Why should you worry about password length?

Is a longer password better than a shorter, more complex one? The answer is: maybe. Generally, a longer password holds up better against cracking attempts. However, if it is built from common dictionary words, e.g. VanillaIceCream, then maybe not.


Gizmodo published a list of the 25 most popular passwords in 2014, and the results are not surprising. Here’s the top 5:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty

Some websites require more complex passwords, but when users are free to choose whatever they want, many pick shorter passwords. A password of sufficient length holds up better against a password guesser or password cracker.

IT security experts recommend changing an 8-character password every week or so. The time between password changes increases with password length: a 12-character password can be changed every 90 days and a 15-character password every year. Admin passwords should be 15 characters or more.

Security auditors and regulations such as PCI DSS require password complexity, which translates into an ugly mess that nobody remembers (e.g. 3#0%Tv:/dMa?.23), forcing people to write passwords down.

Password attackers know that when you enforce password complexity, most people resort to altering a common word, e.g. replacing e with 3 as in m33rkat. They tune their password cracking tools to guess passwords using these common patterns.
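As an added illustration, not code from the original post, of why substitution tricks like m33rkat buy little while a long string of dictionary words also stays guessable: a small Python checker that undoes common substitutions the way cracking rule sets do, tests whether the result can be tiled entirely from a wordlist, and compares that with a naive keyspace estimate. The wordlist, the top-password list, the substitution table and the `assess` function are constructed stand-ins for this example, not a real cracking dictionary.

```python
import math
import string
from typing import List, Optional

# Constructed stand-ins for a cracker's wordlist and top-password list (a real
# checker would load a large wordlist; these are assumptions for the example).
COMMON_WORDS = {"password", "qwerty", "meerkat", "vanilla", "ice", "cream"}
TOP_PASSWORDS = {"123456", "password", "12345", "12345678", "qwerty"}
# Common substitutions that cracking rule sets undo ("m33rkat" -> "meerkat").
LEET_MAP = str.maketrans({"3": "e", "0": "o", "1": "i", "@": "a",
                          "$": "s", "4": "a", "7": "t", "!": "i"})
# Character classes and their sizes for the naive brute-force estimate.
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: c in string.punctuation, len(string.punctuation))]

def normalize(pw: str) -> str:
    """Undo leet substitutions and case, as a rule-based cracker would."""
    return pw.translate(LEET_MAP).lower()

def split_words(s: str, words: set) -> Optional[List[str]]:
    """Return a tiling of s made entirely of dictionary words, or None if impossible."""
    if not s:
        return None
    best: List[Optional[List[str]]] = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                best[i] = best[j] + [s[j:i]]
                break
    return best[len(s)]

def brute_force_bits(pw: str) -> float:
    """Naive keyspace estimate: len * log2(total size of the character classes used)."""
    size = sum(n for test, n in CLASSES if any(test(c) for c in pw))
    return len(pw) * math.log2(size) if size else 0.0

def assess(pw: str) -> dict:
    """Combine the keyspace estimate with a dictionary/rules verdict."""
    raw, norm = pw.lower(), normalize(pw)
    words = split_words(raw, COMMON_WORDS) or split_words(norm, COMMON_WORDS)
    if raw in TOP_PASSWORDS or norm in TOP_PASSWORDS:
        verdict = "top-list"      # guessed within the first few attempts
    elif words is not None:
        verdict = "dictionary"    # long, but tiled from common words plus rules
    else:
        verdict = "ok"            # not reached by these cheap attacks
    return {"bits": round(brute_force_bits(pw), 1), "verdict": verdict, "words": words}
```

Note that VanillaIceCream scores about 85 naive bits yet is flagged as dictionary, while the 7-character m33rkat scores about 36 bits and falls to a single substitution rule.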

How to deal with all this?

If you are even moderately active on the Internet, you probably have several hundred different accounts. Build a simple system for password management. You may want to break things down into three categories:

  • High security accounts - Set a long password for online bank accounts and other high-security accounts. Develop a modification scheme for each account so it always has a unique password.

  • Medium security accounts - These are your online subscriptions, utility companies, perhaps your online photo service, etc.: services you log in to so frequently that you still remember the login credentials. Have at least one long password for each category of medium security accounts.

  • Low security accounts - You will need an account for news sites, etc. In most cases, you will be OK with reusing the same simpler password. (Just get a bit more adventurous and don’t use 123456.)

Of course if you set up and use a password manager or a cloud access panel like Portadi, you may use strong, complex, and unique passwords for everything. If not, develop at least some system where you don’t reuse the same weak password everywhere.

Tip: Think of your password as a sentence; that makes it easier to remember.
