When you use a password manager the question of password length riddles the mind. <\/p>\n\n\n\n
8 characters good enough? Is it worth it to have a 100 character long password? Do I need special characters? <\/p>\n\n\n\n
Let me show you the right size password and when it\u2019s okay to use short passwords. <\/p>\n\n\n\n
When it comes to passwords size matters. The longer your password, the harder it will be to guess it.<\/p>\n\n\n\n
But you can get to a point where it\u2019s consider pointless. <\/p>\n\n\n\n
If you ask me a password should never be less than 12 characters long. But I\u2019m more comfortable with 15 characters or longer. I also consider a password over 30 characters pointless. <\/p>\n\n\n\n
To understand why we need to do some math. <\/p>\n\n\n\n
Math is the magic behind password manager encryption. Yes, plain old math is the security that protects your passwords. <\/p>\n\n\n\n
The scary truth is that all systems are \u201chackable\u201d, but the time to crack it is beyond the lifetime of you, me or our galaxy combined. We deal with numbers so large that it\u2019s not possible to break within any reasonable time frame. <\/p>\n\n\n\n
To figure out an acceptable password length we need a baseline. The only group that I can think of that has the most power, let alone the money, to crack the strongest of passwords would be a Nation State. <\/p>\n\n\n\n
In an interview, Edward Snowden said, \u201cAssume your adversary is capable of one trillion guesses per second.<\/a>\u201d<\/p>\n\n\n\n This was back in 2014, and this post was written in 2019. We can assume they have gotten faster. For this article, I\u2019m going with a worst case scenario of 10 trillion guesses per second. It\u2019s hard to get an exact number because the people with these machines don\u2019t brag about them to the public. <\/p>\n\n\n\n To put this in perspective, your average Joe wouldn\u2019t be at 1\/100th this power. We really are dealing with the worst case scenario. <\/p>\n\n\n\n Before we do the math, we need to know what characters are being used. <\/p>\n\n\n\n We\u2019ll be using English characters. This is 26 lower case and 26 upper case options. We\u2019ll also use numbers 0 to 9 too. As for special characters, there is a lot of them. For special I\u2019m going to use the most common ones (!@#$%^&*) or the ones that Bitwarden password manager uses. <\/p>\n\n\n\n This means we have <\/p>\n\n\n\n For a total of 70 characters to pick from for our password. Don\u2019t worry, having more characters doesn\u2019t help much. It\u2019s the length that matters, and I\u2019ll show you why. <\/p>\n\n\n\n With 70 character possibilities and a password of 8 characters long you get\u2026 708<\/sup> = 576,480,100,000,000 possibilities. <\/p>\n\n\n\n That is a significant number for sure. But keep in mind that our machine can guess 10 trillion passwords per second. That means it would have guess every possible combination in about 58 seconds. <\/p>\n\n\n\n This clearly rules out 8 character passwords with all combinations. What about 9, 10, 11, and so on?<\/p>\n\n\n\n 9 Characters long = 40,353,607,000,000,000 possibilities. 4,035 seconds or about 67 minutes to guess all possibilities. <\/p>\n\n\n\n 10 Characters long = 2,824,752,490,000,000,000 possibilities. 282,475 seconds or about 3.27 days to guess all possibilities. <\/p>\n\n\n\n 11 Characters long = 229 days to guess all possibilities. <\/p>\n\n\n\n 12 Characters long = 16,020 days to guess all possibilities or about 44 years. <\/p>\n\n\n\n You can see why I like to say 12 character long passwords is the bottom. But we can\u2019t stop there. If you\u2019re cracking these passwords you won\u2019t need to go through all possibilities, you\u2019ll find the password before that. So I like to divide the number in half.<\/p>\n\n\n\n With a 12 character long password using 70 different character possibilities it would be safe to assume at 10 trillion guesses per second they\u2019ll get it cracked in 22 years. It probably would be sooner than that if they upgrade their cracking computer. Hopefully by that time you\u2019ve changed the password to something else. <\/p>\n\n\n\n As shown in the example above, the longer the password, the longer it took to crack. Just adding one extra character to your password made it exponentially stronger. <\/p>\n\n\n\n At 11 characters it took 229 days to guess all the possibilities. When you add one more character, it jumped to 16,020 days to guess. That is a huge increase!<\/p>\n\n\n\n Go to 13 characters, and you get 3,071 years. <\/p>\n\n\n\n 14 Characters you get 215,035 years. <\/p>\n\n\n\n 15 Characters and you get 15,052,509 years to guess all possibilities. <\/p>\n\n\n\n Just one more character makes your password exponentially stronger!<\/p>\n\n\n\n Click Here to see our password strength calculator<\/a><\/strong><\/p>\n\n\n\n At this point, you might be wondering why not make all passwords 100 characters long? I mean it\u2019s not wrong, but there are cases where it doesn\u2019t make sense. <\/p>\n\n\n\n When we get to a password that is 30 characters long you end up with 71,462,714,935,612,700,000,000,000,000,000,000 years to guess all possibilities. No one is cracking that thing in anyone\u2019s lifetime. <\/p>\n\n\n\n At 30 characters long there is no real point to go any longer for the foreseeable future. (I wonder how well this will age in 10 years?<\/em>) The hackers have higher odds of phishing the password from you or writing a virus to grab it. <\/p>\n\n\n\n The only person you\u2019re hurting is yourself if you ever have to enter that password manually. This is why I don\u2019t like to go beyond 30 characters. There are still plenty of times where you\u2019ll have to enter your password (looking at you Netflix) manually. <\/p>\n\n\n\n If you don\u2019t have to ever manually enter a password and the site allows for long passwords then go for it. If your password manager can enter it for you, it won\u2019t matter how long your password is. <\/p>\n\n\n\n All this gets thrown out the window if your password is in a plain text breach. If the site for some dumb reason stored your password in plain text, it won\u2019t matter how long it is. It\u2019s been exposed and should never be used again. <\/p>\n\n\n\n As we can see from earlier, the longer the password, the more possibilities. It\u2019s within everyone\u2019s best interest to use long passwords because if one gets exposed, we still have a ton more options to pick from. <\/p>\n\n\n\n Passphrases are passwords \u201csentences.\u201d The most common example is the \u201ccorrect horse staple battery\u201d from xkcd<\/a>. <\/p>\n\n\n\n Passphrases are great because they\u2019re long and easy to remember. If you ever have to enter a password manually, you\u2019ll find a passphrase easier to deal with than say \u201c?Ujx%MfU<8X+vGFBMNQW+\u201d. <\/p>\n\n\n\nThe Character Set<\/h2>\n\n\n\n
The Possibilities!<\/h2>\n\n\n\n
Longer Passwords<\/h2>\n\n\n\n
Too Long of a Password<\/h2>\n\n\n\n
When Length Doesn\u2019t Matter<\/h2>\n\n\n\n
What About Passphrases?<\/h2>\n\n\n\n