When it comes to passwords, size really does matter.
Twenty w’s — wwwwwwwwwwwwwwwwwwww — does seem like a “simple” password, doesn’t it?
Might it be too simple? Could it really be stronger than, say, yjckD$3t77?
The answer, as clickbait headlines would say, will surprise you.
Become a Patron of Ask Leo! and go ad-free!
When it comes to passwords, longer is better. When faced with the choice of longer versus more complex, choose length. In order to be cracked, a password must be completely correct — there’s no movie-like incremental guessing. Keep your guard up, though, as cracking is only one way passwords can be compromised.
Size matters
It’s simple: longer passwords are better. Length is the easiest way to make a password more secure.
When you’ve got a choice between making a password longer or keeping it the shorter but making it more complex, length wins. A password of 20 “w’s” would be much more secure than a 10-character password of random characters.
Twenty “w’s” is a lot easier to remember. On the other hand, somebody shoulder surfing might see what your password is, so you might want something not quite so simple.
But in general, for attacks where passwords are being cracked, a longer password always wins.
TVs and movies lie
If you watch police shows or spy thrillers carefully, you’ll often see that when cracking a password, the letters of the password will suddenly appear one at a time. It’s typically some sort of race against time for that last character to appear and the entire password to get cracked, so as to avoid the explosion or other serious consequence.
That is not how it works.
You have to get the entire password right at once. There is no way to discover a password character-by-character.
So, in the case of a 20-character password, they’d have to get all 20 correct at the same time. ANY error — even if just one character is wrong — doesn’t give the hacker any information about whether or not any of the other characters were correct. It’s all or nothing.
That’s why longer is better. The only way to crack it is by brute force. Trying all possible 8-character passwords can be done in a reasonable amount of time. All possible 20-character passwords? That would take centuries.
There’s more to compromise than cracking
Don’t drop your guard just because you have a 20-character password. There are plenty of ways having nothing to do with length with which the password could still be compromised.
- Malware such as a keylogger can capture a password of any length.
- A service that stores passwords improperly could expose your actual password.
- Hackers have lists of “popular” passwords and previously compromised passwords that they’ll try first.
This is why it’s important to maintain proper security, as well as using a unique password for each account you have.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Related Video
This advice should come with one caveat: these days hackers seldom use pure brute force right away, or old-school rainbow attacks, both of which would probably never find a password like 20 w’s.
As I read in an article on ars-technica.com recently, these days they have lists with commonly-used patterns, and I’m guessing that using such a list any reasonable amount of w’s repeated (whether 12, 16, 20 or some other number) will be found within seconds.
The solution would be fairly straightforward: try not to use a pattern; my vote goes to completely randomized strings of passwords like you can get here, and that’s a pain to remember, so I simply use one such password for my password locker and simply let the password locker remember them for me.
It’s not likely that a rainbow table would catch 30 Ws. Rainbows are made but a method similar to a brute force hack. They generate hashes for every possible combination of characters up to 9 or possible up to 10 characters by now. Any passwords longer than that won’t be found on a rainbow table.
Actually, that’s technically not true. It assumes the rainbow table is created from all possible passwords in a space. Certainly a common thing, HOWEVER….
Consider a rainbow table made up of hashes of a million or more most common/found passwords? I’d be willing to bet “Correct Horse Battery Staple” is in it.
Lesson: don’t re-use passwords, regardless of their length.
Thank you for this article. I am struggling with passwords and Lastpass is a challenge also. But 4 random words like that. That means my sentence isn’t worth spit either. Will try a longer sentence with more numbers and initials and….
If you put a punctuation character between each of the 4 words, you’ll have a strong password. For example “correcT^HorsE^batterY^staplE” would be as uncrackable as anything even though “CorrectHorseBatteryStaple” is burned. Adding even one character increases the security exponentially.
This explanation assumes the password length is known. Is it possible that the hacker knows the length of the password beforehand?
If not, then even the list will have to include many more entries to try out.
02-Apr-2013
Unfortunately, if you use a PIN to log into Windows 10, a hacker can easily get the number of characters. As soon as you’ve typed an incorrect password with the correct number of characters, you get an incorrect password message. It would be much safer for Windows to require pressing the “Enter” key to enter the password. Microsoft gets so many basic things wrong.
PINs on Windows 10 are only useful on the local machine though. You can’t use that to login to the Microsoft account.
Each machine has its own pin but it does log you on to your Microsoft computer on that machine. It won’t log you on to your account on the web if that’s what you mean but you will be logged in to OneDrive and OneNote etc.
This raises an interesting question. Many years ago, I changed a password on a file that contained the office budget (on a secure system). I found that afternoon I couldn ‘t open the file. I also found I couldn’t open the backup either. Since I was taking two weeks off for the Christmas holidays, I got permission from the security guys to approve a brute force password finder to find the password. When I came back to work, lo and behold the sw had found the password. I immediately changed the password back to 12 characters with appropriate backup, then analyzed the stats. I don’t remember the exact number but there billions of combinations. When I looked at the decrypted passwodd, it was exactly what I had put in. Still haven’t figured this one out.
I have a question that I’ve asked on another site before, but never got a satisfactory answer. Hear me out here–why does it matter how long my password is? Let’s say for example I choose a password with a length of only one character. If the person trying to guess my password doesn’t KNOW it’s only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is–if the hacker doesn’t know the LENGTH of my password, shouldn’t a one character password have the same chance of being cracked as a 13 character password?
02-Apr-2013
I’m glad you mentioned that about how the movies show a password being cracked. It always cracked me up watching this. Like in the movie Sneakers with Robert Redford the numbers magically appeared in random order each in the correct position.
The method used in the movies relies on an obsolete way to validate passwords. There was a time when the password could be validated character by character against the required password stored in clear text, and the fail message issued as soon as a mismatch occurred.
In that case, accurately monitoring the delay before the response can tell you that you got a correct guess as, in that case, one more character get tested, meaning a longer delay.
It was possible to use that method back in the 60’s, and the 70’s against badly conceived systems.
Passphrases are the way to go. This xkcd cartoon completely changed the way I think about security: http://xkcd.com/936/
When choosing a password, if possible I pick a passphrase that invokes a funny, memorable image, much like the cartoon.
(Also, I use two-factor authentication if it’s available…that can save your butt, even if you choose a bad password.)
“mike
March 31, 2013 10:49 AM
I have a question that I’ve asked on another site before, but never got a satisfactory answer. Hear me out here–why does it matter how long my password is? Let’s say for example I choose a password with a length of only one character. If the person trying to guess my password doesn’t KNOW it’s only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is–if the hacker doesn’t know the LENGTH of my password, shouldn’t a one character password have the same chance of being cracked as a 13 character password?”
The answer is simple. Suppose you chose to use a single character for say, your WiFi password. Someone else comes along, and decides to crack your WiFi (for whatever reason). Now assuming you are using WPA2-PSK on your router, they will spend about half an hour getting the stuff they need to actually start cracking your WiFi password.
After that, they will spend (assuming they are not stupid) two hours using a dictionary attack on your WiFi. They will come up short (probably), and switch to a brute force attack, which will crack it in about a minute.
That’s if they just aren’t stupid. A great cracker will have a better password dictionary, and crack your WiFi in about half an hour.
This applies to any sort of password security, and the basic methods work in very much the same way. Anybody with a easy to find password cracker and good dictionary list will get into whatever security system you set up in an extremely speedy manner.
I use the method @Mike [March 31, 2013]refers to.
I keep a link shortcut on my desktop just for this reason. Perhaps a visit to GRC’s page will provide a good learning experience for many. Also, take the time to review GRC’s “Password Haystacks” link at the very top of the page, below the header.
https://www.grc.com/passwords.htm
@DaGeek247,
I don’t think they sit there and type in passwords hoping to guess it. I think they have programs that run through a list of most likely things. It’s so fast to run through one symbol, then combinations of two, then combinations of three that they do that first. You’d be hacked in a heartbeat.
What if I hit the space key 27 times (keep it odd and not even). No number, or letters. On one password strength site I got a +108 score.
one of my passwords is a 20 digit combo of numbers (top row) and letters (second row). I skip keys in a easily remembered sequence. I toss the shift key into the mix in, a number/letter – shift/number/letter – no shift… etc, something easy for me to remember with a rhythm to it -1,2,3 -1,2,3… and one could pick any rows to use.
“mike
March 31, 2013 10:49 AM
I have a question that I’ve asked on another site before, but never got a satisfactory answer. Hear me out here–why does it matter how long my password is? Let’s say for example I choose a password with a length of only one character. If the person trying to guess my password doesn’t KNOW it’s only one character long, they would still have to test for a password of up to, for example, 13 characters. So my question is–if the hacker doesn’t know the LENGTH of my password, shouldn’t a one character password have the same chance of being cracked as a 13 character password?”
DaGeek247 gave a good answer for this, as did Leo (good to see you back!). I have a little more to add.
Remember that, for every character you add, the number of possible combinations increases exponentially. For a simple example, assume that you have a 5 character password, and only numbers can be used (this is just an example that illustrates what I’m talking about; don’t use a number only password unless you are forced to, like with a PIN!). So you have 10 to the power of 5 (10^5) possible combinations, which is 100,000. Now if you add one more digit, you have 10^6 possible combinations, or 1,000,000. So it will take a hacker one tenth of the time to guess all possible 5 digit combinations as it will to guess all possible 6 digit combinations. So they will of course start with all possible 5 digit combos before moving to 6.
But mike was asking about a 1 digit combination. Essentially his question is “won’t the sum of all 1,2,3,4, and 5 digit combos be more than the 6 digit combos?” And the answer is no. In our example, each additional character in the password adds 10 times more possible combinations than the last number of characters. So the sum of all 1,2,3,4 and 5 digit passwords is 111,111, which is still just a little more than one tenth of the number of 6 digit passwords. This is why the hacker starts will smaller passwords before moving to larger.
I forgot to mention, though, that I like the fact that mike is thinking about this. We should always be thinking and questioning what we read and hear, especially on the internet.
” Dennis Kelley
April 2, 2013 3:02 PM
What if I hit the space key 27 times (keep it odd and not even). No number, or letters. On one password strength site I got a +108 score”
I’m pretty sure some places won’t accept spaces in passwords, and some will truncate them. I have a piece of software at work that ignores spaces at the beginning and end of passwords. I would avoid using spaces in passwords.
Now back to the article: This concept of lengthening your password has been spoken about a lot. Someone else mentioned Steve Gibson’s password strength analysis tool (www.grc.com/haystack.htm), where there is also a lot of info. But we need to be a little cautious. Yes, longer passwords are the most important part of our defense against brute force hacking. But a string of 20 w’s is probably not a good one. Why? Because a hacker doesn’t start with brute force. He starts with a dictionary attack, because that is so much more likely to yield a result. And any good password dictionary will contain such simplistic passwords, even out to 20 or more characters, because they are more likely to yield something, and it takes a trivial amount of time to search for them. The sum of all repeating character passwords, up to 100 repeated characters, is 95×100= 9500, a small number indeed. It would be faster to search those than to search all possible 3 character passwords.
As more people start lengthening their passwords by adding on padding, the hackers will improve their searching to incorporate these things. Yes, it will be harder for them, but not as hard as it seems from just running the numbers. And like Leo pointed out, at some point it will be easier for the hacker to just look over your shoulder and see you hitting QQQQQQ.
My passwords are changing with DAY, Month, and year in a pattern I planned in advance, so I can remember and if the file shows when it was last “saved”, I can figure out its then passwords.
I use all alphabets, numbers and SPECIAL CHARACTERS and although the length varies, it is never less than13. The pattern also is related to the name of the file in a mathematical formula.
I think, no one can figure out such passwords. Any comments??
Given what the general article talks about I would suggest people come up with their own password padding scheme paired with a half way decent password and use it on their password manager for the master password as this is probably optimal for the common person. for example… instead of “MyDecentPassword” (16 characters) you would use something like “……….11111MyDecent,Passwordaaaaaaaaaa” (42 characters)
that’s probably a good balance between security and ease-of-use.
p.s. but for those who want guaranteed security, I suggest using Diceware (i.e. eff.org/dice ) with a minimum of six words (which is 77.5 bits of entropy which is about equivalent to a 12-character randomly generated password at 78.7 bits of entropy. 20 random characters is about the same as a 10 word Diceware passphrase). or one could use a combination of using some Diceware words rolled using real dice along with ones own padding scheme. NOTE(but this is probably a bit overkill though): if one is paranoid and does not trust their password managers password generation you can generate your own long/complex ones using basically all of the keys on the keyboard using three dice (say you want a 20 character password you would have to roll those three dice a minimum of twenty times) as you go to… https://theworld.com/%7Ereinhold/dicewarefaq.html and under the “How do I use dice to create random character strings?” section it shows you how to generate random strings using real dice. if one rolls the ‘sp’ (which is ‘spacebar’) I would just re-roll the three dice since I would avoid using the spacebar in passwords in general.
Leo, you wrote:
“If you watch police shows or spy thrillers carefully, you’ll often see that when cracking a password, the letters of the password will suddenly appear one at a time. It’s typically some sort of race against time for that last character to appear and the entire password to get cracked, so as to avoid the explosion or other serious consequence.”
A really excellent example would be the climax to the movie “WarGames.” Strictly speaking, the sequence being cracked isn’t exactly a password (hey, password, nuclear launch code, what’s the difference, right?) but it plays out exactly and precisely as you’ve just described it… right down to the “serious consequences.” : )
Leo’s article of password length reminded me of back in the TRS-80 days. I built an application using BASIC for a friend. The final program was compiled, which back then meant you could not look at the source code. The application had a simple password (like “kitchen”) that was entered in a box that always appeared in the same place on the screen. The program could sense the TIME that each character was typed (location of the black dot was on or off). Not only did the password have to be correct, but the time difference between the 2nd and 3rd characters had to be between 10 and 15 seconds apart. If the difference between those two characters was less than 10 seconds or more than 15 seconds, you could not log-in even if the password was correct. He called me and said he had a problem so I went to his house. He watched me log in with no problem. Then he tried it and failed again. I reminded him to READ the instructions I gave him.
David’s post above reminded me of a simple programming feature web pages can use as a another layer of security: Detect that the password is being typed in and analyze the time period between keystrokes (as opposed to being pasted in or inserted by software). This can be done and adapted to learn the typical typing pattern of the legitimate user. But this is rarely done, not even by financial institutions. Maybe this approach will break the use of a password manager, but what’s the purpose here, convenience or security? Of course, all this talk about password security seems silly since you can call your bank, give them your name and the last 4 digits of a bank card, and you’re in!
I wonder about that myself. They ask a little more than that. They ask full name, account or credit/debit card number, birthdate, and last 4 digits of social security number. Those seem easy for someone who is determined to get. This leads to a warning: Don’t allow your birthday to be visible on social media. If they get your birthday, it’s not hard to figure out the year. And beware of phishing!
The great thing about password managers is that they provide both convenience *and* security. If my bank wanted to be more secure, they could let me use a password that is longer than 12 characters (which is an improvement over the 10-max they used to have) – though granted, they do authenticate my machine. Any website that doesn’t let me paste in my password . . . well, let’s just say that really steams me. >:( If websites want people to use good passwords, don’t make it difficult to use a good password! LET ME PASTE IT IN! Also: tell me your password requirements up front, let me use more than 12 characters (is there some computational upper limit that would make sense here?), and for heaven’s sake! stop truncating it without telling me!
There are pros and cons concerning allowing pasting of passwords. Pro: you can use long random passwords. Con: pasting can be done by bots. Pro: a very long password is almost impossible to crack one in trillions or better is the password is long enough. The pros far outweigh the con. The upper limit to the length of a password is huge. You could probably have a pass paragraph in a well designed system. The scary thing is that some websites truncate (shorten) the password and only use, for example, 8 or 10 characters of the password you entered and you won’t even know.
I’ve been locked out of accounts that way – they accepted my long password without telling me they’d shortened it, then I couldn’t get back in with the full password. It took me forever to figure it out the first time – now, I know to look out for it. I know bots can paste passwords, but there are also limits online for how many attempts you get to log in. I agree: it’s not even close how far the pros outweigh the cons! I don’t know if there’d be a technical upper limit for passwords, but I would imagine you could hit a point that running the hash on it might slow down your login?