This post is going to include some math… I know, I know… your eyes are already glazing over, but hear me out. This information is important and will probably be some of the best advice you read regarding information security.
Everyone who has ever used a computer has had to remember a password at some point. And anyone who has ever had to remember a password has felt the struggle of managing their ever-growing list. So many rules to follow. So many different services to keep track of. Did I use a digit at the end of that password? Did I spell out the word “one”? Or maybe I used an exclamation mark?
What if I told you that a password shorter than 8 characters is as good as having no password at all? What if I told you that for a 9-digit password drawn from a 10-character set (0123456789), an average computer can brute force that password in just 14 minutes? A botnet can crack the same password in less than 1 second: 0.00085 seconds, to be exact.
How about a password using letters? If someone uses all lowercase letters, as in the password “vacation”, then the character set is 26. An average computer would take 2 days to brute force an 8 character password from that set. A little longer, but still a short amount of time. On a supercomputer or botnet, this will take 1.8 seconds.
Lastly, if you include symbols, letters, and numbers in an 8 character password such as “Car456!!”, a botnet or supercomputer could crack the password in 4 hours.
Now, increase the length from 8 to 10 characters, and we have a totally different scenario. Using the same password syntax requirements of symbols, letters, numbers, and case sensitivity, but increasing the length from 8 to 10 characters, that same botnet or supercomputer would need 3 years to crack your password. Just by adding two characters to your password, you drastically increase the time needed to break into your account.
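The arithmetic behind those figures is simple: a password of a given length over a character set of a given size has keyspace = size ^ length, and a brute-force attacker who can try a fixed number of guesses per second needs keyspace / rate seconds to exhaust it. The following calculator is an added example written for this post, not code from the original author; the guess rates are assumed, illustrative constants (the "average computer" rate is picked so that 10^9 guesses take about 14 minutes, in line with the first example above), and it also reports entropy in bits, which makes the length effect visible: every extra character adds log2(charset size) bits.

```python
import math
import string

# Assumed guess rates in guesses per second. These are illustrative constants
# chosen for this example (not figures from the post). The "average computer"
# rate is calibrated so that 10**9 guesses take roughly 14 minutes.
GUESS_RATES = {
    "average computer": 1.2e6,
    "botnet / supercomputer": 1.2e12,
}

# Character sets discussed in the post: digits (10), lowercase (26), and
# letters + digits + symbols (94 printable ASCII symbols).
CHARSETS = {
    "digits only": string.digits,
    "lowercase letters": string.ascii_lowercase,
    "letters + digits + symbols": string.ascii_letters + string.digits + string.punctuation,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: each character adds log2(charset_size) bits."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds to try every password in the keyspace at the given rate (an average hit takes half this)."""
    return keyspace(charset_size, length) / guesses_per_second


def length_multiplier(charset_size: int, extra_chars: int) -> int:
    """Factor by which the keyspace grows when `extra_chars` characters are appended."""
    return charset_size ** extra_chars


def human_duration(seconds: float) -> str:
    """Render a number of seconds using the largest unit that fits."""
    units = [
        ("years", 365 * 24 * 3600),
        ("days", 24 * 3600),
        ("hours", 3600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2g} seconds"


if __name__ == "__main__":
    for cs_name, cs in CHARSETS.items():
        for length in (8, 10, 12):
            bits = entropy_bits(len(cs), length)
            line = f"{cs_name:28s} len={length:2d} entropy={bits:5.1f} bits"
            for rate_name, rate in GUESS_RATES.items():
                line += f" | {rate_name}: {human_duration(worst_case_seconds(len(cs), length, rate))}"
            print(line)
    # Going from 8 to 10 characters over 94 symbols multiplies the search space by 94**2.
    print("8 -> 10 chars over 94 symbols multiplies the keyspace by", length_multiplier(94, 2))
```

The table this prints shows the post's point directly: ten digits (33 bits) already beat four characters from the full 94-symbol set (26 bits), and appending two characters to a 94-symbol password multiplies the attacker's work by 8,836. One caveat when applying this to passphrases: the formula assumes the attacker must guess character by character. A phrase built from common dictionary words should be judged by the number of words and the size of the word list an attacker would try, so a long phrase is strongest when it is not a famous quote or an obvious sequence.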
The moral of the story: of all the requirements for passwords, length is the most critical. Choosing passphrases over complex passwords matters far more than any symbol rule. Many services are leaning towards passphrases as the length of “passwords” becomes much more important. Passphrases are easier to remember, which in turn makes them more secure. That may sound counterintuitive, but a password that is easier to remember is less likely to be written down on a sticky note underneath your keyboard.
Passphrases are a combination of words strung together to create one longer secure key. Examples could be “Herewegoagain45” or “ReadyornothereIcome66”. Passphrases are much easier to remember compared to “H[email protected]” or “R3aDy0Rn0t”.
The key here is the length. Keep this in mind next time you are asked for a password for a new account. You may also want to consider going back to your important accounts and changing your passwords to passphrases.