Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Are Longer Passwords Better, Even If They’re Simpler?

When it comes to passwords, size really does matter.

Password
(Image: canva.com)
A longer password of repeating characters is more secure than a short complicated password -- but there's more to security than cracking.
I’ve tried to move many of my passwords to passphrases or use just the first letters of words in a passphrase. Why could you not, for example, just use the letter “w” twenty times. Would this be better than a complicated password of ten letters, numbers and symbols, etc. I’m assuming the technique used to crack the password cannot tell when each character was correctly chosen. I’m sure though, that I’m oversimplifying this. 

Twenty w’s — wwwwwwwwwwwwwwwwwwww — does seem like a “simple” password, doesn’t it?

Might it be too simple? Could it really be stronger than, say, yjckD$3t77?

The answer, as clickbait headlines would say, will surprise you.

Become a Patron of Ask Leo! and go ad-free!

When it comes to passwords, longer is better. When faced with the choice of longer versus more complex, choose length. In order to be cracked, a password must be completely correct — there’s no movie-like incremental guessing. Keep your guard up, though, as cracking is only one way passwords can be compromised.

Size matters

It’s simple: longer passwords are better.Tweet this! Length is the easiest way to make a password more secure.

When you’ve got a choice between making a password longer or keeping it the shorter but making it more complex, length wins. A password of 20 “w’s” would be much more secure than a 10-character password of random characters.

Twenty “w’s” is a lot easier to remember. On the other hand, somebody shoulder surfing might see what your password is, so you might want something not quite so simple.

But in general, for attacks where passwords are being cracked, a longer password always wins.

TVs and movies lie

If you watch police shows or spy thrillers carefully, you’ll often see that when cracking a password, the letters of the password will suddenly appear one at a time. It’s typically some sort of race against time for that last character to appear and the entire password to get cracked, so as to avoid the explosion or other serious consequence.

That is not how it works.

You have to get the entire password right at once. There is no way to discover a password character-by-character.

So, in the case of a 20-character password, they’d have to get all 20 correct at the same time. ANY error — even if just one character is wrong — doesn’t give the hacker any information about whether or not any of the other characters were correct. It’s all or nothing.

That’s why longer is better. The only way to crack it is by brute force. Trying all possible 8-character passwords can be done in a reasonable amount of time. All possible 20-character passwords? That would take centuries.

There’s more to compromise than cracking

Don’t drop your guard just because you have a 20-character password. There are plenty of ways having nothing to do with length with which the password could still be compromised.

  • Malware such as a keylogger can capture a password of any length.
  • A service that stores passwords improperly could expose your actual password.
  • Hackers have lists of “popular” passwords and previously compromised passwords that they’ll try first.

This is why it’s important to maintain proper security, as well as using a unique password for each account you have.

Subscribe to Confident Computing! Tech problem solving & safety tips & a weekly confidence boost in your inbox every week.

I'll see you there!

10 Reasons Your Computer is Slow

Slow Computer?

Speed up with my special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

NOW: name your own price! You decide how much to pay -- and yes, that means you can get this report completely free if you so choose. Get your copy now!

Podcast audio

Play

30 comments on “Are Longer Passwords Better, Even If They’re Simpler?”

  1. This advice should come with one caveat: these days hackers seldom use pure brute force right away, or old-school rainbow attacks, both of which would probably never find a password like 20 w’s.
    As I read in an article on ars-technica.com recently, these days they have lists with commonly-used patterns, and I’m guessing that using such a list any reasonable amount of w’s repeated (whether 12, 16, 20 or some other number) will be found within seconds.
    The solution would be fairly straightforward: try not to use a pattern; my vote goes to completely randomized strings of passwords like you can get here, and that’s a pain to remember, so I simply use one such password for my password locker and simply let the password locker remember them for me.

    Reply
    • It’s not likely that a rainbow table would catch 30 Ws. Rainbows are made but a method similar to a brute force hack. They generate hashes for every possible combination of characters up to 9 or possible up to 10 characters by now. Any passwords longer than that won’t be found on a rainbow table.

      Reply
      • Actually, that’s technically not true. It assumes the rainbow table is created from all possible passwords in a space. Certainly a common thing, HOWEVER….

        Consider a rainbow table made up of hashes of a million or more most common/found passwords? I’d be willing to bet “Correct Horse Battery Staple” is in it. Smile

        Lesson: don’t re-use passwords, regardless of their length.

        Reply
        • Thank you for this article. I am struggling with passwords and Lastpass is a challenge also. But 4 random words like that. That means my sentence isn’t worth spit either. Will try a longer sentence with more numbers and initials and….

          Reply
          • If you put a punctuation character between each of the 4 words, you’ll have a strong password. For example “correcT^HorsE^batterY^staplE” would be as uncrackable as anything even though “CorrectHorseBatteryStaple” is burned. Adding even one character increases the security exponentially.

  2. This explanation assumes the password length is known. Is it possible that the hacker knows the length of the password beforehand?

    If not, then even the list will have to include many more entries to try out.

    Typically, no, the hacker has no idea what the length of the password is.

    Leo
    02-Apr-2013
    Reply
    • Unfortunately, if you use a PIN to log into Windows 10, a hacker can easily get the number of characters. As soon as you’ve typed an incorrect password with the correct number of characters, you get an incorrect password message. It would be much safer for Windows to require pressing the “Enter” key to enter the password. Microsoft gets so many basic things wrong.

      Reply
      • PINs on Windows 10 are only useful on the local machine though. You can’t use that to login to the Microsoft account.

        Reply
        • Each machine has its own pin but it does log you on to your Microsoft computer on that machine. It won’t log you on to your account on the web if that’s what you mean but you will be logged in to OneDrive and OneNote etc.

          Reply
  3. This raises an interesting question. Many years ago, I changed a password on a file that contained the office budget (on a secure system). I found that afternoon I couldn ‘t open the file. I also found I couldn’t open the backup either. Since I was taking two weeks off for the Christmas holidays, I got permission from the security guys to approve a brute force password finder to find the password. When I came back to work, lo and behold the sw had found the password. I immediately changed the password back to 12 characters with appropriate backup, then analyzed the stats. I don’t remember the exact number but there billions of combinations. When I looked at the decrypted passwodd, it was exactly what I had put in. Still haven’t figured this one out.

    Reply
  4. I have a question that I’ve asked on another site before, but never got a satisfactory answer. Hear me out here–why does it matter how long my password is? Let’s say for example I choose a password with a length of only one character. If the person trying to guess my password doesn’t KNOW it’s only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is–if the hacker doesn’t know the LENGTH of my password, shouldn’t a one character password have the same chance of being cracked as a 13 character password?

    No. Brute force attacks start somewhere, running through all possible passwords. It’s extremely possible with current hardware for certain types of attacks to try all possible 8-character passwords. That is NOT the case for, say, 12 and certainly not for 20 character passwords. Hence, longer is better. Longer also gives us the opportunity to use phrases we can more easily remember.

    Leo
    02-Apr-2013
    Reply
  5. I’m glad you mentioned that about how the movies show a password being cracked. It always cracked me up watching this. Like in the movie Sneakers with Robert Redford the numbers magically appeared in random order each in the correct position.

    Reply
    • The method used in the movies relies on an obsolete way to validate passwords. There was a time when the password could be validated character by character against the required password stored in clear text, and the fail message issued as soon as a mismatch occurred.
      In that case, accurately monitoring the delay before the response can tell you that you got a correct guess as, in that case, one more character get tested, meaning a longer delay.
      It was possible to use that method back in the 60’s, and the 70’s against badly conceived systems.

      Reply
  6. Passphrases are the way to go. This xkcd cartoon completely changed the way I think about security: http://xkcd.com/936/

    When choosing a password, if possible I pick a passphrase that invokes a funny, memorable image, much like the cartoon.

    (Also, I use two-factor authentication if it’s available…that can save your butt, even if you choose a bad password.)

    Reply
  7. “mike
    March 31, 2013 10:49 AM
    I have a question that I’ve asked on another site before, but never got a satisfactory answer. Hear me out here–why does it matter how long my password is? Let’s say for example I choose a password with a length of only one character. If the person trying to guess my password doesn’t KNOW it’s only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is–if the hacker doesn’t know the LENGTH of my password, shouldn’t a one character password have the same chance of being cracked as a 13 character password?”

    The answer is simple. Suppose you chose to use a single character for say, your WiFi password. Someone else comes along, and decides to crack your WiFi (for whatever reason). Now assuming you are using WPA2-PSK on your router, they will spend about half an hour getting the stuff they need to actually start cracking your WiFi password.

    After that, they will spend (assuming they are not stupid) two hours using a dictionary attack on your WiFi. They will come up short (probably), and switch to a brute force attack, which will crack it in about a minute.

    That’s if they just aren’t stupid. A great cracker will have a better password dictionary, and crack your WiFi in about half an hour.

    This applies to any sort of password security, and the basic methods work in very much the same way. Anybody with a easy to find password cracker and good dictionary list will get into whatever security system you set up in an extremely speedy manner.

    Reply
  8. I use the method @Mike [March 31, 2013]refers to.
    I keep a link shortcut on my desktop just for this reason. Perhaps a visit to GRC’s page will provide a good learning experience for many. Also, take the time to review GRC’s “Password Haystacks” link at the very top of the page, below the header.
    https://www.grc.com/passwords.htm

    Reply
  9. @DaGeek247,
    I don’t think they sit there and type in passwords hoping to guess it. I think they have programs that run through a list of most likely things. It’s so fast to run through one symbol, then combinations of two, then combinations of three that they do that first. You’d be hacked in a heartbeat.

    Reply
  10. What if I hit the space key 27 times (keep it odd and not even). No number, or letters. On one password strength site I got a +108 score.

    Reply
  11. one of my passwords is a 20 digit combo of numbers (top row) and letters (second row). I skip keys in a easily remembered sequence. I toss the shift key into the mix in, a number/letter – shift/number/letter – no shift… etc, something easy for me to remember with a rhythm to it -1,2,3 -1,2,3… and one could pick any rows to use.

    Reply
  12. “mike
    March 31, 2013 10:49 AM
    I have a question that I’ve asked on another site before, but never got a satisfactory answer. Hear me out here–why does it matter how long my password is? Let’s say for example I choose a password with a length of only one character. If the person trying to guess my password doesn’t KNOW it’s only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is–if the hacker doesn’t know the LENGTH of my password, shouldn’t a one character password have the same chance of being cracked as a 13 character password?”

    DaGeek247 gave a good answer for this, as did Leo (good to see you back!). I have a little more to add.

    Remember that, for every character you add, the number of possible combinations increases exponentially. For a simple example, assume that you have a 5 character password, and only numbers can be used (this is just an example that illustrates what I’m talking about; don’t use a number only password unless you are forced to, like with a PIN!). So you have 10 to the power of 5 (10^5) possible combinations, which is 100,000. Now if you add one more digit, you have 10^6 possible combinations, or 1,000,000. So it will take a hacker one tenth of the time to guess all possible 5 digit combinations as it will to guess all possible 6 digit combinations. So they will of course start with all possible 5 digit combos before moving to 6.

    But mike was asking about a 1 digit combination. Essentially his question is “won’t the sum of all 1,2,3,4, and 5 digit combos be more than the 6 digit combos?” And the answer is no. In our example, each additional character in the password adds 10 times more possible combinations than the last number of characters. So the sum of all 1,2,3,4 and 5 digit passwords is 111,111, which is still just a little more than one tenth of the number of 6 digit passwords. This is why the hacker starts will smaller passwords before moving to larger.

    Reply
  13. I forgot to mention, though, that I like the fact that mike is thinking about this. We should always be thinking and questioning what we read and hear, especially on the internet.

    ” Dennis Kelley
    April 2, 2013 3:02 PM
    What if I hit the space key 27 times (keep it odd and not even). No number, or letters. On one password strength site I got a +108 score”

    I’m pretty sure some places won’t accept spaces in passwords, and some will truncate them. I have a piece of software at work that ignores spaces at the beginning and end of passwords. I would avoid using spaces in passwords.

    Now back to the article: This concept of lengthening your password has been spoken about a lot. Someone else mentioned Steve Gibson’s password strength analysis tool (www.grc.com/haystack.htm), where there is also a lot of info. But we need to be a little cautious. Yes, longer passwords are the most important part of our defense against brute force hacking. But a string of 20 w’s is probably not a good one. Why? Because a hacker doesn’t start with brute force. He starts with a dictionary attack, because that is so much more likely to yield a result. And any good password dictionary will contain such simplistic passwords, even out to 20 or more characters, because they are more likely to yield something, and it takes a trivial amount of time to search for them. The sum of all repeating character passwords, up to 100 repeated characters, is 95×100= 9500, a small number indeed. It would be faster to search those than to search all possible 3 character passwords.

    As more people start lengthening their passwords by adding on padding, the hackers will improve their searching to incorporate these things. Yes, it will be harder for them, but not as hard as it seems from just running the numbers. And like Leo pointed out, at some point it will be easier for the hacker to just look over your shoulder and see you hitting QQQQQQ.

    Reply
  14. My passwords are changing with DAY, Month, and year in a pattern I planned in advance, so I can remember and if the file shows when it was last “saved”, I can figure out its then passwords.
    I use all alphabets, numbers and SPECIAL CHARACTERS and although the length varies, it is never less than13. The pattern also is related to the name of the file in a mathematical formula.
    I think, no one can figure out such passwords. Any comments??

    Reply
  15. Given what the general article talks about I would suggest people come up with their own password padding scheme paired with a half way decent password and use it on their password manager for the master password as this is probably optimal for the common person. for example… instead of “MyDecentPassword” (16 characters) you would use something like “……….11111MyDecent,Passwordaaaaaaaaaa” (42 characters)

    that’s probably a good balance between security and ease-of-use.

    p.s. but for those who want guaranteed security, I suggest using Diceware (i.e. eff.org/dice ) with a minimum of six words (which is 77.5 bits of entropy which is about equivalent to a 12-character randomly generated password at 78.7 bits of entropy. 20 random characters is about the same as a 10 word Diceware passphrase). or one could use a combination of using some Diceware words rolled using real dice along with ones own padding scheme. NOTE(but this is probably a bit overkill though): if one is paranoid and does not trust their password managers password generation you can generate your own long/complex ones using basically all of the keys on the keyboard using three dice (say you want a 20 character password you would have to roll those three dice a minimum of twenty times) as you go to… https://theworld.com/%7Ereinhold/dicewarefaq.html and under the “How do I use dice to create random character strings?” section it shows you how to generate random strings using real dice. if one rolls the ‘sp’ (which is ‘spacebar’) I would just re-roll the three dice since I would avoid using the spacebar in passwords in general.

    Reply
  16. Leo, you wrote:

    “If you watch police shows or spy thrillers carefully, you’ll often see that when cracking a password, the letters of the password will suddenly appear one at a time. It’s typically some sort of race against time for that last character to appear and the entire password to get cracked, so as to avoid the explosion or other serious consequence.”

    A really excellent example would be the climax to the movie “WarGames.” Strictly speaking, the sequence being cracked isn’t exactly a password (hey, password, nuclear launch code, what’s the difference, right?) but it plays out exactly and precisely as you’ve just described it… right down to the “serious consequences.” : )

    Reply
  17. Leo’s article of password length reminded me of back in the TRS-80 days. I built an application using BASIC for a friend. The final program was compiled, which back then meant you could not look at the source code. The application had a simple password (like “kitchen”) that was entered in a box that always appeared in the same place on the screen. The program could sense the TIME that each character was typed (location of the black dot was on or off). Not only did the password have to be correct, but the time difference between the 2nd and 3rd characters had to be between 10 and 15 seconds apart. If the difference between those two characters was less than 10 seconds or more than 15 seconds, you could not log-in even if the password was correct. He called me and said he had a problem so I went to his house. He watched me log in with no problem. Then he tried it and failed again. I reminded him to READ the instructions I gave him.

    Reply
  18. David’s post above reminded me of a simple programming feature web pages can use as a another layer of security: Detect that the password is being typed in and analyze the time period between keystrokes (as opposed to being pasted in or inserted by software). This can be done and adapted to learn the typical typing pattern of the legitimate user. But this is rarely done, not even by financial institutions. Maybe this approach will break the use of a password manager, but what’s the purpose here, convenience or security? Of course, all this talk about password security seems silly since you can call your bank, give them your name and the last 4 digits of a bank card, and you’re in!

    Reply
    • I wonder about that myself. They ask a little more than that. They ask full name, account or credit/debit card number, birthdate, and last 4 digits of social security number. Those seem easy for someone who is determined to get. This leads to a warning: Don’t allow your birthday to be visible on social media. If they get your birthday, it’s not hard to figure out the year. And beware of phishing!

      Reply
    • The great thing about password managers is that they provide both convenience *and* security. If my bank wanted to be more secure, they could let me use a password that is longer than 12 characters (which is an improvement over the 10-max they used to have) – though granted, they do authenticate my machine. Any website that doesn’t let me paste in my password . . . well, let’s just say that really steams me. >:( If websites want people to use good passwords, don’t make it difficult to use a good password! LET ME PASTE IT IN! Also: tell me your password requirements up front, let me use more than 12 characters (is there some computational upper limit that would make sense here?), and for heaven’s sake! stop truncating it without telling me!

      Reply
      • There are pros and cons concerning allowing pasting of passwords. Pro: you can use long random passwords. Con: pasting can be done by bots. Pro: a very long password is almost impossible to crack one in trillions or better is the password is long enough. The pros far outweigh the con. The upper limit to the length of a password is huge. You could probably have a pass paragraph in a well designed system. The scary thing is that some websites truncate (shorten) the password and only use, for example, 8 or 10 characters of the password you entered and you won’t even know.

        Reply
        • I’ve been locked out of accounts that way – they accepted my long password without telling me they’d shortened it, then I couldn’t get back in with the full password. It took me forever to figure it out the first time – now, I know to look out for it. I know bots can paste passwords, but there are also limits online for how many attempts you get to log in. I agree: it’s not even close how far the pros outweigh the cons! I don’t know if there’d be a technical upper limit for passwords, but I would imagine you could hit a point that running the hash on it might slow down your login?

          Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.