Password Complexity vs. Password Length

It has become far more common these days to hear ‘normal’ people talk about password security, previously it was exclusively IT professionals and enthusiasts who would say things like “you need at least a number and symbol in your password for it to be secure”. Fortunately, we’re moving towards a future where more and more nontechnical or home users are actually understanding the reasons for ensuring a password is strong and hard for another person to guess.

Unfortunately, there is increasingly complex advice when it comes to choosing a secure password which leaves people confused or following practices which are not as useful as others.

This post will focus on the two main pieces of advice for choosing a secure password, explain the reasons why you should choose one or other (or combine them) and finally give recommendations aligned with other best practices and also simple to remember and repeatable method for having secure and hard to guess passwords every time. So firstly let’s define what complexity and length mean when discussing passwords.

Complexity:

Passwords are almost always made up of a combination of letters, numbers and symbols. The complexity comes in when you substitute or add combinations of all three to create a hard to guess (and in many cases hard to remember) password.
An example would be taking the name of your favourite book (Data and Goliath), film (Fight Club) and tv show (Grimm) and using just the first letters of each to form something like this: “dagfcg”. Now, this is a completely random and hard to guess (for a human) password. However, it is only 6 characters long and simple for a computer to work out after all computers can guess passwords at a rate of millions a minute and therefore would make short work of a password like “dagfcg”.
In this case, some advice would tell you to make it complex and therefore make it far harder to guess. Take the password and now add a number and a symbol to it. We’ll use the number 5 and the dollar symbol ($). So “dagfcg” becomes “5dagfcg$”. Instantly you have a harder to guess password (for a human or computer) and it’s now 8 characters long, which is at least better than 6! The next technique takes a different approach and favours length over complexity.

Length:

The average password is often between 6-9 digits in length and (hopefully) contains a mix of letters, numbers and symbols. The ‘complex’ method above when in isolation and with short passwords (under 12 characters) actually proves to have limited effectiveness in keeping your accounts and computers secure. Due to the huge scale passwords are attacked and guess by computers these days it is important that passwords are also longer (at least 12 characters) in length.
This presents a problem, while our above example of “dagfcg” was easy to remember (book, film and tv show) we need to add twice as many memorable things to our password method to meet the 12 character minimum. Fortunately, while short passwords should NEVER contain simple words or sequences of numbers (like ‘Batman’ or ‘123456’), longer passwords can have simple words strung together which actually creates a long and strong password.
Using our above example, “dagfcg” could become something like this: “DataFightGrimm” which is 14 characters, easy to remember and meets our requirement of being 12 characters or more. A computer could easily guess any of those words in isolation as a password, but together they create a unique and very hard to crack the password.

Complexity & Length:

Having a simple long password which is easy to remember is better than the earlier short but complex password. However, to really ensure your password is secure it should incorporate both techniques. So taking what we have learned from each of them we could create a password like this: “5DataFightGrimm$”. This password is now 16 characters long, contains lower and upper case letters, a number and a symbol. This is the ideal type of password, because you can easily recall the primary words (just think, favourite book, film and tv show) and then remember you started it with a number five (5) and ended it with a dollar symbol ($).

We have now created a great looking password, however we now have a problem. If we use it on every website and service we have it increases the risk of that website being compromised and the password being leaked. Now, this ’shouldn’t’ ever happen, but it does. Whether it’s Evernote or Target, these companies cannot guarantee that the database which contains your complex and long password won’t make it’s way out onto the internet via some hacker forum. Therefore we need a way to ensure we use a different password for every different website or service we use. With many online users having 100’s of online accounts this would be highly challenging to use the above methods and also maintain complicity and length.

Therefore we use a variation technique which works like this. You take your ‘root’ password, which should be both long and complex (just like our one above) and then add a slight variation for every different account you have. An example for the BBC website would look something like this: “5DataFightGrimm$BBC” or like this for the service Twitter: “5DataFightGrimm$TWIT”. This instantly ensures that your password will still be easy to remember as you have one ‘root’ password with slight variations based on the account your logging into. All you need to do is say the name of the service or website in your head and you then know the additional letters at the end of your password. You could also place them at the start of the password or middle. As long as your method is consistent you can have 100’s of variations to your password but be able to remember them each time you need them.

Summary:

There are two primary lessons to remember:

  • Length First, Complexity Second:
    Although complexity does boost the security of a password, the length of a password is of greater importance, specifically ensuring the length is 12 or more characters.
  • Use Variation
    Never use the same password (strong or not) on multiple websites, you don’t know what they are doing with them and don’t know if they are stored safely. Therefore use a variation of your ‘master’ or ‘root’ password on each site by adding the letters, acronyms or syllables to the password per account you need to have a password for.

Note: This was first authored (by myself) for a small blog/project which is now shut down and I wanted to keep the content.

Other Posts