“Password must be at least 85 characters long, contain a number, an uppercase letter, a fruit, three chemical elements and a hieroglyphic”
… not quite, but this is how it can sometimes feel when you’re caught off guard with an expiring password and need to think of a new one on the spot. It can seem that for no obvious reason, you’re required to meet these obscure conditions when setting a new password, but rest assured, there is good reason for this! Password length and complexity play a crucial part in increasing the time taken for a password to be cracked. Let’s take a look at the numbers…
I will assume that a standard processor tests 10 million keys per second, where each candidate password counts as one key, and that the times shown are for trying every possibility. Let's only consider the lower case alphabet and see how password length affects the time taken to crack a password on 1 computer:
| Length (abc etc) | Number of Possibilities | Time |
|---|---|---|
| 1 | 26 | 2.6 × 10⁻⁶ seconds |
| 2 | 26² = 676 | 6.76 × 10⁻⁵ seconds |
| 3 | 26³ = 17,576 | 1.76 × 10⁻³ seconds |
| 4 | 26⁴ = 456,976 | 0.0457 seconds |
| 5 | 26⁵ = 12 million | 1.19 seconds |
| 6 | 26⁶ = 309 million | 30.9 seconds |
| 7 | 26⁷ = 8 billion | 13.4 minutes |
| 8 | 26⁸ = 210 billion | 5.8 hours |
As the length of the password increases, the number of possibilities increases by a factor of 26 every time a letter is added (because there are 26 letters to choose from). So, when it comes to passwords, size does matter! Changing from a 6 character password to an 8 character one takes the time to crack from just over 30 seconds to 5 hrs 48 mins.
So 5 hours is definitely better than 30 seconds but still, would you be satisfied with knowing that should someone wish to invest that time, they could decipher your password and access your data? If you’re answering ‘No’ to that then you should definitely be considering using more than just lower case letters…
Let's look at incorporating upper case letters into our password, then numbers, then ASCII special characters (adding 26, 10 and 33 further choices respectively).
Upper Case Letters

| Length (AaBb…) | Number of Possibilities | Time |
|---|---|---|
| 2 | 52² = 2,704 | 2.7 × 10⁻⁴ seconds |
| 3 | 52³ = 140,608 | 0.014 seconds |
| 4 | 52⁴ = 7 million | 0.73 seconds |
| 5 | 52⁵ = 380 million | 38 seconds |
| 6 | 52⁶ = 20 billion | 33 minutes |
| 7 | 52⁷ = 1 trillion | 1.2 days |
| 8 | 52⁸ = 53 trillion | 62 days |

| Length (Aa1Bb2…) | Number of Possibilities | Time |
|---|---|---|
| 2 | 62² = 3,844 | 3.8 × 10⁻⁴ seconds |
| 3 | 62³ = 238,328 | 0.024 seconds |
| 4 | 62⁴ = 15 million | 1.5 seconds |
| 5 | 62⁵ = 916 million | 1.5 minutes |
| 6 | 62⁶ = 57 billion | 1.6 hours |
| 7 | 62⁷ = 3.5 trillion | 4 days |
| 8 | 62⁸ = 218 trillion | 253 days |

| Length (Aa1@Bb2!…) | Number of Possibilities | Time |
|---|---|---|
| 2 | 95² = 9,025 | 9.1 × 10⁻⁴ seconds |
| 3 | 95³ = 857,375 | 0.085 seconds |
| 4 | 95⁴ = 81 million | 8.15 seconds |
| 5 | 95⁵ = 8 billion | 12 minutes |
| 6 | 95⁶ = 735 billion | 20.4 hours |
| 7 | 95⁷ = 70 trillion | 81 days |
| 8 | 95⁸ = 6.5 quadrillion | 21 years |
21 years… that’s more like it!
As you can see, both length and complexity contribute hugely to the security of your password.
A long and complex password does, however, have its drawbacks: it can be difficult to memorise, which tends to have three common consequences:
- Many are likely to be re-used (which is not advised)
- They're often stored insecurely, e.g. handwritten on paper and kept close to a device
- They frequently feature predictable character substitutions, e.g. replacing an 'S' with a '5'. P@55w0rd is not a strong password (for numerous reasons)!
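The third consequence is easy to check for on the defending side: undo the predictable substitutions and see whether what is left is a common word. The following Python example is added here to illustrate that check; it is not code from the original post, and the small word list and the substitution table are constructed for the illustration (a real checker would load a large breached-password or dictionary list).

```python
import itertools
import re
from typing import Optional

# Constructed list of base words of the kind found in attackers' wordlists.
# Illustrative only; assumption: a real deployment supplies a large list.
COMMON_BASE_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "summer"}

# Predictable substitutions: the character on the left is what people type in
# place of the letter(s) on the right ('5' for 's', '@' for 'a', and so on).
# Ambiguous characters such as '1' (which may stand for 'i' or 'l') map to
# every letter they could represent.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "3": "e", "1": "il", "!": "i", "|": "il",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
}


def candidate_base_words(password: str, limit: int = 512):
    """Yield the plain words a password could be a disguised form of.

    Lower-cases the input, drops a trailing run of digits/punctuation
    ('Password1!' -> 'password'), then expands every substitution
    character into each letter it could stand for. The number of
    expansions grows exponentially with the number of substituted
    characters, so it is capped at `limit`.
    """
    base = re.sub(r"[\W\d_]+$", "", password.lower())
    options = [sorted({ch, *SUBSTITUTIONS.get(ch, "")}) for ch in base]
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)


def weak_base_word(password: str) -> Optional[str]:
    """Return the common word the password is built on, or None if no match."""
    for candidate in candidate_base_words(password):
        if candidate in COMMON_BASE_WORDS:
            return candidate
    return None


def is_predictable(password: str) -> bool:
    """True when the password is a common word dressed up with substitutions."""
    return weak_base_word(password) is not None


if __name__ == "__main__":
    # Constructed sample inputs; the last one is a three-random-words style password.
    for pw in ["P@55w0rd", "Passw0rd1!", "L3tM31n", "Summer2024", "tractor-violin-cloud"]:
        print(f"{pw:22} -> {weak_base_word(pw)}")
```

The check is deliberately generous to the attacker's point of view: every plausible reading of an ambiguous character is tried, because a cracking tool applies exactly these substitution rules to its wordlist, so a password that survives only because '1' was read as 'l' rather than 'i' is not actually safer.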
There are various facets to consider when choosing your password, and complexity is just one of them. Government research has found that memorability is one of the most important factors for choosing an effective password. With this in mind, they recommend using the "Three Random Words" strategy. This involves joining together three words that are memorable to you but not easy for others to guess, to form your password. Numbers and special characters can still be incorporated if you like. For more on this see www.cyberaware.gov.uk/passwords
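To reproduce the tables above and to put the three-random-words approach on the same footing, here is an added Python example (it is not code from the original post or from Cyber Aware). It uses the article's rate of 10 million guesses per second and its alphabet sizes; the 20,000-word list size used for the passphrase comparison is an assumption, not a figure from the article.

```python
from math import log2

# Rate assumed in the article: 10 million guesses (keys) per second on one machine.
GUESSES_PER_SECOND = 10_000_000

# Alphabet sizes as the article counts them: 26 lower, +26 upper, +10 digits, +33 specials.
ALPHABETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+special": 95,
}

SECONDS_PER = [("years", 365 * 24 * 3600), ("days", 86_400),
               ("hours", 3_600), ("minutes", 60), ("seconds", 1)]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def time_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every key in the space at the given rate (worst case)."""
    return space / rate


def humanise(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for name, size in SECONDS_PER:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.2e} seconds"


def bits_of_entropy(space: int) -> float:
    """Entropy, in bits, of a key chosen uniformly at random from the space."""
    return log2(space)


def crack_table(alphabet_size: int, max_length: int = 8):
    """Reproduce one of the article's tables as (length, keyspace, time) rows."""
    rows = []
    for n in range(1, max_length + 1):
        space = keyspace(alphabet_size, n)
        rows.append((n, space, humanise(time_to_exhaust(space))))
    return rows


def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Keyspace of a passphrase of `words` words drawn uniformly from a wordlist.

    Assumes the attacker knows the strategy and the wordlist, so only the
    choice of words is secret. The wordlist size is an assumption supplied
    by the caller, not a figure from the article.
    """
    return wordlist_size ** words


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"\n{name} ({size} characters)")
        for length, space, t in crack_table(size):
            print(f"  {length}: {space:>20,d}  {t}")

    # Constructed comparison: random words from an assumed 20,000-word list.
    WORDLIST = 20_000
    for words in (3, 4):
        space = passphrase_keyspace(WORDLIST, words)
        print(f"\n{words} random words from {WORDLIST:,} -> "
              f"{bits_of_entropy(space):.1f} bits, {humanise(time_to_exhaust(space))}")
    print(f"8 chars from 95 -> {bits_of_entropy(keyspace(95, 8)):.1f} bits")
```

Running it shows why the comparison is worth making explicit: under the assumed 20,000-word list and the article's guess rate, three random words give about 42.9 bits (roughly 9 days to exhaust), an 8-character password over all 95 printable characters gives about 52.6 bits (the 21 years in the table), and a fourth word takes the passphrase to about 57 bits (around 500 years). The passphrase figures assume the attacker knows the exact wordlist; words the attacker cannot enumerate, or a larger list, push the numbers up considerably, and the passphrase remains far easier to remember and far less likely to be written down or re-used.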
There are no hard and fast rules when it comes to password security but in today’s online world, where just about everything we do is password protected, it’s imperative that we don’t give cyber criminals easy opportunities. Make it difficult for them, choose strong and secure passwords and reduce the risk of becoming a victim of a successful password hack.
If you’d like to know more about password security, here are some places to look…
Cyber Aware – This is a government website aimed at educating people about cyber security, including passwords.
National Cyber Security Centre – The government cyber security authority, part of GCHQ. Their website offers advice and guidance on cyber security.
Get Safe Online – An independent organisation offering advice and guidance on everything security.
If there’s still something you’d like to know, just ask us at firstname.lastname@example.org
Co-authored by Rebecca Brown and Marie Park