How long should a password be?

  • Between 5 and 8 characters

    Votes: 2 3.4%
  • Between 8 and 12 characters

    Votes: 22 37.9%
  • Between 15 and 20 characters

    Votes: 17 29.3%
  • 20 characters or more

    Votes: 14 24.1%
  • Length doesn't matter

    Votes: 3 5.2%
  • Total voters
    58

Brye

New Member
There's a lot of confusion concerning password security, especially among your average person. So I thought it would be good to open up a discussion in order to educate people, including ourselves. How important is it to create a long password? Is length even important, or is complexity the most important?
 

Gandalf_The_Grey

Level 34
Verified
Trusted
Content Creator
Some (old) info, but no clear answer from Troy Hunt of "Have I Been Pwned":
 

TairikuOkami

Level 28
Verified
Content Creator
Note that most strength meters use a CPU as the baseline, but today GPUs are used to run the algorithms, so one PC with 4 GPUs is far more powerful.

If you are using a password manager, just go as long as it allows 😜
If only that were always possible; I usually have to test what the allowed maximum is. PayPal is a total disappointment with its 20-character limit. o_O
 

blackice

Level 27
Verified
Note that most strength meters use a CPU as the baseline, but today GPUs are used to run the algorithms, so one PC with 4 GPUs is far more powerful.


If only that were always possible; I usually have to test what the allowed maximum is. PayPal is a total disappointment with its 20-character limit. o_O
Most of the time credentials are stolen or common passwords checked. I haven’t seen a lot of reports of brute force used in non-targeted hacks. If/when the average joe starts having their account brute forced god help us all.
 

Thales

Level 9
I think length is more important than complexity. Why is that?
The cracker will never know whether you use symbols and numbers, or a simple but long password full of just lowercase characters or just numbers.
If the dictionary attack or backdoor doesn't work they won't try brute force. It would take years. Without knowing your solution they need to use every possible combination of lowercase and uppercase letters, numbers and symbols.

But I am open to other opinions.
 

bribon77

Level 33
Verified
Well, I think the size in this case does matter.
I have used decryptors.
And I managed to decipher up to three letters, then it becomes difficult, but I am not a decryption specialist, there are tools that hackers use that can facilitate it if it is a short password.
 

simmerskool

Level 9
Verified
Malware Tester

South Park

Level 7
Verified
If using a password manager, I would recommend generating the longest random password the site will allow. The default setting of 20 or 24 chars in KeePass should be sufficient for most uses. (Some banks, surprisingly, limit the max length to as little as 10 or 12 chars or forbid special characters!)
 

Local Host

Level 22
Verified
but Mr Gibson says the most important factor is password length!

of course he discusses complexity too.
Both length and complexity add to the password bitrate, complexity more than length (you should have uppercase, lowercase, numbers and symbols regardless of your password length).

A simple password with 32 characters is more insecure than a complex password with 16 characters.
 

Gangelo

Level 3
Verified
I don't believe that stolen credentials are being generated by brute force attacks. You must be a high-value target for the hacker to spend all the time and effort to brute force your password. If the website database has been breached, complexity and length do not matter. It only needs to be long and complex enough not to be guessed by an outsider.

I do the middle solution, fixed 12 characters long with uppercase, lowercase, numbers and special characters generated by my password manager.
 

struppigel

Moderator
Verified
Staff member
Is length even important, or is complexity the most important?
I would like to pick this subquestion.

➡ Given that the complexity is how many characters you are allowed to use for the password.
➡ Given that a more secure password is one that would need more time to bruteforce.

The number of possible words you would need to test with bruteforcing is then our metric of saying how secure the password is.

You calculate the number of possible passwords using: NumberOfPasswords = NumberOfCharacters^PasswordLength
E.g., if you have a password of length 3 and digits only (aka 10 characters): 10^3 = 1000
On the other hand a password of length 10 and 3 characters: 3^10 = 59049

ℹ So length is more important than complexity.

-----------------------------------------------------------------------

However, this theoretical approach does not take into account dictionary attacks which are commonly used.
In practical terms:
➡ password length and complexity only need to be enough so that bruteforcing doesn't help anymore. A password of length 24 is practically as good as 12 because both can't be bruteforced in a reasonable time frame
➡ beyond that you definitely need to avoid dictionary attacks by:
  • Not reusing passwords that you use somewhere else (one dataleak of plain text passwords and your passwords will potentially be added to word lists).
  • Not using passwords that are likely used by other people.
  • Avoiding actual words with meaning in general. That includes combinations of words with added digits or words in 1337 speak. Attackers know that these are typical modifications and may generate these variations automatically.
 
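As an added example (not part of any post in this thread), the Python below carries struppigel's keyspace formula through in code and then illustrates the dictionary-attack caveat from the second half of that post. The substitution table, suffix list, guess rate and sample passwords are all constructed assumptions for illustration, not a real cracker's ruleset or a benchmark; the point is that a few mangling rules reach "P@ssw0rd1" from the word "password", while the same rules never reach a random 12-character string.

```python
import itertools
import math


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates a brute-forcer must try: NumberOfCharacters^PasswordLength."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Same quantity expressed in bits; each extra character adds log2(charset) bits."""
    return length * math.log2(charset_size)


def exhaust_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole keyspace at a caller-supplied guess rate.
    The rate is an assumption the caller picks, not a measured GPU figure."""
    return keyspace(charset_size, length) / guesses_per_second


# Constructed toy mangling rules: a handful of 1337 substitutions and common suffixes.
# Real cracking tools ship far larger rule sets; this is only an illustration.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2024"]


def leet_variants(word: str):
    """Yield the word with every subset of its substitutable letters replaced."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[word[i].lower()]
            yield "".join(chars)


def mangle(word: str):
    """Case variants x leet variants x suffixes for one dictionary word."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def dictionary_hits(passwords, wordlist):
    """Map each password to whether the mangled wordlist would produce it."""
    generated = set()
    for word in wordlist:
        generated.update(mangle(word))
    return {pw: (pw in generated) for pw in passwords}


if __name__ == "__main__":
    # The two cases from the post: 10 characters at length 3 vs 3 characters at length 10.
    print(keyspace(10, 3), keyspace(3, 10))
    # Hypothetical 10^12 guesses/s: 12 vs 24 printable-ASCII characters, both out of reach.
    for n in (12, 24):
        print(n, f"{entropy_bits(95, n):.1f} bits", f"{exhaust_seconds(95, n, 1e12):.3g} s")
    # Constructed samples: two dictionary-derived passwords and one random string.
    print(dictionary_hits(["P@ssw0rd1", "Welcome123", "xq7!vRm2#kLp"], ["password", "welcome"]))
```

The first block of output is the post's own arithmetic; the second shows why the post calls a 24-character password "practically as good as 12" against brute force at any plausible rate; the third shows that this arithmetic says nothing about a password built from a dictionary word, which the rules reach regardless of its length.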