Feb 10, 2012

Which is better for password security, length or complexity?

Debate over coffee this morning was which is superior, a password that is very lengthy (15+ characters) or very complex (use of symbols like #,$,%,^)?  I realize that either are far superior to the average password, but which would be the more secure choice?  


Strong Passwords should have

- a combination of upper case & lower case

- numbers

- special characters


Length: 8-15



Sandeep Seeram

I suggest using both. Why do just one or the other? Make your passwords as difficult as possible for somebody to mess with.

Here are some links on how to create strong passwords:

Create strong passwords

Password Protection: How to Create Strong Passwords

How To Create Strong Passwords That You Can Remember Easily
Ahh, the never ending debate! If you use an app to keep track of passwords, you can do the long/complex thing pretty easily. But if you need strong passwords that are also something you can recall from memory, you might want to try taking song lyrics, and use the first letter of each word. For example, "Yankee doodle went to town, riding on a pony. Stuck a feather in his hat and called it macaroni," would be Ydwttroap!safihhacim! I added the exclamations because a rousing song like that just demands them, and it adds slightly to the security of the p/w. That should be a handful for most brute force attacks to handle, yet it remains easy to recall without the need for a password manager. Different songs for different accounts is also wise. I find Rage Against the Machine works well for banking!

Why not use both complexity and length?


I use the KeePass app to save login info and copy it between my laptop and phone, and desktop when I use one. I use it because I possess the data, it's not in the cloud somewhere - I also have it on a USB stick (and yes, it is password-protected too). Some devs will give you an exported KeePass db and its password separately when transferring sensitive logins (db connections, superusers etc).


KeePass also tells you how secure a password is before you save it:


DxitLOazKJEGvjo 15 letters is 86bits

8ZzEm6IMON4H0su adding numerals is not much more secure, 87 bits

jIsrk;QRlq8@&Bi adding special characters is 99 bits


C1!x0 reducing that to 5 characters it's 32 bits

kNJWt letters only is 29 bits, so for a short PW the complexity is not adding much


explain xkcd says length is more important than complexity; and that was demonstated by my examples


more info on Wikipedia








Answer this