A strong password is a must-have in the cyber world today. Passwords are what keep unauthorized people out of our accounts (alongside multi-factor authentication) and help in keeping our data safe. But should you make a password that is really long, or very complex?
Length
Generally speaking, a longer password is more secure than a short but complex password. This is because longer passwords have more possibilities for which symbols are in which position.
For example, imagine a simple combination lock that has a three-digit number to unlock it, and each digit can be 0 through 9. If you line up the correct three numbers, the lock opens, just like how entering the correct password lets you access your account. With some patience, I could try every single possible combination, 000 through 999, until I find the one that opens the lock. Mathematically speaking, this would be 10^3 combinations, since we have 10 possible numbers for each of the 3 positions. That’s 1,000 combinations! If we increase the number of positions to 4, that will give us 10^4, or 10,000, combinations. This trend continues; with 5 positions, we get 100,000 combinations, 6 gives us 1,000,000 combinations, 7 gives us a whopping 10,000,000 combinations, and so on. That would take a long time for someone to guess if they went through each combination.
| Number of Positions (10 Possible Characters) | Possible Combinations |
| 3 | 1,000 |
| 4 | 10,000 |
| 5 | 100,000 |
| 6 | 1,000,000 |
| 7 | 10,000,000 |
| 8 | 100,000,000 |
Currently, the National Institute of Standards and Technology recommends a password at least 8 symbols long, but the longer a password is, the better. Length = strength!
Complexity
Just because length is, in theory, stronger than complexity, does not mean that complexity is useless.
Let’s say, instead of using numbers, the combination lock with three positions uses the lowercase letters a through z. Now, I could again try every possible combination of letters, aaa through zzz, until I open the lock. This would take me a bit longer than just the numerical lock, but it is still doable with enough dedication. Now we have 26 possible options for each of the 3 positions, which gives us 26^3 combinations, or 17,576 different options.
If we included both numbers and lowercase letters, that would be 36^3 combinations, or 46,656 possible options. Adding in both uppercase letters and the symbols !, @, #, $, %, ^, &, *, (, and ) gives us 72 options. With three positions, that will give us a whopping 373,248 combinations. While this provides more options than a 3- or 4-digit combination with just the numbers 0 through 9, it is significantly fewer than a 6-digit password that only contains numbers. That difference becomes even bigger when the length of the combination becomes 7 or even 8 numbers long!
| Number of Possible Characters (3 Positions) | Possible Combinations |
| 10 | 1,000 |
| 26 | 17,576 |
| 36 | 46,656 |
| 62 | 238,328 |
| 72 | 373,248 |
Both
Finally, imagine if we combined both length and complexity, allowing numbers, uppercase/capital letters, lowercase letters, and symbols for the combination lock. That would be 72 total possible symbols per position, and if we have 7 positions, that gives us 72^7, or 10,030,613,000,000 (ten trillion, thirty billion, six hundred thirteen million), possible combinations!
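The arithmetic above as an added example (not code from the original article): it infers which of the article's four character classes a password draws on, counts the combinations, and finds how many digits-only positions are needed to exceed a shorter, more complex combination. The counts assume every position is chosen uniformly at random, and the sample passwords are constructed.

```python
import math
import string

# The four character classes from the article's combination-lock model.
CLASSES = {
    "digits": string.digits,           # 10
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "symbols": "!@#$%^&*()",           # the 10 symbols the article lists
}

def alphabet_size(password):
    """Total size of every class the password draws at least one character from."""
    known = "".join(CLASSES.values())
    stray = sorted({c for c in password if c not in known})
    if stray:
        raise ValueError(f"characters outside the article's model: {stray}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(alphabet, length):
    """Number of combinations an exhaustive search has to cover."""
    return alphabet ** length

def entropy_bits(alphabet, length):
    """The same quantity in bits; only valid for uniformly random choices."""
    return length * math.log2(alphabet)

def min_length_to_beat(alphabet, target):
    """Smallest length at which `alphabet` symbols give more than `target` combinations."""
    length = 1
    while keyspace(alphabet, length) <= target:
        length += 1
    return length

if __name__ == "__main__":
    # Constructed sample passwords, one per row of the article's reasoning.
    for pw in ("482", "qzm", "q7m", "Q7m", "Q7!", "Q7!mz4&"):
        a, n = alphabet_size(pw), len(pw)
        digits_needed = min_length_to_beat(10, keyspace(a, n))
        print(f"{pw!r:>10}  {a:>2}^{n} = {keyspace(a, n):>18,}  "
              f"{entropy_bits(a, n):5.1f} bits  "
              f"beaten by {digits_needed} digits")
```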
So, when you are creating a new password or updating an old one, remember to try and make it as long as possible while also keeping it complex. This will help to keep you and your data safe online.
References and Further Reading
Grassi, Paul A., et al. “Digital Identity Guidelines: Authentication and Lifecycle Management.” NIST Special Publication 800-63B, 2017, https://doi.org/10.6028/nist.sp.800-63b.




