How long is your password?

I think it's safe to assume that anyone who has used the internet has at some point been required to create an account for a website. And while your identifying information might vary (username, screen name, email address, etc.), you will always be required to supply a password to go along with it. Most sites these days will also advise you of certain password requirements: for example, the password has to contain a number, an uppercase letter, a symbol and/or must meet a minimum character length. This is known as password complexity.

For a long time we’ve been taught that a good password is one that is unique (a non-duplicated password that you only use for a particular account) and complex (a mix of the characters described above). But what about password length? Does it matter as long as your password meets the minimum character length, and can a longer password provide more security than a complex password? The short answer is yes, but there’s much more to it.

While complexity is a very important component of password strength and security, the length of your password can EXPONENTIALLY increase its security and reduce the likelihood that a hacker will be able to compromise your password. Understand that hackers have many methods and tools at their disposal to crack someone’s password. Nothing digital is “hack-proof”, so our goal should be to make it much harder for them to do so. Many hackers tend to go after soft targets who have weak security measures in place, so by strengthening your password, you make yourself a less likely target.

My personal recommendation is the longer your password, the more secure it is. This of course could be undermined if you use a password like “january3rdismybirthday”. While this password is indeed long (22 characters), it is built from dictionary words: common words that are found in a dictionary and are susceptible to password attacks. The password itself also lacks complexity. A much more secure password would be “J@nu@rY3rD!SmyB*rt#D@Y”. Not only does this variation have length, but it also incorporates complexity through the use of uppercase letters, symbols and numbers. A neat little tool called howsecureismypassword.net allows you to test your current password(s) and gives you an approximation of how long it would take a standard computer to crack your password using special software. According to the site, january3rdismybirthday would take up to 137 quadrillion years to crack, or 137,000,000,000,000,000. J@nu@rY3rD!SmyB*rt#D@Y would take 2 septillion years, or 2,000,000,000,000,000,000,000,000. Compare that to a common, short password like 1234567 (yes, people do use this as their password…), which would take 0.1 seconds to crack, if not less.
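The following added example (not part of the original article) compares the three passwords above by search-space size in bits, and shows how a password made of dictionary words is weaker than its length alone suggests. The 100,000-word attacker list and the small sample dictionary are assumptions made for illustration.

```python
import math
import string

# Assumed attacker wordlist size for the dictionary model (illustrative only).
ASSUMED_WORDLIST_SIZE = 100_000
# Constructed mini-dictionary, just enough to segment the article's example.
SAMPLE_WORDS = {"january", "3rd", "is", "my", "birthday", "password"}

def pool_size(password):
    """Size of the character pool a brute-force search must cover."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(p) for p in pools if any(c in p for c in password))

def brute_force_bits(password):
    """log2 of the search space pool_size ** length (0 for an empty password)."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))

def min_dictionary_tokens(password, words=SAMPLE_WORDS):
    """Fewest dictionary words that concatenate to the password, or None."""
    lowered = password.lower()
    best = [0] + [None] * len(lowered)  # best[i]: fewest words covering lowered[:i]
    for end in range(1, len(lowered) + 1):
        for start in range(end):
            if best[start] is not None and lowered[start:end] in words:
                candidate = best[start] + 1
                if best[end] is None or candidate < best[end]:
                    best[end] = candidate
    return best[-1]

def effective_bits(password):
    """Lower of the brute-force and word-combination estimates."""
    bits = brute_force_bits(password)
    tokens = min_dictionary_tokens(password)
    if tokens is not None:
        # Each word is one guess out of the assumed wordlist, not one per character.
        bits = min(bits, tokens * math.log2(ASSUMED_WORDLIST_SIZE))
    return bits

if __name__ == "__main__":
    for pw in ("1234567", "january3rdismybirthday", "J@nu@rY3rD!SmyB*rt#D@Y"):
        print(f"{pw!r}: length={len(pw)} pool={pool_size(pw)} "
              f"brute-force={brute_force_bits(pw):.1f} bits "
              f"effective={effective_bits(pw):.1f} bits")
```

Each extra character adds log2(pool size) bits, which is the exponential growth described above. The model ignores character-substitution rules, so the figure for the symbol-substituted variant is an upper bound.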

I myself have been guilty of using a 6-character, dictionary-word password in the past that howsecureismypassword.net says could be cracked INSTANTLY. If we as a society are to start taking information security more seriously and protect our online identities and data, short, non-complex passwords should no longer be the standard. Take the time today to evaluate your current passwords and decide if they need to be changed to be more secure.

Written by Paul Tolbert
Paul Tolbert is an email security specialist & tech blogger living in Pensacola, Florida. He is the founder of TolbertSecurity.com, where he posts informative tips, research and up-to-date news regarding cyber security.