User authentication is the cornerstone of security and the fact is, passwords are, without doubt, the most common mechanism used. You make use of them to access everything - from your computers or mobile devices to networks and your operating systems.
The most commonly used passwords are names and date of births. Now, most systems have a lengthy set of criteria to consider a password acceptable. Even so there are still a lot of weak passwords out there. But how do you know a good password?
The basics of good security etiquette include no visible or easily guessable passwords, using a password manager, and making use of two-factor authentication. Another important measure to keep in mind is to not use the same password for all your accounts.
While all this is good, there is a never-ending question that continually gets asked. Is it length or complexity that determines the strength of the password? Most sites have a minimum and maximum length limits for passwords. On the other hand, complexity is determined by the combination of uppercase, lowercase, numeric characters, and special characters.
There are compelling arguments regarding the advantages and disadvantages to both. With security being compromised more so than ever, there is a need to get to the bottom of this and figure out which of these will help you make the best passwords! But which is the better approach?
Arguments for Password Length
Many people argue that password length is decidedly more important than complexity. Let us take a look at their reasoning.
- It is undeniably easy to increase the combinations of a password when increasing the power rather than the base of an exponential function. This mathematical argument, put forward by NIST Digital Identity Guidelines for the United States federal government believes that longer passwords are definitely safer than complex ones.
- The logic is that if you have a password with 8 characters, you have a possibility of 52 letters per character. This is with the assumption that they are all characters, upper and lower case. This means 52^8 or 53,459,728,531,456 possible combinations.
- If you add just two more characters, it gives you 52^10 possibilities.
- Increasing the complexity of the 8 character password by adding numbers and special characters to the list of possible characters gives you 72^8 possibilities.
This means adding just 2 characters would be almost 1000 times more effective at increasing the security than adding numbers and special characters. Making a 12 character password with only letters can be mapped to being almost one million times better than an eight-character password with numbers and special characters.
- If they are formed right, they are easier to remember. This means you do not have to create a highly complex password you won’t remember, and then write it on post-it notes. You can create a meaningful password and commit it to memory instead of risking information just because you needed to add meaningless characters.
- Most people implementing complex characters implement it either towards the beginning or at the end of their passwords. Same goes for uppercase characters. This predictability in what people assume as ‘complexity’ makes it very easy for people to hack into systems.
- While short passwords are quite easy to crack, longer ones might hold off attackers to the point where they move on. If you are wondering what the required length is, Georgia Tech Research Institute conducted a study in 2010 that explained in detail how a password with 12 characters could meet the minimum character requirement in order to defeat a simple code-breaking software.
This was reported by Joshua Davis, a research scientist. In fact, senior researcher Richard Boyd had said “Eight-character passwords are insufficient now… and if you restrict your characters to only alphabetic letters, it can be cracked in minutes.”
- The difficulty to crack passwords happens due to the randomness of the password. Length increases the entropy, or how random it is. This makes it difficult to crack.
These are the most common reasons many people consider the length of a password to be a determining factor in how secure it is. These are valid points because longer passwords are undoubtedly more secure. In addition to combinations, it also gives you the freedom to play around with more words. This lets you create a meaningful password that you can easily remember.
In Favor of Complexity
Even though there are a lot of benefits to a long password, there is a group of security experts who claim that any password is only as secure as its complexity. In fact, many websites make it a point to accept passwords only if they have at least one number and one special character.
This requirement is also followed by software and tools that automatically generate passwords. All this forces one to think there is probably some truth behind this requirement.
In order to delve deep into the benefits of added complexity, let us take a look at some of the main arguments for complexity over length.
- The password length will not matter if the hackers have already phished information that contributes to your password. This could have been done via simple mail, by leading to a phishing website or any other means.
If this password were made complex, it would increase the number of combinations the hackers had to try, making it difficult. Eventually, they would have given up and moved on. This makes complexity a better way of securing your account in comparison to length.
- Most websites have a cap on the maximum number of characters they allow on their passwords. The only way to make these passwords more secure in spite of it being the maximum number of characters is by increasing the number of characters possible in each position.
While 52 characters are possible using uppercase and lowercase alphabets, 72 possibilities are available if you use numbers and special characters. This gives you significantly more possibilities for each position.
This means more combinations to go through before someone can get into your account and compromise your information. This is why many prefer complexity rather than length to secure passwords.
- The factor that determines how difficult it is to crack a password is the randomness of it. Adding special characters and numbers makes it difficult for the hacker to guess the password, even with common ones like names and date of birth.
So is complexity the winner? Well, the above reasons are quite strong. They definitely do convince you that complexity is an important factor when it comes to determining data security. By directly affecting the strength of your password, complexity has to be taken seriously.
People need to understand the importance of the combination of numbers, letters and random sequences. A bigger set of characters makes it 10x more difficult for anyone to hack your systems and attempt to go through your data.
So Which One....
When it comes to your data, the truth is you cannot be too careful. There are compelling arguments for both length and complexity. But the better option would be to go with a balanced mix of the two.
The fact is, the more the length, the more secure the password is going to be. It is proven that a password with twelve characters and only uppercase and lowercase letters is more secure than an eight-character password with letters, numbers, and special characters.
But this is only true when the password in question is 12 to 15 characters long. Increasing the number of characters also adds to the security of your passwords in the future.
Making passwords complex with numbers and special characters takeaway classic dictionary attacks that only focus on meaningful words and what they can combine to be. Increasing the length after you do that plays a crucial role in firmly establishing how strong the password is.
The best solution is to use a password with secure complexity. This takes away the possibility of brute-force attacks, dictionary attacks, etc.
How Can You Make a Secure Password?
Make sure your password has no correlation to yourself
While you should aim for long and complex passwords, make sure that it is not something obvious. In fact, CEO of Splash Data, Morgan Slain, says “We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns, they will put you in just as much risk of having your identity stolen by hackers.”
This came from the password management company that compiles a list of the worst passwords of the year, so they would know. Make sure your password is made of words that have no correlation with each other, to yourself, or are made of random characters.
Do Not Put All Your Special Characters in One Area
Due to the mandatory requirement by many sites, most people are forced to add at least one uppercase character, one number, and one special character. The general behavior is to put the capital letters at the beginning and digits and symbols at the end of your password, according to Carnegie Mellon computer professor and FTC Chief Technologist Lorrie Faith Cranor.
Since the entire process of security depends on making passwords unpredictable, this might make it prone to getting hacked. Backloading, or frontloading for that matter, can make it easier for anyone trying to find an easy way in.
Do Not Force Employees To Change Passwords Too Often
If you force your employees to change their passwords too often, they are more likely to start using more careless passwords. These include words like “Password” or “Password1.” These passwords are not safe and secure, this would defeat the whole purpose of the security of their passwords.
Make sure you have a reasonable time period or a good reason to ask employees to change passwords, because asking your employees to change their passwords too frequently, will defeat the whole purpose of actually asking them to change their password.
Do Not Use the Same Password for more than one Account
This is another very common mistake. Let us assume you have the perfect password. Let us assume it is secure, lengthy, and complex. Using the same password for multiple sites makes it very easy for a hacker to exploit this. If you use the same “good” password for more than one of your accounts, then you are not only risking just one account. You’re risking all of them, that could include your bank account, social medias, and etc..
Your passwords are only as safe as the sites they are for. If the site is hacked or you are targeted with a phishing scam your password could become compromised, giving the attacker access to any site that uses that same password.
Make it something you can remember easily
While passwords must be secure, meet length and complexity requirements, and not be something that is easily known about you, the truth is that if you cannot remember your password it's not doing you much good. Furthermore if you are always struggling to remember your password, or worse yet having to reset it, eventually frustration will set in and you will opt for something less complex and easier to remember.
One of the best ways to keep passwords complex, while also keeping them memorable is to use a sentence or phrase. Creating a sentence or phrase grammatically correct, or purposely incorrect for that matter, can allow us to meet all of the password best practices we have discussed while keeping it simple enough to remember.
When it comes to the length vs. complexity battle, length hands down gives you the most security of the two. It is however always wise to mix it up so that you can get the best of both worlds. After all, it is your data at stake, and there is no such thing as too careful!