Is password length more important than complexity? A guideline for password creation policy.

Orange County, CA - I just read a summary of research on secure passwords vs. weak ones that get hacked. If you are looking to create your own secret password or if you are a network administrator looking to enforce secure password policy then read on. These results are from a study on 10 million passwords that have been breached in recent years.

In summary, if you want a weak password, then use:

  • Words
  • Names
  • Verbs
  • Colors
  • Animals
  • Fruits
  • “Love” phrases
  • Superheroes
  • And days of the week
  • Leet speak, the act of using informal language or code in which standard letters are often replaced by numerals or special characters such as “n00b” or “gue55able”
  • Most importantly, don’t use patterns on your keyboard or phone dialer pad. Those are at the very top of the list of quickly decoded passwords.

Easily broken passwords that fit the above criteria were broken by password crackers in anywhere from 10 to 32 seconds. These are passwords like “s3ash311” (seashell), broken in 15.6 seconds, “Indiana” in 9.8 seconds and “123456” in 0 seconds. Password crackers can test up to 300,000 passwords per second. Conversely, a password like “cba75c2d4” took four days and “ns8vfpobzmx098f4coj” would take centuries.

Image care of WordPress

The strongest passwords avoid predictable patterns and any of the traits in the bullet list above. The current average password length is eight characters. To create a strong password you need to go longer. Here are my basic suggestions after reading the results of the password study.

Your password should be:

  • At least 10 characters long
  • Avoid patterns, meaning any of the characteristics cited above
  • Don’t just add a number or two to the end of a predictable word or pattern; those are busted easily, too
  • Mix upper and lower case
  • Mix in numbers
  • Use special characters, for example &, #, $, ), @
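To turn this checklist into something a network administrator can actually enforce, here is an added example in Python (my own illustration, not code from the study) that lists every rule a candidate password fails, including leet-spelled words and keyboard or dialer-pad runs, and estimates worst-case exhaustive-search time at the 300,000 guesses per second quoted above. The word list, keyboard runs and leet map are tiny constructed stand-ins for the real cracking dictionaries.

```python
import string

# Constructed stand-ins for the word lists and keyboard/dialer sequences crackers try first
# (assumption: real cracking dictionaries are vastly larger than this).
COMMON_WORDS = {"seashell", "indiana", "password", "monday", "batman", "orange", "love"}
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "147258369"]
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
GUESSES_PER_SECOND = 300_000  # cracking rate quoted in the article

def de_leet(pw: str) -> str:
    """Undo common leet substitutions so 's3ash311' compares as 'seashell'."""
    return pw.lower().translate(LEET_MAP)

def looks_like_dictionary_word(pw: str) -> bool:
    """A word, a leet-spelled word, or a word with a number or two tacked on the end."""
    forms = {de_leet(pw), de_leet(pw.rstrip(string.digits)), pw.lower().rstrip(string.digits)}
    return any(f in COMMON_WORDS for f in forms)

def has_keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if min_len adjacent keys from a keyboard row or dialer pad appear in order, either direction."""
    low = pw.lower()
    for run in KEYBOARD_RUNS + [r[::-1] for r in KEYBOARD_RUNS]:
        if any(run[i:i + min_len] in low for i in range(len(run) - min_len + 1)):
            return True
    return False

def policy_violations(pw: str) -> list[str]:
    """Rules from the checklist that pw fails; an empty list means it passes."""
    checks = [
        (len(pw) < 10, "shorter than 10 characters"),
        (not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)), "no mix of upper and lower case"),
        (not any(c.isdigit() for c in pw), "no digits"),
        (not any(c in string.punctuation for c in pw), "no special characters"),
        (looks_like_dictionary_word(pw), "dictionary word, leet-spelled or with digits appended"),
        (has_keyboard_run(pw), "keyboard or dialer-pad pattern"),
    ]
    return [msg for failed, msg in checks if failed]

def search_space(pw: str) -> int:
    """Number of strings of pw's length drawn from the character classes pw actually uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return alphabet ** len(pw)

def exhaustive_search_seconds(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate pw's whole search space at the quoted guessing rate."""
    return search_space(pw) / rate
```

Comparing search_space on twelve lowercase letters against eight characters drawn from all four classes shows the longer, simpler password has the larger search space, which is the length-over-complexity point of the title.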

When you follow these recommendations you will be in the top 1% of the most secure passwords. I can tell you after reading this study I am already making a change to how I select passwords.

If you wish to read more on this study and the issues around passwords, then see Unmasked: What 10 million passwords reveal about the people who choose them. It is a fascinating report.