Ask Leo: How long should a password be?


By Leo Notenboom

For a long time, the common thinking was that the best, most practical passwords
consisted of a random combination of upper and lower-case letters, numbers, and a
special character or two; if so composed, a password needed to be only eight characters in

Randomness remains important, but as it turns out, size matters more.

A password today should have a minimum of ten characters, and ideally, twelve.

Large scale account hacks

When you hear about large numbers of accounts being stolen by a hack at
some service provider, you are naturally concerned that the hacker might now
have access to your account names and passwords. If the service was storing your actual passwords, that could indeed be the case.
(As I’ve said before, if a service is storing your actual passwords,
then they simply don’t understand security or they have made some horrifically bad

In fact, most services will store an encrypted (technically, a “hashed”) form
of your password. For example, if my password were “password” (and that’s a very poor
password, of course), then a service might store
“5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8” which is the
hash value that corresponds to that password. 1

“Even the best eight-character passwords should no longer be
considered secure.”

What that means is that hackers do not get a list of user names and
passwords. What they get is a list of usernames and password hashes.

And what’s great about hashes is that you can calculate a hash from a
password, but you cannot do the reverse – you cannot calculate the password
from the hash.

As a result, one would think that by being hashed it’d be pretty unhackable,

Sadly, not so much.

Dictionary attacks

The most common type of password attack is simply a high-speed guessing

These attacks involve starting with an exhaustive list of possible words
(including names, profanities, acronyms, and more) and perhaps a few rules to
try interesting and common ways that people try to obfuscate words. They
calculate the hash of each guess and if it matches what was found in the
compromised database of account information that they’re working against,
they’ve figured out the password for that account.

As we’ll see in a moment, it’s easy for hackers to make an amazing number of
guesses is a short amount of time.

That’s why you’re not using that kind of password, right?

That’s why a password created from a totally random combination of characters is best; it forces hackers to move on to a true brute force attack to gain access.

Article continued here

This post is excerpted with Leo’s permission from his blog.

FaceBook URL: Leo’s Facebook

Twitter URL:

Want to get monthly tips & tricks?

Subscribe to our newsletter to get cybersecurity tips & tricks and stay up to date with the constantly evolving world of cybersecurity.

Related Articles