How Long Should a Password Be?

The Best of Ask Leo!

For a long time, the common thinking was that the best, most practical passwords consisted of a random combination of upper and lower-case letters, numbers, and a special character or two. If so composed, password length needed to be only eight characters.

Randomness remains important, but as it turns out, size matters more. Much more.

Longer is better. Traditional eight-character passwords are now easily compromised. A password should be 12 characters at a minimum — ideally 16 or more. Using a multi-word passphrase makes even longer passwords possible and easy to remember.

Large-scale account hacks

When you hear about large numbers of accounts being stolen by a hack at some service provider, you’re naturally concerned the hacker might now have access to your account names and passwords. If the service stored your actual passwords, that could indeed be the case. (As I’ve said before, if a service is storing your actual passwords1, they don’t understand security or have made some horrifically bad decisions.)

In fact, most services store an encrypted (technically, a “hashed”) form of your password. For example, if my password were “password” (and that’s a very poor password, of course), then a service might store “5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”, the hash value that corresponds to that password.2

What that means is that hackers do not get a list of usernames and passwords. What they get is a list of usernames and password hashes.

And what’s great about hashes is that you can calculate a hash from a password, but you cannot do the reverse: you cannot calculate the password from the hash.

As a result, one would think that by being hashed it’d be pretty unhackable, right?

Sadly, not so much.

Dictionary attacks

The most common type of password attack is simply a high-speed guessing game. This doesn’t work when pounding on an actual log-in page; they’re slow, and will quickly deny further access after too many failures. But this technique works wonderfully if the hacker has the entire database of account and password hashes sitting on his computer.

These attacks start with an exhaustive list of possible words and known common passwords (including names, profanities, acronyms, and more) and perhaps a few rules to try interesting and common ways that people obfuscate words. They calculate the hash of each guess, and if it matches what was found in the database of account information they stole, they’ve figured out the password for that account.

As we’ll see in a moment, it’s easy for hackers to make an amazing number of guesses in a short amount of time.

That’s why you’re not using a short password, or using common obfuscations, right?

That’s why a password created from a totally random combination of characters is best. It forces hackers to move on to a true brute force attack of every possible combination to gain access.

Brute force attacks

Computers are fast. In fact, the computer on your desk is so fast that its ability to do simple operations is measured in terms of billions of operations per second.

Creating a password hash is not a simple operation, on purpose. However, it’s still something that can be done very quickly on most machines today. Spread the work over a number of machines — perhaps a botnet — and the amount of processing power that can be thrown at password-cracking is amazing.

The net impact is, it’s now feasible to calculate the encrypted hash values for all possible eight-character passwords comprised of upper and lowercase alphabetic characters and digits.

Sixty-two possible characters (26 lower case, 26 upper case, 10 digits) in each of the eight positions gives us 221,919,451,578,0903, or over 221 trillion combinations.4

This seems like a lot, until you realize that an off-line attack (which is easily performed once you’ve stolen a database of usernames and encrypted passwords) can be completed in a few hours. (This assumes technology that can “guess” something like 10 billion passwords per second — which is quite possible.)

It doesn’t matter what your password is; if it’s eight characters and constructed using upper and lower case letters and numbers, the hackers now have it — even if it was well hashed by the service they stole it from.

Why 12 is better and 16 better still

As we’ve seen, eight-character passwords give you over 221 trillion combinations, which can be guessed in an offline brute-force attack in hours.

Twelve characters gives you over three sextillion (3,279,156,381,453,603,096,810). The offline brute-force guessing time in this case would be measured in centuries.

Sixteen takes the calculation off the chart. Today.

That’s why 16 is better than 12, and both are better than eight.

What about special characters?

I did leave out special characters.

Let’s say the system you’re using allows you to use any of 10 different “special characters” in addition to A-Z, a-z, and 0-9. Now, instead of 62 characters, we have 72 possibilities per position.

That takes us to 700 trillion possibilities for an eight character password.

Compared to sticking with the original 62 letters and numbers, adding only a single “normal” character makes a nine-character password significantly more secure.

That takes us to over 13 quadrillion possibilities.

Yes, adding and using special characters makes your password better, but significantly better yet is to add one more character.

So two. Or six.

Long passwords are good, pass-phrases are better

The difference is really a semantic one, but in general:

  • A password is a random string of characters.
  • A passphrase is a longer string of words.

Why passphrase? Because they’re easier to remember, so it’s easier to make long ones — and as we saw, password length is perhaps the single easiest way to increase the security of a password.

“BT6aKgcAN44VK4yw” is a very nice, secure 16-character password that’s difficult to remember. In fact, about the only way to use this is with password manager software that remembers it for you.

On the other hand, “Its fleece was white as you know nothing John Snow”, at 50 characters, is wonderfully long, secure, and most of all, memorable. Much like the now canonical example of “Correct Horse Battery Staple“, you might even have a difficult time forgetting it5.

The biggest problem with passphrases? Many services that use passwords don’t allow spaces or such lengthy passwords.

Shouldn’t services fix this and do better?

Absolutely, they should. And many do.

As I’ve stated above, passwords shouldn’t be kept in plain text anywhere by the service at all — yet some do.

There are techniques that make brute-force attacks significantly harder — and yet, many use techniques that are easier than the example above.

There are services that do a great job of keeping your information secure. There are also services that don’t. The problem is, you really can’t be certain which is which.

To be safe, you have to act like they’re all at risk.

The bottom line

The bottom line for staying safe is simply this:

  • Don’t trust that the service you’re using is handling passwords properly. While many do, it’s become painfully clear that many do not, and you won’t know which kind you’re dealing with until it’s too late.
  • Use longer passwords: 12 characters minimum, 16 if at all possible.
  • Use even longer passphrases where they’re supported, or where information is particularly sensitive.
  • Use a different password for each different site login you have. That way, a password compromised on one service won’t give hackers access to everything else.

Even the best eight-character passwords should no longer be considered secure. Twelve is “good enough for now”, but you really should consider moving to 16 for the long run.

Footnotes & References

1: If they can respond to an “I forgot my password” request with your actual, current password, then they have stored your password. This is bad. Best practice is to reset it to something new, either via a reset link or by emailing a new password to you exactly once, after which the service no longer has it.

2: For the technically curious, I’m using an un-salted sha256 as the hashing function here. That’s technically better than the commonly-used md5 or sha1.

3: OK, OK. Technically, the number is actually 221,919,451,578,090 + 3,579,345,993,194 + 57,731,386,986 + 931,151,402 + 15,018,570 + 242,234 + 3,844 + 62. Then we also add in the possibilities of seven-character passwords, six, five, four, and so on. I’m not doing the math. It’s around 225 trillion.

4: Many of the numbers and attack estimates here come from or are based on GRC.com’s excellent Password Haystack page. Included there are links to an excellent Security Now! podcast segment discussing password length and how length really does matter.

5: Particularly if you’re a Game of Thrones fan. 🙂 And yes, I know that John Snow is actually Jon Snow. That’s another level of handy yet easy-to-remember obfuscation.

For related links, videos, and comments visit How Long Should a Password Be? on Ask Leo!