Think Password Strength Rather Than Password Length

Some people believe that password strength is dependent on password length, and the longer a password is, the harder it is for bad actors to guess or crack using brute force algorithms. While this may be true for complex, machine-generated passwords, it is not true in all cases. Indeed, some longer passwords can be easier to crack than passwords half their length.

Although password length is a contributory factor to password strength, it is only one of three factors – the others being the number of character sets used to create the password, and the randomness of the characters used in the password. Therefore, while some sources advocate using the longest possible password, there are other considerations to take into account.

The Number of Character Sets is Important

The number of character sets used to create a password is an important factor in determining password strength, because the more symbols an attacker has to consider for each position, the more candidates there are to try. The size of the search space is the alphabet size raised to the power of the password length (N^L), so the two factors work together: adding a character set enlarges the base, while adding one character of length multiplies the whole space by the base again. There are four character sets in common use:

  • Numerical characters – 123456 etc.
  • Lower case characters – abcdef etc.
  • Upper case characters – ABCDEF etc.
  • Special characters – $%&/?+ etc.

When a password consists solely of numerical characters, there are ten possible options for each character (0-9). This means that if a password is six numerical characters in length, there are one million possible combinations (10 x 10 x 10 x 10 x 10 x 10). If those six digits are your date of birth, the real number is far smaller: an attacker who suspects the password is a date only needs to try the roughly 36,500 valid day-month-year combinations in a century.

However, a six character password consisting of numerical characters and lower case characters has thirty-six options for each character (0-9 plus a-z). Rather than there being one million possible combinations, there are 2,176,782,336 possible combinations for a six character password – making the password considerably harder to crack.

If you include upper case characters in your password, there are 56,800,235,584 possible combinations in a six character password (62^6); and, if you use all four character sets with the twenty-four special characters that are typically allowed (the exact number varies between systems), there are 404,567,235,136 possible combinations for a six character password (86^6).

As it is possible to see, increasing the number of character sets from one set to four sets increases the complexity of a six character password by a factor in excess of 400,000 (404,567,235,136 / 1,000,000). Naturally, the longer the password is, the more the complexity increases – subject to the randomness factor discussed below. Bear in mind that these counts only mean something relative to how fast an attacker can guess: against a stolen database of passwords hashed with a fast, unsalted algorithm, commodity GPU hardware tries billions of candidates per second, so all 404 billion six-character combinations can be exhausted in well under an hour.

One final point relating to character sets is that some systems and devices now allow you to use emojis in passwords. There are currently 3,353 emojis in the emoji character set; and if you were to include emojis in the creation of a six character password, the number of possible combinations would increase to 1,654,219,191,218,281,803,361 (3,439^6). In practice this is rarely usable: most login systems reject emojis, and a single emoji may be stored as several code points, so it can fail length limits or validation checks even where it is accepted.
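The arithmetic above, generalised, as an added example that is not part of the original article: it reproduces the article's combination counts from the alphabet sizes (using the article's own figures for special characters and emojis, which vary between systems), converts them to entropy bits, and answers the question the article leaves open, namely how much extra length it takes for a smaller alphabet to catch up with a larger one. The guess rates in main() are assumptions for illustration, not measurements of any tool.

```python
"""Search-space arithmetic for the character-set comparison in the article.

Added example: alphabet sizes are the article's figures; the guess rates in
main() are assumptions chosen for illustration, not measurements of any tool.
"""
import math

# Alphabet sizes (the special-character and emoji counts are the article's
# figures; real systems differ in which symbols they accept).
CHARSETS = {"digits": 10, "lower": 26, "upper": 26, "special": 24, "emoji": 3353}


def alphabet_size(*names):
    """Combined alphabet size for the named character sets."""
    return sum(CHARSETS[name] for name in names)


def combinations(alphabet, length):
    """Number of distinct passwords of exactly `length` symbols: alphabet ** length."""
    return alphabet ** length


def entropy_bits(alphabet, length):
    """Entropy of a uniformly random password, in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return combinations(alphabet, length) / guesses_per_second


def min_length_to_match(alphabet, target_alphabet, target_length):
    """Shortest password over `alphabet` whose search space is at least as large
    as a `target_length`-symbol password over `target_alphabet`."""
    target = combinations(target_alphabet, target_length)
    length = 1
    while combinations(alphabet, length) < target:
        length += 1
    return length


def growth_factors(alphabet, extra_alphabet, length):
    """Compare the two ways of enlarging the search space of (alphabet, length):
    adding `extra_alphabet` symbols to the alphabet versus adding one symbol of length.
    Returns (factor_from_bigger_alphabet, factor_from_extra_length)."""
    base = combinations(alphabet, length)
    return (combinations(alphabet + extra_alphabet, length) / base,
            combinations(alphabet, length + 1) / base)


def main():
    # Assumed guess rates for illustration only: an offline attack on a fast,
    # unsalted hash with commodity GPUs, and a rate-limited online login form.
    rates = {"offline, fast hash": 1e10, "online, rate-limited": 10.0}
    sets = ["digits", "lower", "upper", "special", "emoji"]
    for i in range(1, len(sets) + 1):
        n = alphabet_size(*sets[:i])
        print(f"{'+'.join(sets[:i]):34} N={n:5d}  N^6={combinations(n, 6):>30,}"
              f"  {entropy_bits(n, 6):5.1f} bits")
        for label, rate in rates.items():
            print(f"{'':34}   {label}: {seconds_to_exhaust(n, 6, rate):.3g} s")
    full = alphabet_size("digits", "lower", "upper", "special")
    print("digits-only length needed to beat a 6-symbol, 4-set password:",
          min_length_to_match(10, full, 6))
    print("lower-only length needed:", min_length_to_match(26, full, 6))
    print("from 62 symbols x 6: add the special set vs add one character:",
          growth_factors(62, 24, 6))


if __name__ == "__main__":
    main()
```

Running it shows that a random 12-digit PIN or a random 9-character lowercase password already has a larger search space than a 6-character password drawn from all four sets; that at the assumed 10^10 guesses per second all 4 x 10^11 six-character candidates are exhausted in about 40 seconds; and that, starting from a 62-symbol alphabet at length 6, adding the special-character set multiplies the space by about 7 while adding a seventh character multiplies it by 62.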

There's (Password) Strength in Randomness

The randomness of characters used in a password is also an important factor in determining password strength. Commonly used dictionary words, names, and repeated or sequential characters weaken passwords and make them easier to crack, because cracking tools try dictionary words and keyboard patterns, with common substitutions and appended digits, long before they fall back to exhaustive brute force. For example, using the Bitwarden Password Strength Testing Tool, we find:

  • The password “Raiders12345” is estimated to be crackable by a brute force attack in five seconds.

However, if you change the order of numbers so they are not sequential:

  • The password “Raiders15234” is estimated to be crackable by a brute force attack in nine minutes.

Similarly, passphrases built from common first names and from words such as “secret”, “qwerty”, and (for some reason) “cheese” make weak login credentials. For example, the password “georgewashingtoncheese” could be cracked within three hours; whereas it would take more than a day to crack the much shorter – but just as easy to remember – password “GvvÇhee5e”.

A further reason why password strength matters more than password length is that some very long passwords appear over and over in password dumps, which puts them in every cracking wordlist. One frequently seen example is 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/ which, although forty characters in length, is commonly used because it is easy to remember. (You will work out why if you look at a qwerty keyboard: it walks down each column of keys in turn.) Its length counts for nothing once it is in a wordlist, because the attacker tries it as a single guess.
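The pattern checks described in this section, written out as an added example that is not the Bitwarden tool or any other real strength estimator: it measures how much of a password is made of listed words, keyboard walks (horizontal rows and vertical columns such as 1qaz, in either direction), sequential runs and repeated characters, and flags the article's sample passwords accordingly. COMMON_WORDS is a tiny constructed stand-in for a breach-derived wordlist, and the flag thresholds are choices made for this example.

```python
"""Pattern checks for the weaknesses the article describes: dictionary words
and names, keyboard walks, sequential runs and repeated characters.

Added example; not the Bitwarden tool or any other real estimator.
COMMON_WORDS is a tiny constructed stand-in for a breach-derived wordlist.
"""

# Constructed stand-in wordlist; a real checker would load a large list of
# leaked passwords and common names instead.
COMMON_WORDS = {"raiders", "george", "washington", "cheese", "secret",
                "qwerty", "password", "letmein"}

# Rows of a US QWERTY keyboard. Columns are derived from them so that vertical
# walks such as "1qaz" are caught as well as horizontal ones such as "qwerty".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
KEYBOARD_COLUMNS = ["".join(row[i] for row in KEYBOARD_ROWS) for i in range(10)]
KEYBOARD_LINES = KEYBOARD_ROWS + KEYBOARD_COLUMNS
KEYBOARD_LINES += [line[::-1] for line in KEYBOARD_LINES]  # walks in either direction
# Every stretch of three or more adjacent keys along one of those lines.
KEYBOARD_WALKS = {line[i:i + n] for line in KEYBOARD_LINES
                  for n in range(3, len(line) + 1) for i in range(len(line) - n + 1)}


def _coverage(text, patterns):
    """Fraction of `text` covered by occurrences of any of `patterns`."""
    covered = [False] * len(text)
    for pat in patterns:
        start = text.find(pat)
        while start >= 0:
            covered[start:start + len(pat)] = [True] * len(pat)
            start = text.find(pat, start + 1)
    return sum(covered) / len(text) if text else 0.0


def dictionary_coverage(password):
    """Fraction of the password made of listed words, case-insensitively."""
    return _coverage(password.lower(), COMMON_WORDS)


def keyboard_walk_coverage(password):
    """Fraction of the password made of keyboard walks of three or more keys."""
    return _coverage(password.lower(), KEYBOARD_WALKS)


def longest_sequential_run(password):
    """Length of the longest run stepping by +1 or -1 in code point (abc, 4321)."""
    best = cur = 1 if password else 0
    direction = 0
    for a, b in zip(password, password[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            cur = cur + 1 if step == direction else 2
            direction = step
        else:
            cur, direction = 1, 0
        best = max(best, cur)
    return best


def longest_repeat_run(password):
    """Length of the longest run of one repeated character (aaa, 111)."""
    best = cur = 1 if password else 0
    for a, b in zip(password, password[1:]):
        cur = cur + 1 if a == b else 1
        best = max(best, cur)
    return best


def analyze(password):
    """Return the measurements and a list of weakness flags for a password."""
    result = {
        "length": len(password),
        "dictionary_coverage": dictionary_coverage(password),
        "keyboard_walk_coverage": keyboard_walk_coverage(password),
        "longest_sequence": longest_sequential_run(password),
        "longest_repeat": longest_repeat_run(password),
    }
    # Thresholds are choices made for this example, not values from any tool.
    flags = []
    if result["dictionary_coverage"] >= 0.5:
        flags.append("dictionary")
    if result["keyboard_walk_coverage"] >= 0.5:
        flags.append("keyboard_walk")
    if result["longest_sequence"] >= 4:
        flags.append("sequence")
    if result["longest_repeat"] >= 3:
        flags.append("repeat")
    result["flags"] = flags
    return result


if __name__ == "__main__":
    for pw in ["Raiders12345", "Raiders15234", "georgewashingtoncheese",
               "GvvÇhee5e", "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/"]:
        print(pw, analyze(pw))
```

On the article's samples, "Raiders12345" is flagged for both the team name and the five-digit ascending run, "Raiders15234" only for the name (its longest ascending run, 234, is three characters), "georgewashingtoncheese" is covered entirely by listed words, the forty-character keyboard walk is covered entirely by column walks, and "GvvÇhee5e" trips none of the checks. A real checker would combine these measurements with a large wordlist rather than use them alone.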

How to Check Your Password Strength

There are some very good articles explaining how to create a strong password, and some very helpful tools – such as Bitwarden's Password Strength Testing Tool – to test the strength of a password once you have created it, or to check the strength of existing passwords. However, even the strongest password can be stolen in a data breach or captured by a phishing site, so it is important to use a unique password for each online account; that way one compromised password does not expose the others.

Remembering long random passwords consisting of multiple character sets (and possibly emojis) is extremely difficult. Therefore, it is recommended to use a password manager such as Bitwarden that will store your passwords securely and auto-fill your credentials when you log into an online account. Bitwarden can also help prevent you becoming a victim of a phishing attack, because it matches saved credentials to the website address they were saved for and will not offer them on a look-alike domain. You can find out more by visiting Bitwarden.com today.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news