How long should a password be?

How long should a password be?

  • Between 5 and 8 characters: 2 votes (3.4%)
  • Between 8 and 12 characters: 22 votes (37.9%)
  • Between 15 and 20 characters: 17 votes (29.3%)
  • 20 characters or more: 14 votes (24.1%)
  • Length doesn't matter: 3 votes (5.2%)

  • Total voters: 58

Brye

New Member
Thread author
Jan 24, 2020
6
There's a lot of confusion concerning password security, especially among your average person. So I thought it would be good to open up a discussion in order to educate people, including ourselves. How important is it to create a long password? Is length even important, or is complexity the most important?
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Some (old) info, but no clear answer from Troy Hunt of "Have I Been Pwned":
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Note that most strength meters use a CPU as a baseline, but today GPUs are used to calculate algorithms, so one PC with 4 GPUs is more powerful.

If you are using a password manager, just go as long as it allows 😜
If only it were possible. I usually have to test what the allowed maximum is. PayPal is a total disappointment, with its 20-character limit. o_O
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Note that most strength meters use a CPU as a baseline, but today GPUs are used to calculate algorithms, so one PC with 4 GPUs is more powerful.

If only it were possible. I usually have to test what the allowed maximum is. PayPal is a total disappointment, with its 20-character limit. o_O

Most of the time credentials are stolen or common passwords are checked. I haven't seen a lot of reports of brute force used in non-targeted hacks. If/when the average Joe starts having their account brute forced, God help us all.
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
I think length is more important than complexity. Why is that?
The cracker will never know if you use symbols and numbers, or a simple but long password full of just lowercase characters or just numbers.
If the dictionary attack or backdoor doesn't work, they won't try brute force. It would take years. Without knowing your solution they need to use every possible combination of lowercase and uppercase letters, numbers and symbols.

But I am open to other opinions.
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
Well, I think size in this case does matter.
I have used decryptors.
And I managed to decipher up to three letters, then it becomes difficult, but I am not a decryption specialist; there are tools that hackers use that can facilitate it if it is a short password.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Local Host

But Mr Gibson says the most important factor is password length!

Of course he discusses complexity too.
Both length and complexity add to the password bitrate, complexity more than length (you should have uppercase, lowercase, numbers and symbols regardless of your password length).

A simple password with 32 characters is more insecure than a complex password with 16 characters.
 

Gangelo

Level 6
Verified
Well-known
Jul 29, 2017
268
I don't believe that stolen credentials are being generated by brute force attacks. You must be a high-value target for the hacker to spend all the time and effort to brute force your password. If the website database has been breached, complexity and length do not matter. It should only be as long and complex as needed to not be guessed by an outsider.

I do the middle solution, fixed 12 characters long with uppercase, lowercase, numbers and special characters generated by my password manager.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Is length even important, or is complexity the most important?

I would like to pick this subquestion.

➡️ Given that the complexity is how many characters you are allowed to use for the password.
➡️ Given that a more secure password is one that would need more time to bruteforce.

The number of possible words you would need to test with bruteforcing is then our metric for saying how secure the password is.

You calculate the number of possible passwords using: NumberOfPasswords = NumberOfCharacters^PasswordLength
E.g., if you have a password of length 3 and digits only (i.e. 10 characters): 10^3 = 1000
On the other hand, a password of length 10 and 3 characters: 3^10 = 59049

ℹ️ So length is more important than complexity.

-----------------------------------------------------------------------

However, this theoretical approach does not take into account dictionary attacks, which are commonly used.
In practical terms:
➡️ password length and complexity only need to be enough so that bruteforcing doesn't help anymore. A password of length 24 is practically as good as 12, because both can't be bruteforced in a reasonable time frame
➡️ beyond that you definitely need to avoid dictionary attacks by:
  • Not reusing passwords that you use somewhere else (one data leak of plain-text passwords and your passwords will potentially be added to word lists).
  • Not using passwords that are likely used by other people.
  • Avoiding actual words with meaning in general. That includes combinations of words with added digits or words in 1337 speak. Attackers know that these are typical modifications and may generate these variations automatically.
 
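The formula in the post above (NumberOfPasswords = NumberOfCharacters^PasswordLength), its two worked numbers, and the "practically as good" argument, carried through in code. This is an added illustration, not code from the thread or from any poster: the guess rate of 10^12 per second and the 100-year horizon are assumed constants chosen for the example, and wordlist_space is an added model of the dictionary-attack case (a word list plus appended digits, the kind of variation the post says attackers generate automatically).

```python
import math

# Assumed constants for illustration only, not figures from the thread.
GUESSES_PER_SECOND = 1e12                 # assumed offline cracking rate
HORIZON_SECONDS = 100 * 365 * 24 * 3600   # "reasonable time frame": 100 years


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must both be >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space, the usual 'bits of strength' figure."""
    return length * math.log2(alphabet_size)


def wordlist_space(dictionary_size: int, appended_digits: int = 0,
                   variants_per_word: int = 1) -> int:
    """Effective space when the password is a dictionary word plus typical
    modifications (appended digits, a fixed number of 1337-style variants)
    that an attacker enumerates instead of every possible character."""
    return dictionary_size * variants_per_word * 10 ** appended_digits


def seconds_to_exhaust(space: int,
                       guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return space / guesses_per_second


def resists(space: int, guesses_per_second: float = GUESSES_PER_SECOND,
            horizon_seconds: float = HORIZON_SECONDS) -> bool:
    """True when exhausting the space takes longer than the horizon."""
    return seconds_to_exhaust(space, guesses_per_second) > horizon_seconds


if __name__ == "__main__":
    cases = [
        ("3 digits (post's example 1)", search_space(10, 3)),
        ("10 chars, 3-symbol alphabet (post's example 2)", search_space(3, 10)),
        ("8 lowercase letters", search_space(26, 8)),
        ("12 printable ASCII (95 symbols)", search_space(95, 12)),
        ("24 printable ASCII (95 symbols)", search_space(95, 24)),
        ("word from 100k list + 4 digits", wordlist_space(100_000, 4)),
    ]
    for label, space in cases:
        print(f"{label:48s} space={space:.3e} "
              f"bits={math.log2(space):6.1f} "
              f"exhaust={seconds_to_exhaust(space):.3e}s "
              f"resists={resists(space)}")
```

The last two printable-ASCII rows are the point of the post: both exceed the horizon at the assumed rate, so extra length past that point buys nothing against brute force, while the word-list row shows how a "word plus digits" password collapses to a space the same rig clears in under a second.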

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Code:
RpZ@qxrdyaUXVuz6RQrn!@LP5FdvWogC!Hsx*$*HVWh%qtQJBz%Z!8unYCbUD*M^S&tx%gaMDLnyC^^%Nvd6trz9ovZrUW$ARDGU*9YgukBpi4hpd^Zcg!SXLKZTMyRj
I picked a 128-character password (as seen above) and Microsoft is like: 😅
 
