How long should a password be?

How long should a password be?

  • Between 5 and 8 characters

    Votes: 2 3.4%

  • Between 8 and 12 characters

    Votes: 22 37.9%

  • Between 15 and 20 characters

    Votes: 17 29.3%

  • 20 characters or more

    Votes: 14 24.1%

  • Length doesn't matter

    Votes: 3 5.2%
  • Total voters
    58
Brye

Brye

New Member
Thread author
Jan 24, 2020
6
34
6
USA
There's a lot of confusion concerning password security, especially among your average person. So I thought it would be good to open up a discussion in order to educate people, including ourselves. How important is it to create a long password? Is length even important or is compexity the most important?
 
Last edited:
  • Like
Reactions: CyberTech, DJ Panda, Protomartyr and 2 others
Some (old) info, but no clear answer from Troy Hunt of "Have I Been Pwned":
www.troyhunt.com

Passwords Evolved: Authentication Guidance for the Modern Era

In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy. But the ecosystem in which they were used was simple too, for example in MIT's Time-Sharing Computer [https://www.wired.com/2012/01/
www.troyhunt.com www.troyhunt.com
www.troyhunt.com

How Long is Long Enough? Minimum Password Lengths by the World's Top Sites

I've been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security - a paradigm that every single person with an online account understands - yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules...
www.troyhunt.com www.troyhunt.com
haveibeenpwned.com

Have I Been Pwned: Check if your email address has been exposed in a data breach

Have I Been Pwned allows you to check whether your email address has been exposed in a data breach.
haveibeenpwned.com haveibeenpwned.com
 
  • Like
  • +Reputation
Reactions: Nevi, Protomartyr, roger_m and 2 others
Note, that most strength meters uses CPU as a baseline, but today, GPU is used to calculate algorithms, so 1 PC with 4 GPUs is more powerful.
password.kaspersky.com

Password Checker & Secure Random Password Generator | Kaspersky

Check your password security and see if it can resist hackers. Use our random password generator to instantly create strong, unique passwords and stay protected.
password.kaspersky.com password.kaspersky.com

Reajoan Mashfik said:
If u are using password manager just go as long as it allow 😜
Click to expand...
If it were only possible, I usually have to test, what is the allowed maximum. Paypal is a total disappointment, with its 20 characters limit. o_O
 
  • Like
Reactions: Nevi, Protomartyr, roger_m and 3 others
TairikuOkami said:
Note, that most strength meters uses CPU as a baseline, but today, GPU is used to calculate algorithms, so 1 PC with 4 GPUs is more powerful.
password.kaspersky.com

Password Checker & Secure Random Password Generator | Kaspersky

Check your password security and see if it can resist hackers. Use our random password generator to instantly create strong, unique passwords and stay protected.
password.kaspersky.com password.kaspersky.com


If it were only possible, I usually have to test, what is the allowed maximum. Paypal is a total disappointment, with its 20 characters limit. o_O
Click to expand...
Most of the time credentials are stolen or common passwords checked. I haven’t seen a lot of reports of brute force used in non-targeted hacks. If/when the average joe starts having their account brute forced god help us all.
 
  • Like
Reactions: harlan4096, Protomartyr, roger_m and 2 others
I think length is more important than complexity. Why is that?
The cracker will never know if you use symbols and numbers or a simple but long password with full of just lowercase characters or just numbers.
If the dictionary attack or backdoor doesn't work they won't try brute force. It would take years. Without knowing your solution they need to use every possible combination of lowercase and uppercase letters, numbers and symbols.

But I am open to other opinions.
 
  • Like
Reactions: Nevi
Well, if I think the size in this case does matter.
I have used decryptors.
And I managed to decipher up to three letters, then it becomes difficult, but I am not a decryption specialist, there are tools that hackers use that can facilitate it if it is a short password.
 
  • Like
Reactions: conceptualclarity and stefanos
  • Like
Reactions: Nevi, upnorth and roger_m
simmerskool said:
but Mr Gibson says the most important factor is password length!

GRC's | Password Haystacks: How Well Hidden is Your Needle?

Password Haystacks: How Well Hidden is Your Needle?
www.grc.com www.grc.com

of course he discusses complexity too.
Click to expand...
Both length and complexity add to the password bitrate, complexity more than length (you should have uppercase, lowercase, numbers and symbols regardless of your password length).

A simple password with 32 characters is more insecure than a complex password with 16 characters.
 
  • Like
  • +Reputation
Reactions: Nevi, harlan4096, Outpost and 2 others
I don't believe that stolen credentials are being generated by brute force attacks. You must be a high value target for the hacker to spend all the time and effort to brute force your password. If the website database has been breached, complexity & length do not matter. It should only be as long and complex to not be guessed by an outsider.

I do the middle solution, fixed 12 characters long with uppercase, lowercase, numbers and special characters generated by my password manager.
 
  • Like
Reactions: amirr, simmerskool, Protomartyr and 2 others
Brye said:
Is length even important or is compexity the most important?
Click to expand...

I would like to pick this subquestion.

➡️ Given that the complexity is how many characters you are allowed to use for the password.
➡️ Given that a more secure password is one that would need more time to bruteforce.

The number of possible words you would need to test with bruteforcing is then our metric of saying how secure the password is.

You calculate the number of possible passwords using: NumberOfPasswords = NumberOfCharacters^PasswordLength
E.g., if you have a password of length 3 and digits only (aka 10 characters): 10^3 = 1000
On the other hand a password of length 10 and 3 characters: 3^10 = 59049

ℹ️ So length is more important than complexity.

-----------------------------------------------------------------------

However, this theoretical approach does not take into account dictionary attacks which are commonly used.
In practical terms:
➡️ password length and complexity only need to be enough so that bruteforcing doesn't help anymore. A password of length 24 is practically as good as 12 because both can't be bruteforced in a reasonable time frame
➡️ beyond that you definitely need to avoid dictionary attacks by:
  • Not reusing passwords that you use somewhere else (one dataleak of plain text passwords and your passwords will potentially be added to word lists).
  • Not using passwords that are likely used by other people.
  • Avoiding actual words with meaning in general. That includes combinations of words with added digits or words in 1337 speak. Attackers know that these are typical modifications and may generate these variations automatically.
 
  • Like
  • +Reputation
Reactions: simmerskool, Protomartyr, South Park and 5 others
Code: 
RpZ@qxrdyaUXVuz6RQrn!@LP5FdvWogC!Hsx*$*HVWh%qtQJBz%Z!8unYCbUD*M^S&tx%gaMDLnyC^^%Nvd6trz9ovZrUW$ARDGU*9YgukBpi4hpd^Zcg!SXLKZTMyRj
I pick 128 characters long password (as seen above) and Microsoft is like: 😅
capture_06132020_112209.jpg
 
  • HaHa
  • Like
Reactions: Stopspying, Gandalf_The_Grey, harlan4096 and 5 others

You may also like...