Techlicious: How Long Should My Password Be?


By Suzanne Kantra for Techlicious

How Long Should My Password Be?

The best way to lock something up digitally—whether it’s to keep out hackers or your kids—is to use a different, strong password for every site and situation. So when break-ins occur, like they did on LinkedIn and eHarmony in June, only information you shared with one site is in jeopardy. What constitutes a strong password, though, may not be what you think.

The usual definition of a strong password is one that has at least 8 characters (the longer the better), with a mixture of upper and lower-case letters, numbers and, if the site or service allows, special characters, such as “!,” “#” and “?.”

It turns out the biggest factor in determining the strength of your password is its length, according to a study by Carnegie Mellon. Numbers, capitalization and special characters are all bonuses, but a short password that uses all of these tricks will still be much easier to crack than a long password with real words.

So how strong are your passwords?

This excerpt appears with permission from Techlicious.


11 thoughts on “Techlicious: How Long Should My Password Be?”

  1. I have found a utility that takes the pain out of logging on to different websites (same password or different for each). The program is called Roboform. It has a portable version which can be put on a thumbdrive. You use one password to gain access to all of your sites listed in the program. Once you have entered the master password, choose the site and it will use the URL to navigate to the site, enter username and password. The portable version does not put anything on the computer being used. This also helps with keyloggers since you aren’t doing any keystrokes at a web site.

    • @Tom Van Dam: Problem is you have to carry your thumbdrive with you everywhere. God forbid you forget to take it. And all for the low, low cost of $40.
      Also very few keyloggers track just keystrokes. All you’d need is one that can take screen shots.

  2. The real problem with a different password for each site is remembering them. If you can’t, you need to write them down, which sort of defeats some of the purpose. The other problem is that some of the sites make it extremely difficult to reset, which is good I guess? However, I have been locked out of several of my sites recently because I got one digit wrong or used capital instead of lower case. It took me 5 days to reactivate my Apple account when I used a capital incorrectly, as they reckoned my birthdate was wrong when I tried to reset it. I think I take the punt on a password I can remember and hope the hackers don’t want me. Peter

  3. Adding in other advice I have read:
    Use a different long password on every site.
    Pick PW that are easy to remember and hard to guess.
    Change all passwords every month.
    Don’t write them down anywhere.
    How does anyone really do all this?
    Can you really trust a PW manager?

    • @Ken L: I use a password formula that is long enough to make it improbable that anyone would try to crack it. (It’s not like I’m worth enough for a skilled hacker to bother wasting time with.)
      It allows it to be different on every site and I can change it as well. It also has a pattern that would make it difficult for anyone to figure out if they saw only one of them.

      I don’t bother changing it, because I figure that’s only good if someone has hacked the site and they are spending a lot of CPU time on that one password. Which would only get them in that one site.
      They would need to hack each site to get each password file and crack those as well.
      I don’t think anyone’s that interested in me (or anyone at all) to do all that. Honestly it’d probably be easier to just go over to their house and directly access their computer.

  4. Problem with long passwords is that so many sites just don’t allow them. Maybe it doesn’t matter with most, but just as an example Walmart has a limit of 6-11 characters. The smallest maximum I’ve seen so far is 10!
    A potential future problem with long phrases is that if it becomes common, then they too will be easy to crack as they are made up of words, and most people will choose simple words that are possibly all lowercase as well.
    IJustSawARedElephantOverThere
    is 29 characters long. Traditionally hard to crack, but if you crack it via words, then it doesn’t take as long. It becomes just ‘ijsareot’ to a new type of cracking method. Try all types of common simple words and it might be even faster to crack.

    It might be a bad idea to tell average people that this is more secure as they will find a way to make it less secure like they always do.

    As the example they use is “treadmillsaresofun1”. All hackers know about the numbers at the end, so that won’t be a bother. So you have “tmasf1”
    I consider this to be a 5 character long password cracked using a modern variation of the dictionary attack.
    This is like when you tell people to use symbols to make a password. Like “P@$sW0rD”.
    This implies hackers are morons and don’t know this simple trick.

    Since remembering 50 passwords will always be impossible, all of these articles always seem to end with suggesting to use a password manager. So why bother with any method at all if you’re just going to use that anyway?

  5. Well, if they get your PW by hacking a site, none of the above applies.

    Use something that you can remember and hope they don’t get to a site you use. Also, lock your credit reports.

  6. Assuming one is using random characters, let's see what effect more character variety versus a longer password can have on its strength:

    Using an 8-character long password using a random mix of A-Z, a-z and 20 special characters (26+26+20 = 72 possibilities) = 72 ^ 8 = 7 x 10^14 (700 billion possibilities).

    Using an 11-character long password using a random mix of just A-Z (capital letters) = 26 ^ 16 = 43 million trillion possibilities. So adding just 8 more characters to your most simplistic password will decrease its hacking chances by more than 60 million times. Beware, though, that using your loved ones' names or common English phrases or quotes will greatly jeopardize all your efforts.
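The article's point that length outweighs character variety, and the keyspace arithmetic in comment 6 above, can be checked with a short script. The example below is added here and is not from Techlicious or any commenter. It assumes 26 lowercase, 26 uppercase, 10 digits and 20 special characters (the last figure follows comment 6), a constructed 5000-word vocabulary to model the "guess whole words" attack that comment 4 describes, and a constructed guess rate of 10 billion per second; it also goes beyond the comment by pricing a word-based passphrase both ways, per character and per word.

```python
import math

# Constructed alphabet sizes; the 20 specials follow comment 6's assumption.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 20
SECONDS_PER_YEAR = 365 * 24 * 3600


def random_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password whose `length` characters are each
    drawn uniformly at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy when the attacker guesses whole words rather than characters.
    This is the 'ijsareot' reduction in comment 4 made precise: each word
    is one symbol drawn from a dictionary of `dictionary_size` entries."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years needed to try every candidate at the given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e10) -> dict:
    """Return {policy: (bits, years_to_exhaust)} for a few constructed policies."""
    policies = {
        "8 random chars, all four classes": random_bits(LOWER + UPPER + DIGITS + SPECIAL, 8),
        "11 random chars, uppercase only": random_bits(UPPER, 11),
        "16 random chars, lowercase only": random_bits(LOWER, 16),
        "7-word passphrase, 5000-word vocabulary": passphrase_bits(7, 5000),
        "same 7 words guessed char-by-char (29 lowercase)": random_bits(LOWER, 29),
        "4 words + trailing digit, 5000-word vocabulary": passphrase_bits(4, 5000) + math.log2(DIGITS),
    }
    return {name: (bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in policies.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:50s} {bits:6.1f} bits  {years:14.3e} years")
```

Two things the table makes visible: 11 uppercase-only characters already carry slightly more entropy than 8 characters drawn from all four classes, and a 29-character passphrase built from seven common words is worth about 86 bits to an attacker who guesses words, far below the 136 bits it would have if each letter were random, but still well above the 8-character policy. Adding a trailing digit to four words buys only about 3.3 bits, which is the arithmetic behind comment 4's "treadmillsaresofun1" remark.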

  7. Suzanne is absolutely right. A couple of years ago, I was trying to troubleshoot a Windows install that I had previously done for a relative, but had subsequently forgotten the login password. To recover the password, I downloaded a program called Ophcrack. You install it on a CD, then boot from the CD, and it tries to read all the passwords on the C drive. Well, it read every password that was eight characters or less PAINFULLY quickly. As in five minutes or less. My longer passwords did not get fully read, but it did read the first few characters. So the moral of the story is make your important passwords longer, like 12-13 characters.
