, "BlueSkyMountain42" is both long and memorable. A passphrase can be something like "correct horse battery staple," which is easy to remember and type, but very hard to crack.
Add Randomness: Use a password manager to generate and store random, long passwords. This tool can help create unique passwords for each of your accounts without the need to remember each one individually. Password managers can generate passwords like "J&k8^d$2L#v@P9w," which are highly secure and unique for each account.
Regularly Update Passwords: Regularly changing your passwords can mitigate the risk of them being compromised. Set a reminder to update your passwords every few months, especially for critical accounts.
Enable Multi-Factor Authentication (MFA): Adding an additional layer of verification, such as a fingerprint scan or a code sent to your phone, enhances security. MFA ensures that even if your password is compromised, an attacker would still need another form of verification to gain access.
Be Cautious with Security Questions: Security questions are often used as a backup for password recovery. Choose questions and answers that are not easily guessable or available on your social media profiles. For instance, use answers that are not directly related to the question but are memorable to you.
In conclusion, the debate over password length and complexity is crucial in understanding how to protect your accounts effectively. While complexity is important, prioritizing password length provides a more robust defense against modern password-cracking techniques. By following best practices and understanding the importance of longer passwords, you can significantly improve your cybersecurity posture. Remember, the goal is to create passwords that are both secure and user-friendly, reducing the likelihood of them being written down or forgotten.
Adopting a strategy that emphasizes password length, while still maintaining a level of unpredictability, will help protect your accounts from unauthorized access in an increasingly digital world. Stay informed, stay secure, and keep your passwords strong.
By implementing these strategies, you can create a robust defense against cyber threats. Educate your team and colleagues about the importance of strong passwords and encourage the use of password managers and MFA. In a world where cyber threats are constantly evolving, staying ahead with strong, secure passwords is your first line of defense.