How long should my password be?

A strong password doesn’t have to be 30 characters long. But if you’re using an eight-character password, you have a good chance of being hacked. This article will help you understand how long your password should be.

For decades, information security experts have tried to get
people to create stronger passwords by requiring a minimum length (usually
eight characters), plus at least one capital letter, one number, and one
special character (like @, #, or !). This strategy is now widely considered to
be a failure. Many people simply created an obvious variation of their previous
password. “Letmein1!” is as easy for a computer to crack as “letmein”, even
though it’s longer and more complex.

This goes to show that there are multiple elements that
factor into how strong your password is. Length is one of them. In this
article, we’ll explain some concepts you should consider when creating a
password, as well as some guidelines for how long your password should be.

Ways to crack a password

First, you should understand something about how hackers
steal passwords. Bad guys typically begin trying to crack a password by using a
dictionary attack. A dictionary attack works by drawing on a massive database
of dictionary words, real passwords exposed in previous data breaches, names,
as well as common combinations (such as last name + first name + date) and
substitutions (like “@” instead of “a”). To get an idea of what kind of data
hackers can glean from a password leak, check out this report.

If a dictionary attack fails, the hacker will have to use a
brute force attack. This type of attack is much slower because it means the
computer will go through every possible combination of characters, one by one. Some
can guess hundreds of billions of passwords per second.

Keep in mind, hackers generally are not trying to guess your
password at the login page of your online account. Instead, they will usually attempt
dictionary or brute force attacks on a database of hashed
stolen from a company’s servers. There are various ways companies
can hash passwords to bog down the process for hackers, which can help keep
your plaintext password secure. But it’s better to create a strong password
yourself rather than  place all your
trust in the cybersecurity
practices of a website

How to prevent brute force attack

There are two ways to make it more difficult for someone to
brute force your password: make your password longer (by using more characters),
and make it more complex (by using a greater variety of character types, like
numbers and capital letters). Note, however, that length is much more effective
than complexity at preventing a brute force attack.

Every additional character in a password increases the
length of time it would take a supercomputer to guess your password by an order
of magnitude, even if you only use lower-case letters. Adding complexity also
helps because it will broaden the set of characters the computer has to check,
but not by nearly as much.

There are online
that claim to tell you how long it would take a computer to
crack your password. These are not precise because of all the variables
involved, such as computing power and the hash used. But they can serve to
illustrate a key point about password length: a six-character random-generated
password using a mix of character types would take seconds to crack, whereas a
10-character password with only lower-case letters could take several years.

Why a long password isn’t always better

Brute force attacks are not very efficient and can be easily
thwarted by merely creating a longer password. That’s why dictionary attacks
are a more efficient way to crack passwords. Dictionary attacks take advantage
of human weaknesses, like predictability and poor memory. The need to remember passwords
leads users to choose simple passwords, which are also easy to guess.

With dictionary attacks, therefore, length can be a
misleading measure of password strength. For example, “F3rnand3zJ@nu@ry1983”
looks like it could be a very strong password because it contains lots of
numbers, capital letters, and special characters. But this password would
probably be cracked in a dictionary attack: It’s just a last name, a month, and
a year. The algorithm could easily look for predictable character substitutions
and capitals.

How long should your password be?

The length of your password primarily depends on whether
you’re using a password with random characters or one with a series of words.

If you want to create a strong password using a series of
words (a “passphrase”), most info
recommend using at least four words that aren’t very common. As more people
switch to passphrases, however, hackers will get better at cracking them.

If you’re using a password composed of random characters,
about 15 should put it out of reach of modern computing capabilities. However,
we don’t recommend using random-character passwords unless you’re using them
with a password manager, which will help you generate and store them securely.
That way you don’t have to remember them or write them down, and they will be

If you use a password manager, we recommend using a long
passphrase as your master password and generating a unique random password for
each account, relying on the default settings for length and complexity
(usually 20 characters, with a few numbers and special characters).

This article is part of a series we’re publishing on strong
passwords. Check back to our blog,
follow us on Twitter, or subscribe
to our subreddit to stay in
the loop on all our cybersecurity advice.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

The post How long should my password be? appeared first on ProtonMail Blog.

*** This is a Security Bloggers Network syndicated blog from ProtonMail Blog authored by Ben Wolford. Read the original post at: