Crambler is supported by its readers. If you purchase through a link on our site, we may earn a commission. Learn more

Password Security Why Secure Passwords Need Length Over Complexity

Please create a new secure password.

Password has to meet the following criteria:

  • Must be at least 8 characters long.
  • Must contain at least:
    • one uppercase letter[A-Z]
    • one lowercase letter[a-z]
    • one numeric character [0-9]
    • one special character from this set: ` ! @ $ % ^ & * ( ) – _ = + [ ] ; : ‘ ” , < . > / ?
  • Must not contain your login ID, email address, first, or last name.
  • It cannot contain repeating character strings of 3 or more identical characters. (E.g. ‘1111’ or ‘aaa’)

To log in to the system, you must also:

  • Send in a blood sample with each log in
  • Send in a strand of hair
  • Tap your head while rubbing your stomach and say “Let me in!” three times

Sound familiar? Passwords these days are required to be more and more complex, and for the right reason. It is all too easy for a determined hacker to run a brute-force attack on a website in order to steal someone’s password, especially if it is shorter.

Do you remember the “iCloud security breach” where many photos of celebrities were stolen off their iCloud accounts? That was done through a brute-force attack, and it all could have been easily prevented if the passwords had been both more complex AND longer. Well that, and if Apple had some sort of brute-force prevention in place such as a limited amount of password guesses before that IP is locked out. But we will ignore that for now.

This may come as a surprise to some people, but a simple, yet long password is much harder to crack than a complex, but short password. Say that you’re following the criteria that most websites make you follow in order to create a “complex” password. Your password needs to be at least 8 characters, needs to have a capital and lowercase letter, a number, and a symbol. Okay, so your password might come to look something like this: C0mpl3x! — pretty complex, right? Not so fast.

Which one of these passwords do you think is easier to crack? C0mpl3x! or ThisIsMyPasswrd? Notice the missing ‘o’ in ThisIsMyPasswrd. If you said ThisIsMyPasswrd would be easier to crack, you’d be very wrong.

Despite the fact that it doesn’t use a number or a symbol, ThisIsMyPasswrd has nearly double the characters (15) as C0mpl3x! (8) which makes it significantly harder for a hacker to figure it out by using a brute-force attack.

Also, since the ‘o’ is missing from the word “password”, all of the pieces aren’t full English words. This helps with password security as well. Although some letters are replaced for numbers in the C0mpl3x! password, it doesn’t make it secure. Certain hack attempts know all about replacing letters with numbers and C0mpl3x! might as well just read Complex!.

Computers are getting faster and faster each year, and a powerful home desktop would be able to crack many people’s 8-character passwords in a matter of seconds. Yes, seconds in some cases.

Password Comparison Tables

Let’s look at some tables. These values are coming from two great tools that you can use to check how secure your own password is. The first one is called How Secure is My Password (labeled HSIMP in the table below) and it determines how long it would take to crack your password using a brute-force attack. The other tool I used is called Passfault Analyzer (labeled PA in the table below) and it uses all sorts of methods for determining how secure your password is. This might include dictionary insertion, dictionary substitution, dictionary misspelling, repeated patterns, keyboard patterns, and more. So the Passfault Analyzer tool will usually calculate a lower time since it takes into account more than brute-force when analyzing your password.

TypePasswordTime (HSIMP)Time (PA)Security Level
8 character common wordrequired52 seconds<1 dayUseless
8 random charactersqkcrmztd52 seconds<1 dayUseless
8 random chars w/numberskqwbv83211 minutes<1 dayUseless
8 random chars w/mixed
case, symbols, & numbers
J5bZ>9p!20 days<1 dayRisky
TypePasswordTime (HSIMP)Time (PA)Security Level
2 common word passwordorange tea98 days<1 dayRisky
3 common word passwordthis is cool546 years<1 dayRisky
5 uncommon word passworddu-bi-du-bi-doo12 million years<1 dayRisky

You’ll notice that the time it takes to crack your password according to How Secure is My Password which assumes a brute-force attack keeps getting larger and larger. This is due to the length of the password. Each character you can add onto your password adds tremendously more time when it comes to trying to crack it with a brute-force attack. However, according to the Passfault Analyzer, all of the passwords I have provided will be cracked in less than a day. That’s not good. Why is this? Well, I’m using common dictionary words, simple patterns, and still don’t have a password larger than 15 characters.

Let’s change that. I will start using some longer passwords or passphrases which will be a number of words separated by either spaces or dashes along with adding some complexity such as lower/uppercase letters, numbers, and symbols. In fact, let’s try some small sentences with punctuation as our password and see what the results are.

TypePasswordTime (HSIMP)Time (PA)Security Level
Passphrase 1i own 2 dogs and 1 cat1 sextillion years330130 centuriesSecure forever
Passphrase 2I own 2 dogs and 1 cat!30 octillion years8594846 centuriesSecure forever
Passphrase 3#I own 2 dogs and 1 cat!?285 nonillion years1220882818 centuriesSecure forever

Whoa… a crack time of 285 nonillion years and 1220882818 centuries from both sites? Now we’re talking!

I can’t stress enough the importance of having length paired with complexity. Passphrases need to start getting used rather than your typical password. Sure, it might take longer to type in, but the benefits greatly outweigh those slight disadvantages.

Passphrase Tips and Examples

Here is a list of tips to consider when creating a new passphrase:

  • Don’t use common dictionary words – Ex. orange, car, password
  • Don’t use sequential letters or numbers – Ex. 12345, abcde
  • Don’t use repeated letters/numbers or keyboard patterns – Ex. 111, aaa, qwerty, asdfgh
  • Don’t use the same passphrase for every site if you can help it. Something you could do would be to make a passphrase saying “I am accessing Facebook!” for Facebook, or “I am accessing YouTube!” for YouTube, etc.
  • Consider using spaces – Ex. Instead of making it “iown2dogs”, make it “i own 2 dogs”
  • Consider using misspellings – Ex. Instead of making it “why would you do that”, make it “why wuld u do tht”. If the word is not in a dictionary, it helps make it more secure.
  • Consider using a long and complex passphrase – Ex. Instead of making it “i own 2 dogs and 1 cat”, add some punctuation and capitalization to make it something like “I own 2 dogs, and 1 cat!”

Here is a list of example passphrases you could use to help spark some ideas along with the amount of time it would take to crack it according to the Passfault Analyzer:

  • One(1)+Seven(7)=Eight(8)!! – 9558454160 centuries
  • Me gu5ta L0s Angeles?! – 686 centuries
  • #My son’s bday is 20,Dec() – 39490895060 centuries
  • *I gr4duated in twenty-ten. – 4042 centuries
  • I am accessing Facebook! – 1 century, 5 decades


All in all, it’s time that we all start taking password security seriously by considering better practices when creating our passwords (unless you don’t care about getting hacked of course). So many sites these days have you create a “complex” password which usually ends up being an 8-character password with a mix of letters, symbols, and numbers like J5bZ>9p!. Sites call passwords like these “strong” when in reality many of them could be hacked in under a day by a determined hacker.

We need to move away from passwords (generally using one word) and begin using passphrases which could be a sentence or multiple words. Not only are you preventing yourself from getting hacked, but they can also be extremely easy to remember. Which is easier to remember? J5bZ>9p! or I like kitty cats!? I would hope I like kitty cats! would be easier to remember and it would take almost 10 years longer to crack than J5bZ>9p!.

The longer you can make your passphrase while still adding some complexity, the better. A brute-force attack was used to hack multiple celebrities in the iCloud incident, and it could have been prevented had their passwords been longer and more complex. The problem is that many people use the same exact password for all their accounts such as their Facebook, email, and bank account. All it takes is one determined hacker and a weak password for all that information to be breached.

Do yourself a favor and put more thought into password security. You can create an extremely secure (yet very memorable) password/passphrase in a matter of seconds if you follow the tips mentioned in this post. There is no need to make some crazy random array of letters, numbers, and symbols which you will never remember. You’ll thank yourself later when your personal info stays as it should… personal.

Similar Posts


  1. thank you, thank you, thank you! As a senior I detest having to make different passwords!!! It sure was the Lord who put your page in front of me. I understand so much better now.

  2. I used this article to post on my business Facebook and to use for managers at my business to learn about the reason for long passwords. Thanks for the detailed post.

  3. I don’t understand the need for complex passwords when most sites for important stuff (financial) only give you 3 atempts then lock you out. And many other sites once you have guessed 5 or more times add growing amount of time between each subsequent guess making 1,000’s of guesses impossible.

    So why all the fuss over complex passwords?

    1. The whole idea behind complex passwords is to (hopefully) prevent hackers from gaining access to your account easier. However, this post is saying that you don’t need some crazy combination of letters and numbers (which nobody remembers). Rather, you could use a simple sentence as your password which is easy to remember and it would be much more secure because it has more characters in it.

  4. DON’T trust any password checking site with any current passwords, talking about fishing for passwords, use expired or similar passwords, like I did (~3000 Centuries).

  5. Re: “I am accessing Facebook” or “I am accessing YouTube!”…
    Once you crack one password and figure out the substitution to make, it’s quite easy to crack passwords for other sites, no?
    If you use this tip, it should be obfuscated enough to become non-obvious to everyone else.

    1. Hi, Guillaume. Yes, you are correct in saying that once you crack one password and figure out the substitution to make, it would be quite easy to crack passwords for other sites. However, the whole idea behind creating a long password such as “I am accessing Facebook!” is so that it never gets cracked. If you had a password such as “F@c3b00k!” or “Y0uTub3!,” it would be way easier to crack than having one that says “I am accessing Facebook!” Even better would be to have a long, random sentence as a password.

  6. I’m laughing because the password I just use would take like 4000000 centuries, according to the passfault website, for a $500,000 government computer to hack it.

  7. People should be wary of sites which ask for your password, *especially* if they’re asking you to transmit that to them, and *even more so* if that site is not running over HTTPS.

    For instance, one of the sites this article suggests (passfault) is not running over HTTPS (it’s also apparently a fork of an OWASP project?).

    1. Hey Peter, good catch. I didn’t realize Passfault wasn’t running over HTTPS, and I don’t know the whole story of how it’s related to an OWASP project. Appreciate the comment.

  8. Does the strength of passwords increase when you use words that arent even in the English language. Is a password that is entirely in spanish with words that are only native to a specific country harder to crack?

    1. That’s a good question, Konch. I suppose it depends on what the people trying to crack the password are using for their attacks, whether it be a dictionary looking for English words, Spanish words, or whatever. It’s usually good practice to put some letters/characters in there that don’t spell out a word to help throw off attacks.

  9. Thank you soooo much for sharing this information! Between your article and Passfault, i changed a lot of my passwords, including the master password for LastPass. It is now good for a 15 digit number worth of centuries!

    All my information is much safer thanks to your article.

    1. Hi there! Thanks for the comment. I’m happy to hear you were able to change your password and make it much more secure. Having a very secure password for LastPass is crucial!

  10. Another thing to add.

    Use current goals you have as your passphrase. That way you will have a better motivation, plus when your goals change, so do your passwords.

    Ex. “G0 to The Gym! Get Buf7”

    1. This is a fantastic piece of advice. In fact, I had a friend of mine tell me a few months ago that they do exactly this. Their password is the goal they want to work on each year, and they change their password as their goal changes. Easy to remember, and very secure!

  11. An interesting write up. I use 1Password myself to generate the passwords for me, makes it a lot easier to manage multiple passwords across many different accounts.

    It’s surprising just how many people believe a combination of a few random letters is secure, when in reality as shown above a string of easily rememberable words is a lot harder to crack.

    1. I haven’t used 1Password before, but definitely have heard of it. I may look into it sometime. But yes, I agree. Everyone believes that a random combination of a few letters/numbers/symbols is secure when really brute force attacks can crack those passwords in a very short time. A long string/sentence is much better!

Leave a Reply

Your email address will not be published. Required fields are marked *