Password length: go longer?

Time marches on, computing power grows stronger, hackers get cleverer. Every now and again we need to review what we once thought was “safe enough”. Today, the time has come to review what ought to be considered a safe password length.

Pragmatic security and powerful bots

This blog has always taken the pragmatic route to security, recognizing that there will always be a tradeoff between security and time and money. In other words, don’t worry about being 100% safe — instead, focus on being safer than average.

What does that mean for password length? Consider this: computing time is so cheap today that it’s not inconceivable that every one of our email accounts has a bot trying to access it about once per second, every day, 365 days per year.

Still feel safe with the password you’re using right now? Personally, I’m starting to feel queezy, but let’s look at the problem carefully.

Is eight still enough?

I used to recommend an eight digit password. Is that still enough? The Microsoft Password Checker, a tool I’ve recommended before, does not seem to think so. If you type, for example, “t8Uh10xI” into the checker, it tells you that you’ve made a weak password. Is that the case?

To answer that, suppose you found one of those bots that is, in all likelihood, pounding at the gates to your email account. Feeling generous, you give the bot a bit of information. “Look,” you say, “my password is eight digits, so don’t bother guessing passwords of any other length. And I use numbers, uppercase characters, and lowercase characters. I don’t use any special characters.”

Now, how scared should you be?

Well, you’ve made the bots job a bit easier, but let’s take a look at the math. The key statistic is the number of possible permutations of passwords you could have made using those parameters. To find out how many permutations there are, and therefore how many different passwords the bot would have to try, we need to compute the following:

Permutations = (26+26+10)^8

That is, there are 62 ways to pick the first digit of your password (26 uppercase letters, 26 lowercase letters, and 10 numerical digits), 62 ways to pick the second, 62 to pick the third, and so on — eight times.

The solution is that there are 218,340,105,584,896 possible eight character permutations. That’s 218.3 trillion. Supposing that a bot can try one password per second, it would be able to try 31,536,000 in a year. In just under 7 million years, it could try all the possible permutations.

So the answer has to be “yes, eight is still enough”.

On the other hand, if you’re using a software tool like PasswordSafe, the cost of upgrading your passwords to be a bit longer is so low that it’s difficult to think of a reason not to do so. Personally, I’ve begun to use 15 to 30 digit passwords for some applications because it increases my safety without increasing my costs appreciably. But I still feel secure knowing that the master password that unlocks my PasswordSafe database is less than ten characters long. If I lose my PasswordSafe database on the subway again (yes, this has happened once already), I won’t worry.

Read more about passwords


  1. Comment by dearjym — 2 February 2012 @ 11:35 pm

    8 is NOT enough. And you should know that several 100 thousand possibilities per second. YES PER SECOND. 11-14 digits is a minimum. Digits, capital letters, and special chrs are not as necessary as password length. There’s no point in having a password you can’t remember. Once your password reached 14 digits, it really doesn’t matter what you use. For ex. xraypleasetaco (xray + please + taco). It’s just 3 random words, but gives you a 14 digit password. It is infinitely stronger than j&S@!.aGHq% which is 11 digits. Every digit you add to a password increases it’s possibilities by an exponent of 2- IOW, it doubles. And furthermore, typing in 3 words is easy to remember, and fast to enter. If you wanted to add more complexity, the sure, add other chrs, but again, we are looking for something easy to remember, but hard to guess. If the first four letters of your password is ‘xray’ it would remain unknown to anyone trying to crack it, even if they got the first 4 digits right, they’d never know until they actually guessed the entire password. Don’t be afraid of real world words, dictionary words. As long as you are using at least 3-4 RANDOM words, it’s secure. We are trained to create these crazy passwords that are impossible to remember, yet their length is so short (4-8 digits) that it’s crackable. Instead of hard to remember and easy to crack…Go for easy to remember and hard to crack.

  2. Comment by dearjym — 2 February 2012 @ 11:37 pm

    Sorry English is not my first language. I meant to say, several 100,000 possibilities can be tried per second.

  3. Comment by Ian Saxon — 4 February 2012 @ 5:08 am

    Good comment. I think I’ll address it in a post.

  4. Pingback by Password length: are you sure 8 is enough? | Defending The Kingdom: Security and Privacy in Your Digital Life — 4 February 2012 @ 5:59 am

    […] (typeof(addthis_share) == "undefined"){ addthis_share = [];}Commenter dearjym notes that, in some instances, crooks may be trying to crack your passwords at a rate of hundreds […]

  5. Comment by Bob — 17 April 2012 @ 5:21 pm

    I don’t agree that “xraypleasetaco” is stronger than “j&S@!.aGHq%”
    A dictionary attack would crack the “xraypleasetaco” password before a brute force attack would solve the 11 random characters.

RSS feed for comments on this post. TrackBack URI

Leave a comment