Security Corner

Sep 29 2015   3:41PM GMT

Passwords today: How long and how complex is enough?

Ken Harthun

Data breach
High performance computing

In these days of high-profile data breaches, it behooves us to take another look (or two) at passwords. Computing power has increased at a phenomenal rate over the years, making it relatively straightforward to defeat short and simple passwords with common, freely available password-cracking tools. If you want to explore the exponential increase in computing power further, this Wikipedia article on Moore’s Law is quite enlightening. Here’s an interesting comparison:

[Illustration] An Osborne Executive portable computer from 1982, with a Zilog Z80 4 MHz CPU, and a 2007 Apple iPhone with a 412 MHz ARM11 CPU; the Executive weighs 100 times as much, has nearly 500 times the volume, costs approximately 10 times as much (adjusted for inflation), and has about 1/100th the clock frequency of the smartphone.

In March 2014, I posted “Oh no! Not another password post!” In that post, I recommended 12 characters as a minimum length and said that 15 characters is even better. I still stand by those numbers; however, I did not address password complexity in that post. Length means nothing if the password is one that is commonly used, such as those on this list, or is a dictionary word or common phrase. Cracking tools do not begin with brute force; they begin with lists of leaked passwords, dictionary words and well-known phrases, with rules applied for capitalization and common substitutions, so anything on those lists falls in the first pass regardless of its length. “LetMeIn” and “antidisestablishmentarianism” are equally useless. Even “TippecanoeandTylerToo,” though seemingly complex, would be easily cracked, as it’s a common phrase from American history.

Complexity connotes intricacy: the more intricate the pattern of a maze, for instance, the more complex its solution. Intricacy connotes quantity: the more parts there are to a machine, the more intricate its design. Therefore, we make passwords more complex by using more parts in their creation. For a password, the “parts” are the character classes it draws on, and each additional class enlarges the alphabet an attacker has to search. This is simply illustrated by comparison. “Password” is eight characters long and uses only letters; “P12@#or9” is also eight characters long but uses letters, numerals and special characters. The latter is the more complex: an attacker forced to try every combination faces roughly 94^8 (about 6 × 10^15) candidates for the second password but only 52^8 (about 5 × 10^13) for the first, and “Password” sits on every common-password list anyway. Note that complexity alone does not rescue a short password: eight characters drawn from a 94-symbol alphabet is still within reach of an offline attack against a fast hash, which is why length and complexity have to work together.

So, how long is long enough, and how complex is complex enough? A password that is 12 to 15 characters long, is not a common word or phrase, mixes upper- and lower-case letters, and includes special characters and some numerals should be good for most situations.
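The rule just stated, together with the two points made above it (a long password is worthless if it is on a list, and complexity is the size of the alphabet), can be turned into a small checker. The Python below is an added example and is not code from the original post. The common-password and phrase lists are constructed stand-ins with a handful of entries (a real check loads the full lists), and the guessing rate of 10^10 per second is an assumed figure for a fast, unsalted hash on GPU hardware.

```python
import math
import string

# Constructed stand-ins for the "commonly used passwords" list and a dictionary /
# common-phrase list; a real deployment loads the full lists instead of these.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
COMMON_WORDS_AND_PHRASES = {
    "antidisestablishmentarianism",
    "tippecanoeandtylertoo",
    "iloveyou",
}

# Character classes in the sense the post uses: letters, numerals, special characters.
CHARSETS = [
    ("lower", set(string.ascii_lowercase)),   # 26 symbols
    ("upper", set(string.ascii_uppercase)),   # 26 symbols
    ("digit", set(string.digits)),            # 10 symbols
    ("special", set(string.punctuation)),     # 32 symbols
]

# Assumed attacker rate for a fast, unsalted hash on a GPU rig; a slow, salted
# hash (bcrypt, scrypt, PBKDF2) lowers this by several orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 1e10


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return [name for name, chars in CHARSETS if any(c in chars for c in password)]


def keyspace_bits(password):
    """log2 of the brute-force search space, alphabet ** length, where the alphabet
    is the union of the classes the password uses. Characters outside every class
    (spaces, non-ASCII) add length but are not counted toward the alphabet."""
    used = classes_used(password)
    alphabet = sum(len(chars) for name, chars in CHARSETS if name in used)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def crack_seconds(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected time to hit the password by exhaustive search (half the space)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def normalize(password):
    """Lower-case and keep only letters and digits, so that a spaced or
    punctuated rendering of a phrase still matches the phrase list."""
    return "".join(c for c in password.lower() if c.isalnum())


def evaluate(password, min_length=12, min_classes=3):
    """Apply the post's rule: not a common password, word or phrase;
    at least min_length characters; at least min_classes character classes."""
    reasons = []
    norm = normalize(password)
    if norm in COMMON_PASSWORDS:
        reasons.append("common password")
    if norm in COMMON_WORDS_AND_PHRASES:
        reasons.append("dictionary word or common phrase")
    if len(password) < min_length:
        reasons.append("shorter than %d" % min_length)
    used = classes_used(password)
    if len(used) < min_classes:
        reasons.append("only %d character class(es)" % len(used))
    return {
        "ok": not reasons,
        "reasons": reasons,
        "classes": used,
        "bits": round(keyspace_bits(password), 1),
    }


if __name__ == "__main__":
    samples = ["Password", "P12@#or9", "LetMeIn", "antidisestablishmentarianism",
               "TippecanoeandTylerToo", "Mz7#kq2Lp!v9Rt"]   # last one is constructed
    for pw in samples:
        r = evaluate(pw)
        print("%-30s bits=%6.1f  exhaustive=%9.3g s  ok=%-5s %s"
              % (pw, r["bits"], crack_seconds(r["bits"]), r["ok"], ", ".join(r["reasons"])))
```

Running it makes the post's argument concrete: “antidisestablishmentarianism” scores over 130 bits of nominal brute-force keyspace, far more than “P12@#or9”, yet it is rejected outright because a wordlist finds it before any brute force begins; the two eight-character examples both fail the length rule, and only the constructed 14-character, four-class password passes.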

Next up: Password advice from Great Britain’s GCHQ.
