When it comes to passwords, size really does matter.
Twenty w’s — wwwwwwwwwwwwwwwwwwww — does seem like a “simple” password, doesn’t it?
Might it be too simple? Could it really be stronger than, say, yjckD$3t77?
The answer, as clickbait headlines would say, will surprise you.
Become a Patron of Ask Leo! and go ad-free!
When it comes to passwords, longer is better. When faced with the choice of longer versus more complex, choose length. In order to be cracked, a password must be completely correct — there’s no movie-like incremental guessing. Keep your guard up, though, as cracking is only one way passwords can be compromised.
It’s simple: longer passwords are better. Length is the easiest way to make a password more secure.
When you’ve got a choice between making a password longer or keeping it the shorter but making it more complex, length wins. A password of 20 “w’s” would be much more secure than a 10-character password of random characters.
Twenty “w’s” is a lot easier to remember. On the other hand, somebody shoulder surfing might see what your password is, so you might want something not quite so simple.
But in general, for attacks where passwords are being cracked, a longer password always wins.
TVs and movies lie
If you watch police shows or spy thrillers carefully, you’ll often see that when cracking a password, the letters of the password will suddenly appear one at a time. It’s typically some sort of race against time for that last character to appear and the entire password to get cracked, so as to avoid the explosion or other serious consequence.
That is not how it works.
You have to get the entire password right at once. There is no way to discover a password character-by-character.
So, in the case of a 20-character password, they’d have to get all 20 correct at the same time. ANY error — even if just one character is wrong — doesn’t give the hacker any information about whether or not any of the other characters were correct. It’s all or nothing.
That’s why longer is better. The only way to crack it is by brute force. Trying all possible 8-character passwords can be done in a reasonable amount of time. All possible 20-character passwords? That would take centuries.
There’s more to compromise than cracking
Don’t drop your guard just because you have a 20-character password. There are plenty of ways having nothing to do with length with which the password could still be compromised.
- Malware such as a keylogger can capture a password of any length.
- A service that stores passwords improperly could expose your actual password.
- Hackers have lists of “popular” passwords and previously compromised passwords that they’ll try first.
This is why it’s important to maintain proper security, as well as using a unique password for each account you have.