Size Does Matter…at Least for Passwords

Size Does Matter…at Least for Passwords

I have been thinking and talking more about security in recent weeks. For my regular readers you would have noticed that I have been concentrating on securing Windows 7, but one topic I didn’t discuss was that of passwords.

It seems everything we do with computers, you will usually need to enter a password at some point. Just think about how many places you need to input a password, such as logging into your computer, a web site, or software that is installed on your computer. With many of these places containing extremely private information, it is important that you use a strong, safe, password to prevent unwanted individuals from accessing your information. Let’s look at what is a strong password to protect your data.

It’s All About Length

Measuring Tape

Whenever we are requested to create a password, many places talk about creating complex passwords that include upper and lower case letters, numbers, and symbols (punctuation). They may also require a minimum length of the password, such as 8 characters. While creating complex passwords is a good start, it doesn’t always guarantee the most secure password. A complex password, using the rules stated above, that is 8 characters long is easier to crack than one that uses only lower case letters but is 15 characters long. Why is that? Let’s take a look.

The table below lists some numbers that I will be using through the remainder of this post. It contains the character count for various ASCII-printable characters on a computer.

Character Count Description
26 Lower or upper case letters only.
52 Lower and upper case letters.
10 Numeric digits.
32 Punctuation and symbols.
94 ASCII-printable characters.

By using the above table we can determine the number of possible passwords by using one of the above variations if we know the length of the password. To do this we simply take the number of possible characters from the table, and raise it to the power of the length. For example, the number of possible combinations for an 8 character password that uses all the ASCII-printable characters would be:

948 = 6,095,689,385,410,816

Since the length is the exponent in the equation, it has the most influence on the number of possible combinations. As an example if we were to add one more character to the password, making it a 9 character password, the total number of combinations would jump to:

949 = 572,994,802,228,616,704

That is quite an increase just be adding one character.

Complexity Definitely Helps But Length is Still Better

If possible, you should always try to add complexity to any password you create, but you shouldn’t sacrifice length to make a password complex. As mentioned above, length has the most influence over the possible combinations of a password.

Let’s look at these examples. The first one uses all 94 printable ASCII characters and is 8 characters long (as before), while the second one uses only lower case letters but is 15 characters long.

ASCII Characters: 94, Length: 8

948 = 6,095,689,385,410,816

ASCII Characters: 26, Length: 15

2615 = 1,677,259,342,285,725,925,376

That is a huge difference between the two lengths. Even though the second example uses 68 fewer ASCII characters, it still has the most possible combinations, simply because it is a longer password.

Using Longer Passwords

By using what I mentioned above, you should start looking at generating longer passwords for various sites that contain personal, sensitive, information. Sites include PayPal, your online banking web site, eBay, and e-mail sites.

Each site probably does have a limit on the number of characters you can include in your password. I know eBay and PayPal have a 20 character limit, while Google passwords can be much longer than 20 characters.

While there are limitations, they are still large enough to create rather hard-to-crack passwords, especially if you were to use all the ASCII-printable characters, and were to use the maximum size password.

eBay and PayPal

9420 = 2,901,062,411,314,618,233,730,627,546,741,369,470,976


9435 = 1,146,766,178,882,655,376,556,940,967,051,013,237,072,355,351,113,897,892,962,775,360,077,824


The Google example stops at 35 characters even though I know it can accept at least 64 characters. The 35 character limit was imposed on the calculator I was using, so I chose 35 so I could display a number.

By looking at the examples above, either 20 or 30 character passwords are secure enough where you wouldn’t need to worry about someone guessing your password.

While I didn’t go into any rules with regards to creating password, you can easily see that when creating passwords you should create them not only for complexity, but also for length.

7 Responses to “Size Does Matter…at Least for Passwords”

  1. The longer, the more secure. But it’s also easier for you to forget it. LOL

  2. Thrawn says:

    @Chuck: Sorry to bust your bubble, but sophisticated password-cracking software will know all of the same mods that you do. You’ll slow it down, but you probably won’t make it revert to brute-force, which means you’re in trouble.

    XKCD has something to say on the subject:

    On the other hand, a long random sequence of all-lower-case words is *very* hard to crack. Conservative estimates of dictionary size are 5000 words or more, whereas the whole printable ASCII character set is only 94. So, just 4 random words – no capitalisation, no numbers, no special characters – gives you 5000^4 possible passphrases, which ends up being only one order of magnitude less than a completely-random, full-ASCII-set 8-character password. 5 words will be far stronger. And which one is easier to remember? No contest.

    As an added bonus, most password crackers don’t target passphrases yet, so they’re trying every character combination, and a 4-word passphrase will probably be 20 characters long or more…

  3. mitz says:

    I really like your idea on how to make passwords Chuck! LOL they are great but I still will not remember them. I have to write them down…and that was fine until I ended up with 2 books full of passwords…AAHHH!!!

  4. Chuck says:

    All that I do is come up with something I can easily remember, then completely change it. For example

    It’s a simple plan

    Access Denied

    I see you
    !C(O.O)You! < this one would probably be awful to type repetitiously..

  5. Chinaren says:

    The only thing you’re missing here is: The Human factor.

    Long passwords, or with upper/lowercase characters and numbers are hard to remember, and hence there’s a much higher risk of them being written down, or saved somewhere that isn’t secure.

    I loath sites that demand I use a password with upper/lower case and numbers, as this forces me to use a slightly different password to my norm, which means I won’t remember it!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.