Fork me on GitHub

Good Passwords: Size Matters!

Many places have password policies. And they often prescribe that your password MUST include things like:

  • UPPER case characters
  • lower case characters
  • digits
  • "special" characters

The problem is: That advice is wrong.

Or at least: the advice guides people towards difficult-to-remember passwords and it does not increase security.

The single most important indicator of password strength is the length.

Yes: you can improve things slightly by forcing a mix of UpPercAse ANd loWErCase characters and adding digits, "special characters" (the average person doesn't know what those are anyway), emoticons and hierogloyphs.

But there is a far easier way: longer passwords. And instead of passwords, call them passphrases. Basically: For passwords: Size matters.

Imagine an 8-character password, consisting entirely of lowercase characters from the English alphabet: That gives you \(26 ^ 8 = 208,827,064,576\) combinations.

OK - you may want to include a mix of upper and lower case combinations, which gives you \(52 ^ 8 = 53,459,728,531,456\) combinations - only 256 (\(2^8\)) times more. But you’re human, and trying to remember exactly which ones of the 8 characters are upper case is a struggle (Was it iLovemYjumPer, IlovemYjumPer or iLoVeMyjumPer ?) so you probably only do the first or last character in upper case.

Adding digits into the mix gives us \(62 ^ 8 = 218,340,105,584,896\) combinations - merely about 1000 times better than the original 8-character password. And this can be devilish difficult to remember. So (like most people) you’ll probably just add a digit (e.g. "1") at the end, thus defeating the whole point of it.

And that is how we end up with passwords like "Password1" ...

We need to stop thinking of them as passwords: and think of them as passphrases instead. Phrases are just as easy (or easier?) to remember than random words.

If you were to choose a reasonably-easy-to-remember phrase like "mypasswordsaredrunk" you have a nice 19-character password.

This is equally secure as a 15-character password consisting of a mix of upper case, lower case and digits:

  • \(62 ^ {15} = 768,909,704,948,766,668,552,634,368\) : "Mno2zasGi0vE9yN"
  • \(26 ^ {19} = 766,467,265,200,361,890,474,622,976\) : "mypasswordsaredrunk"

(OK: Not exactly the same, but within 1%)

So you can choose: Which is easier to remember? They are the same strength!

When they have the equivalent security, go for the one you do not need to write down…

Disclaimer: Please do not choose THAT password. Choose your own. Make your own life choices. Repeat after me: "We are all individuals. We are all individuals. We are all individuals".