Password Security - is my Password Secure

Password Security – Why Secure Passwords Need Length Over Complexity

Please create a new secure password.

Password has to meet the following criteria:

  • Must be at least 8 characters long.

  • Must contain at least:
    • one uppercase letter [A-Z]
    • one lowercase letter [a-z]
    • one numeric character [0-9]
    • one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?
  • Must not contain your login ID, email address, first name, or last name.
  • Must not contain repeating character strings of 3 or more identical characters (e.g. '1111' or 'aaa').
To log in to the system, you must also:
  • Send in a blood sample with each log in
  • Send in a strand of hair
  • Tap your head while rubbing your stomach and say "Let me in!" three times
Sound familiar? Password rules keep getting more demanding, and for good reason: a determined attacker can run a brute-force attack against a website's login, or against a stolen copy of its password database, and short passwords fall quickly. Remember the 2014 "iCloud security breach", in which private photos of celebrities were taken from their iCloud accounts? That incident was widely reported as password guessing against individual accounts (Apple attributed it to targeted attacks on user names, passwords and security questions rather than a breach of iCloud itself), and longer, more complex passwords would have made it far harder. So would some brute-force prevention on Apple's side, such as locking an account or IP address after a limited number of wrong guesses. But we will set that aside for now.

This may come as a surprise to some people, but a simple, long password is much harder to crack than a complex, short one. Say you follow the criteria most websites impose in order to create a "complex" password: at least 8 characters, an uppercase and a lowercase letter, a number, and a symbol. Your password might end up looking like this: C0mpl3x! -- pretty complex, right? Not so fast.

Which of these two passwords do you think is easier to crack: C0mpl3x! or ThisIsMyPasswrd? (Notice the missing 'o' in ThisIsMyPasswrd.) If you said ThisIsMyPasswrd, you would be very wrong. Even without a digit or a symbol, ThisIsMyPasswrd has nearly twice as many characters (15) as C0mpl3x! (8), and every extra character multiplies the number of guesses a brute-force attack has to make. The missing 'o' also means that not every piece of it is a complete English word, which helps against dictionary attacks. Swapping letters for look-alike digits in C0mpl3x! does not make it secure: cracking tools ship with substitution rules (0 for o, 3 for e, and so on) precisely for this, so C0mpl3x! might as well read Complex!.
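The policy at the top of the post is easy to turn into code, and doing so makes the point concrete: the checker below accepts C0mpl3x! and rejects ThisIsMyPasswrd. This is an added example written for this page, not the validation code of any real site; the function names are mine, and treating the local part of the email address (the part before the @) as covered by the "email address" rule is my assumption.

```python
import re
from typing import List

# The special-character set from the policy above, verbatim.
SPECIALS = set("`!@$%^&*()-_=+[];:'\",<.>/?")

# Three or more identical characters in a row ('1111', 'aaa').
REPEAT_RUN = re.compile(r"(.)\1{2,}")


def policy_violations(password: str, login_id: str = "", email: str = "",
                      first_name: str = "", last_name: str = "") -> List[str]:
    """Return every rule the candidate password breaks; an empty list means it is accepted."""
    problems: List[str] = []

    if len(password) < 8:
        problems.append("must be at least 8 characters long")
    if not re.search(r"[A-Z]", password):
        problems.append("missing an uppercase letter [A-Z]")
    if not re.search(r"[a-z]", password):
        problems.append("missing a lowercase letter [a-z]")
    if not re.search(r"[0-9]", password):
        problems.append("missing a numeric character [0-9]")
    if not any(c in SPECIALS for c in password):
        problems.append("missing a special character")

    # Identity check is case-insensitive. Assumption (mine, not the policy's wording):
    # the email's local part counts too, since that is what people actually reuse.
    identities = {"login ID": login_id, "email address": email,
                  "first name": first_name, "last name": last_name}
    if email and "@" in email:
        identities["email local part"] = email.split("@", 1)[0]
    lowered = password.lower()
    for label, value in identities.items():
        if value and value.lower() in lowered:
            problems.append(f"must not contain your {label} ({value})")

    run = REPEAT_RUN.search(password)
    if run:
        problems.append(f"contains a run of identical characters ({run.group(0)})")

    return problems


def is_acceptable(password: str, **identity: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not policy_violations(password, **identity)


if __name__ == "__main__":
    # The policy accepts the short, rule-shaped password and rejects the far
    # longer one, which is exactly the mismatch the rest of the post is about.
    for candidate in ("C0mpl3x!", "ThisIsMyPasswrd", "Paaa1bcd!", "Jsmith99!x"):
        print(f"{candidate:16} {policy_violations(candidate, login_id='jsmith') or 'accepted'}")
```

Running it shows C0mpl3x! sailing through while ThisIsMyPasswrd is rejected for lacking a digit and a special character; the policy measures the shape of a password, not the work an attacker has to do.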

Computers are getting faster every year, and a powerful home desktop (with the attacker's graphics card doing the guessing against a stolen copy of the password hash, not against the website's login form) would be able to crack many people's 8-character passwords in a matter of seconds. Yes, seconds in some cases.

Password Comparison Tables

Let's look at some tables. The values come from two useful tools you can use to check the strength of a password. The first, How Secure is My Password (labeled HSIMP in the tables below), estimates how long a pure brute-force attack would take. The second, Passfault Analyzer (labeled PA below), uses many more methods to rate a password: dictionary insertion, dictionary substitution, dictionary misspelling, repeated patterns, keyboard patterns, and more. Because it models more than brute force, the Passfault Analyzer usually reports a much lower time. Whichever tool you use, don't type a password you actually use into a third-party website; test one of the same shape instead.
Type                                           | Password        | Time (HSIMP)     | Time (PA) | Security Level
-----------------------------------------------|-----------------|------------------|-----------|---------------
8 character common word                        | required        | 52 seconds       | <1 day    | Useless
8 random characters                            | qkcrmztd        | 52 seconds       | <1 day    | Useless
8 random chars w/numbers                       | kqwbv832        | 11 minutes       | <1 day    | Useless
8 random chars w/mixed case, symbols & numbers | J5bZ>9p!        | 20 days          | <1 day    | Risky
2 common word password                         | orange tea      | 98 days          | <1 day    | Risky
3 common word password                         | this is cool    | 546 years        | <1 day    | Risky
5 uncommon word password                       | du-bi-du-bi-doo | 12 million years | <1 day    | Risky
You'll notice that the time to crack each password according to How Secure is My Password, which assumes a pure brute-force attack, keeps growing. That is length at work: every character added to a password multiplies the number of guesses a brute-force attack needs by the size of the character set. According to the Passfault Analyzer, however, every password above falls in under a day. That's not good. Why? Because they use common dictionary words and simple patterns, and none is longer than 15 characters, so a dictionary or pattern-based attack never has to brute-force them.
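To make the length-versus-complexity argument concrete, here is a small Python model of the two kinds of attack the tables measure: a pure brute-force search over the character classes present (what How Secure is My Password assumes) and a wordlist attack that undoes look-alike substitutions before looking a word up (a much simplified version of what the Passfault Analyzer does). This is an added example, not code from either tool. The guess rate of four billion per second is an assumption chosen because it reproduces the 52-second, 11-minute and 20-day figures for the 8-character rows; the tiny wordlist is constructed for the demonstration, and the substitution table and function names are mine.

```python
import string
from typing import Optional

# Assumption: the HSIMP figures above (52 s for 8 lowercase letters, 11 min with
# digits, 20 days with all classes) line up with roughly 4e9 guesses per second.
GUESSES_PER_SECOND = 4e9

# 95 printable ASCII characters = 26 lower + 26 upper + 10 digits + 33 others
# (32 punctuation marks plus the space).
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def keyspace(password: str) -> int:
    """Guesses a brute-force attacker needs if all it knows is the length and which classes appear."""
    alphabet = sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in password))
    return alphabet ** len(password)


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate


def dictionary_seconds(word_count: int, wordlist_size: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Cost of a wordlist attack: every combination of word_count words from a list of wordlist_size."""
    return wordlist_size ** word_count / rate


# Look-alike substitutions a cracker's rule file undoes before a dictionary lookup (my table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed miniature wordlist standing in for a real cracking dictionary.
WORDLIST = {"complex", "password", "required", "orange", "tea", "this", "is", "cool", "my"}


def leet_normalize(password: str) -> str:
    """Lowercase the password and map digits/symbols back to the letters they imitate."""
    return password.lower().translate(LEET)


def dictionary_core(password: str) -> Optional[str]:
    """Single dictionary word left once case, look-alikes and surrounding punctuation are stripped, if any.
    (Multi-word passwords such as ThisIsMyPasswrd would need a segmentation step; a real tool has one.)"""
    core = leet_normalize(password).strip(string.punctuation + " ")
    return core if core in WORDLIST else None


def humanize(seconds: float) -> str:
    """Round a duration to the largest convenient unit, the way the tables above report it."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    for pw in ("required", "qkcrmztd", "kqwbv832", "J5bZ>9p!", "C0mpl3x!", "ThisIsMyPasswrd"):
        core = dictionary_core(pw)
        print(f"{pw:16} brute force {humanize(brute_force_seconds(pw)):>22}"
              f"   rule attack: {'finds ' + repr(core) if core else 'no dictionary hit'}")
    # Three words from a 10,000-word list: 10,000^3 = 1e12 guesses, minutes rather than centuries.
    print("3 words from a 10,000-word list:", humanize(dictionary_seconds(3, 10_000)))
```

Run it and the 8-character rows come out as in the table, while C0mpl3x! collapses to the word "complex" after substitutions and three words drawn from a 10,000-word list cost about four minutes. That is the whole lesson of the PA column: length only helps if the extra characters are not something a wordlist already contains.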

Let's change that. I will start using some longer passwords or passphrases which will be a number of words separated by either spaces or dashes along with adding some complexity such as lower/uppercase letters, numbers, and symbols. In fact, let's try some small sentences with punctuation as our password and see what the results are.
Type         | Password                  | Time (HSIMP)        | Time (PA)            | Security Level
-------------|---------------------------|---------------------|----------------------|---------------
Passphrase 1 | i own 2 dogs and 1 cat    | 1 sextillion years  | 330130 centuries     | Secure forever
Passphrase 2 | I own 2 dogs and 1 cat!   | 30 octillion years  | 8594846 centuries    | Secure forever
Passphrase 3 | #I own 2 dogs and 1 cat!? | 285 nonillion years | 1220882818 centuries | Secure forever
Whoa... a crack time of 285 nonillion years and 1220882818 centuries from both sites? Now we're talking!

I can't stress enough the importance of length paired with complexity. Passphrases need to replace the typical short password. Sure, one takes a little longer to type, but the benefits greatly outweigh that slight disadvantage.

Passphrase Tips and Examples

Here is a list of tips to consider when creating a new passphrase:

  • Don't use common dictionary words - Ex. orange, car, password
  • Don't use sequential letters or numbers - Ex. 12345, abcde
  • Don't use repeated letters/numbers or keyboard patterns - Ex. 111, aaa, qwerty, asdfgh
  • Don't use the same passphrase for every site if you can help it. One approach is a site-specific phrase such as "I am accessing Facebook!" for Facebook or "I am accessing YouTube!" for YouTube. Bear in mind that once one of these leaks, the pattern gives away the others, so a password manager holding a different passphrase for each site is the safer form of this tip.

  • Consider using spaces - Ex. Instead of "iown2dogs", use "i own 2 dogs"
  • Consider using misspellings - Ex. Instead of "why would you do that", use "why wuld u do tht". A word that is not in a dictionary is harder to find, though the Passfault Analyzer's "dictionary misspelling" check exists precisely because crackers model common misspellings too, so treat this as a bonus on top of length rather than a substitute for it.
  • Consider using a long and complex passphrase - Ex. Instead of "i own 2 dogs and 1 cat", add some punctuation and capitalization to get something like "I own 2 dogs, and 1 cat!"
Here is a list of example passphrases to help spark some ideas, along with the time the Passfault Analyzer says each would take to crack:

  • One(1)+Seven(7)=Eight(8)!! - 9558454160 centuries
  • Me gu5ta L0s Angeles?! - 686 centuries
  • #My son's bday is 20,Dec() - 39490895060 centuries
  • *I gr4duated in twenty-ten. - 4042 centuries
  • I am accessing Facebook! - 1 century, 5 decades


All in all, it's time we all started taking password security seriously and followed better practices when creating our passwords (unless you don't mind getting hacked, of course). So many sites have you create a "complex" password, which usually ends up being an 8-character mix of letters, symbols, and numbers like J5bZ>9p!. Sites call passwords like these "strong" when in reality many of them could be cracked in under a day by a determined attacker.

We need to move away from passwords (generally using one word) and begin using passphrases which could be a sentence or multiple words. Not only are you preventing yourself from getting hacked, but they can also be extremely easy to remember. Which is easier to remember? J5bZ>9p! or I like kitty cats!? I would hope I like kitty cats! would be easier to remember and it would take almost 10 years longer to crack than J5bZ>9p!.

The longer you can make your passphrase while still adding some complexity, the better. Password guessing was used against multiple celebrities' accounts in the iCloud incident, and it could have been prevented had their passwords been longer and more complex. The bigger problem is that many people use the exact same password for all their accounts, such as Facebook, email, and their bank. All it takes is one determined attacker and one weak password for all of that information to be breached.

Do yourself a favor and put more thought into password security. You can create an extremely secure (yet very memorable) password/passphrase in a matter of seconds if you follow the tips mentioned in this post. There is no need to make some crazy random array of letters, numbers, and symbols which you will never remember. You'll thank yourself later when your personal info stays as it should... personal.

Comments 16

  1. Pingback: 10 Quick Tips on Cybersecurity, Privacy - Radical Compliance

  2. An interesting write up. I use 1Password myself to generate the passwords for me, makes it a lot easier to manage multiple passwords across many different accounts.

    It’s surprising just how many people believe a combination of a few random letters is secure, when in reality as shown above a string of easily rememberable words is a lot harder to crack.

    1. Post

      I haven’t used 1Password before, but definitely have heard of it. I may look into it sometime. But yes, I agree. Everyone believes that a random combination of a few letters/numbers/symbols is secure when really brute force attacks can crack those passwords in a very short time. A long string/sentence is much better!

  3. Pingback: Passwords – Complexity or Length? • Weblog for MIS 4153

  4. Another thing to add.

    Use current goals you have as your passphrase. That way you will have a better motivation, plus when your goals change, so do your passwords.

    Ex. “G0 to The Gym! Get Buf7”

    1. Post

      This is a fantastic piece of advice. In fact, I had a friend of mine tell me a few months ago that they do exactly this. Their password is the goal they want to work on each year, and they change their password as their goal changes. Easy to remember, and very secure!

  5. Pingback: A longer password is more secure | The Road Less Travelled

  6. Thank you soooo much for sharing this information! Between your article and Passfault, I changed a lot of my passwords, including the master password for LastPass. It is now good for a 15 digit number worth of centuries!

    All my information is much safer thanks to your article.

    1. Post

      Hi there! Thanks for the comment. I’m happy to hear you were able to change your password and make it much more secure. Having a very secure password for LastPass is crucial!

  7. Does the strength of passwords increase when you use words that aren't even in the English language? Is a password that is entirely in Spanish, with words that are only native to a specific country, harder to crack?

    1. Post

      That’s a good question, Konch. I suppose it depends on what the people trying to crack the password are using for their attacks, whether it be a dictionary looking for English words, Spanish words, or whatever. It’s usually good practice to put some letters/characters in there that don’t spell out a word to help throw off attacks.

  8. People should be wary of sites which ask for your password, *especially* if they’re asking you to transmit that to them, and *even more so* if that site is not running over HTTPS.

    For instance, one of the sites this article suggests (passfault) is not running over HTTPS (it’s also apparently a fork of an OWASP project?).

    1. Post

      Hey Peter, good catch. I didn’t realize Passfault wasn’t running over HTTPS, and I don’t know the whole story of how it’s related to an OWASP project. Appreciate the comment.

  9. I’m laughing because the password I just use would take like 4000000 centuries, according to the passfault website, for a $500,000 government computer to hack it.
