Passwords–Longer Beats Complex

I ran across an article on the PCWorld web site, that explains why longer simpler passwords are better than shorter more complex passwords.  It is basically about hacking time.  Passwords are cracked using automated programs that make thousands of attempts per second.  They are cracked from long lists of encrypted password hashes that are stolen from web servers.  The resulting clear text passwords are recorded and sold as “rainbow tables”  If I have a good rainbow table and your encrypted password hash, I can be into your accounts in seconds.

Longer passwords take so long to decrypt, that it becomes an exercise in futility for the cracker.  Generally speaking, as you get to ten characters or more, the cracking time, even at a thousand tries per second, gets into centuries and millennia, which is too long to be practical.  So basically, the bad guys will post the easy low-hanging fruit of 6-10 character passwords, while longer passwords will outlast the cracking attempt.

My recommendation – more than 12 – shoot for 15 characters.  A quick analysis at Passfault Analyzer showed that one of my passwords at 14 characters would take 33 years to crack, but at 15, it would take 14 centuries.



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.