When you use a password manager the question of password length riddles the mind.
Are 8 characters good enough? Is it worth having a 100-character password? Do I need special characters?
Let me show you the right size password and when it’s okay to use short passwords.
When it comes to passwords, size matters. The longer your password, the harder it is to guess.
But you can get to a point where extra length is considered pointless.
If you ask me, a password should never be less than 12 characters long. But I’m more comfortable with 15 characters or longer. I also consider a password over 30 characters pointless.
To understand why we need to do some math.
The Math of Passwords
Math is the magic behind password manager encryption. Yes, plain old math is the security that protects your passwords.
The scary truth is that all systems are “hackable”, but the time to crack it is beyond the lifetime of you, me or our galaxy combined. We deal with numbers so large that it’s not possible to break within any reasonable time frame.
To figure out an acceptable password length we need a baseline. The only group I can think of with the computing power, let alone the money, to crack the strongest of passwords would be a nation state.
In an interview, Edward Snowden said, “Assume your adversary is capable of one trillion guesses per second.”
This was back in 2014, and this post was written in 2019. We can assume they have gotten faster. For this article, I’m going with a worst case scenario of 10 trillion guesses per second. It’s hard to get an exact number because the people with these machines don’t brag about them to the public.
To put this in perspective, your average Joe wouldn’t have 1/100th of this power. We really are dealing with the worst case scenario.
The Character Set
Before we do the math, we need to know what characters are being used.
We’ll be using English characters. This is 26 lowercase and 26 uppercase options. We’ll also use the numbers 0 to 9. As for special characters, there are a lot of them. For specials I’m going to use the most common ones (!@#$%^&*), which are also the ones the Bitwarden password manager uses.
This means we have
- 26 Lowercase
- 26 Uppercase
- 10 Numbers
- 8 Special Characters
For a total of 70 characters to pick from for our password. Don’t worry, a bigger character set doesn’t help much. It’s the length that matters, and I’ll show you why.
With 70 character possibilities and a password 8 characters long you get… 70^8 = 576,480,100,000,000 possibilities.
That is a significant number for sure. But keep in mind that our machine can guess 10 trillion passwords per second. That means it would have guessed every possible combination in about 58 seconds.
This clearly rules out 8 character passwords with all combinations. What about 9, 10, 11, and so on?
9 Characters long = 40,353,607,000,000,000 possibilities. 4,035 seconds or about 67 minutes to guess all possibilities.
10 Characters long = 2,824,752,490,000,000,000 possibilities. 282,475 seconds or about 3.27 days to guess all possibilities.
11 Characters long = 229 days to guess all possibilities.
12 Characters long = 16,020 days to guess all possibilities or about 44 years.
You can see why I like to say 12 characters is the bottom for password length. But we can’t stop there. If you’re cracking these passwords you won’t need to go through all the possibilities; you’ll find the password before that. So I like to divide the number in half.
With a 12 character long password using 70 different character possibilities it would be safe to assume at 10 trillion guesses per second they’ll get it cracked in 22 years. It probably would be sooner than that if they upgrade their cracking computer. Hopefully by that time you’ve changed the password to something else.
As shown in the example above, the longer the password, the longer it took to crack. Just adding one extra character to your password made it exponentially stronger.
At 11 characters it took 229 days to guess all the possibilities. When you add one more character, it jumped to 16,020 days to guess. That is a huge increase!
Go to 13 characters, and you get 3,071 years.
14 Characters you get 215,035 years.
15 Characters and you get 15,052,509 years to guess all possibilities.
Just one more character makes your password exponentially stronger!
At this point, you might be wondering why not make all passwords 100 characters long? I mean it’s not wrong, but there are cases where it doesn’t make sense.
Too Long of a Password
When we get to a password that is 30 characters long you end up with 71,462,714,935,612,700,000,000,000,000,000,000 years to guess all possibilities. No one is cracking that thing in anyone’s lifetime.
At 30 characters long there is no real point to go any longer for the foreseeable future. (I wonder how well this will age in 10 years?) The hackers have higher odds of phishing the password from you or writing a virus to grab it.
The only person you’re hurting is yourself if you ever have to enter that password manually. This is why I don’t like to go beyond 30 characters. There are still plenty of times where you’ll have to enter your password (looking at you Netflix) manually.
If you don’t have to ever manually enter a password and the site allows for long passwords then go for it. If your password manager can enter it for you, it won’t matter how long your password is.
When Length Doesn’t Matter
All this gets thrown out the window if your password is in a plain text breach. If the site for some dumb reason stored your password in plain text, it won’t matter how long it is. It’s been exposed and should never be used again.
As we saw earlier, the longer the password, the more possibilities. It’s in everyone’s best interest to use long passwords because if one gets exposed, we still have a ton more options to pick from.
What About Passphrases?
Passphrases are password “sentences.” The most common example is the “correct horse staple battery” from xkcd.
Passphrases are great because they’re long and easy to remember. If you ever have to enter a password manually, you’ll find a passphrase easier to deal with than say “?Ujx%MfU<8X+vGFBMNQW+”.
If anything, you should use a passphrase for your master password to your password manager. It’s easy to type and easy to remember. (Most password managers use PBKDF2 to protect your master password. This makes your password even harder to guess and allows you to use a shorter master password if you want).
If a hacker knows you’re using a passphrase for a password, it’s not how many characters you have but how many words that matters.
The most common word list to use for passphrases is the Diceware list. This list has 7,776 words to pick from.
If our passphrase were only 4 words long using our 10 trillion guesses per second machine, it would have gone through all possibilities in about 6 minutes.
- 5 Words: 32 Days
- 6 Words: 700 Years
- 7 Words: 5,450,446 Years
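To check the figures in both tables yourself, here is an added Python example (not code from the article) that reproduces the brute-force math for the 70-character set and for the Diceware word list, and goes one step beyond the text by computing the smallest length needed to reach a chosen number of years. The constants are the article’s assumptions; the 365.25-day year is my choice, so year figures can differ from the article’s by a unit or so.

```python
"""Brute-force exhaustion times for passwords and Diceware passphrases.
Constructed example using the article's assumptions: a 70-symbol character
set, the 7,776-word Diceware list, and an adversary making 10 trillion
guesses per second. Years are 365.25 days (an assumption; the article rounds)."""

GUESSES_PER_SECOND = 10**13        # 10 trillion guesses/s, the article's worst case
CHARSET_SIZE = 26 + 26 + 10 + 8    # lower, upper, digits, 8 common specials = 70
DICEWARE_WORDS = 7776              # size of the standard Diceware word list
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(symbols: int, length: int) -> int:
    """Distinct passwords of exactly `length` picks from `symbols` options."""
    return symbols ** length


def seconds_to_exhaust(symbols: int, length: int,
                       rate: int = GUESSES_PER_SECOND,
                       fraction: float = 1.0) -> float:
    """Seconds to try `fraction` of the keyspace at `rate` guesses/second.
    fraction=1.0 tries every combination; fraction=0.5 is the article's
    'they'll find it about halfway through' estimate."""
    return keyspace(symbols, length) * fraction / rate


def human(seconds: float) -> str:
    """Round a duration the way the article does (seconds/minutes/days/years)."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 60:.0f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def min_length_for(symbols: int, target_years: float,
                   rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least `target_years` to
    exhaust at `rate`. Works for characters (symbols=70) or words (7776)."""
    length = 1
    while seconds_to_exhaust(symbols, length, rate) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


if __name__ == "__main__":
    for n in range(8, 16):
        print(f"{n:2d} chars: {human(seconds_to_exhaust(CHARSET_SIZE, n))}")
    for w in range(4, 8):
        print(f"{w} words:   {human(seconds_to_exhaust(DICEWARE_WORDS, w))}")
    print("12 chars, half the keyspace:", human(seconds_to_exhaust(CHARSET_SIZE, 12, fraction=0.5)))
    print("chars needed for 100 years:", min_length_for(CHARSET_SIZE, 100))
    print("words needed for 100 years:", min_length_for(DICEWARE_WORDS, 100))
```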
Just like adding one more character adding one more word makes it exponentially harder to guess the password.
The thing about using passphrases is that the hacker needs to know that you used one. If that’s not known, your password looks like every other password in the world. It’s an all or nothing game when it comes to passwords.
Not only do they need to know it’s a passphrase but they also need to know your scheme.
“useable utopia snowstorm vest broker replica immovably”
“useable utopia snowstorm vest_broker replica immovably”
These passphrases look the same to you or me, but to a computer the different characters between the words (even a space) make each one unique.
The number of possible schemes is effectively unlimited, which is what makes passphrases so secure.
You could even skip the Diceware word list and make your own sentence. The thing about this one is that you want the sentence not to make sense and to be something that was never said or would ever be said. An example: “The unicorn ate the turkey heater.” Or even make up the words: “The Flunxor is a completely full cauplests.” Just don’t overdo it. Make sure to write down your master password and keep it somewhere safe, as you don’t want to be locked out.
Why Would Someone Use a Short Password?
Besides sites making you use a specific password length, another reason to use a short password is that people are comfortable with it.
If you’re new to password managers, you might be afraid to use a password that is too long, and that’s fine.
The most important thing you need to do is use a unique password for every account. A password manager full of 8-character passwords that are 100% unique from the rest is far better than a guy using the same 20-character password everywhere.
All it takes is for the guy with the 20-character password on every account to get hacked once to lose everything. The guy using unique but short passwords will be just fine.
The fact is that hackers are going to use breached passwords instead of guessing every combination. Most, if not all, internet services stop such guessing from even happening.
So the real question you should be asking is not how long should your password be but how unique are all your passwords.