Passwords: Length vs. complexity

* Reader's thoughts: Password length vs. complexity

A few weeks ago, I mentioned a contest that InfoWorld columnist Roger Grimes was having to prove that long passwords are just as good or better than complex passwords. Today, in a vacation edition of Virus and Bug Patch alert, I bring you responses from our subscribers on the issue of complexity vs. length.

But first, an update on Microsoft's "Patch Tuesday":

Microsoft fixes PowerPoint, Windows flaws

Microsoft has issued nine security updates addressing critical flaws in its Office and Windows products. The updates patch two worrisome PowerPoint flaws that could allow attackers to seize control of a PC, the company said Tuesday. IDG News Service, 08/09/06.

More information on the security updates can be found here.

Now on to our reader's thoughts: Password length vs. complexity

Ken S. writes:

"Your question of which is better, complexity or length or both, brings up some interesting perspectives. I believe it is both, but I also feel that, by human nature, there is a diminishing return at a certain point for both as well. I'm not sure I know what that point is, but I feel that at a certain length and complexity the human nature of the user will take over and they will look for ways to circumvent the password, either by writing it down or by finding a way to store it in clear text on their workstation or key fob. How strong is a long complex password in clear text posted on the terminal or transmitted across the network in the clear?"

Ken's right - any password left on a workstation or in the open is useless, no matter what the length or complexity.

Michael W. chimes in with:

"I'll weigh in with long being better than complex, and there are a couple of reasons.

1. Long passwords (non complex) are easier to remember and easier to type for everyone. I'd much rather type 'loginpasswordtoadministerserver' than '#@dm1n_4_5erv3r'. Nobody would forget their passwords, and we could remove the 'personal data' restrictions that we have now: 'mydogsnameisrover', 'myanniversaryisaugust82006' ... (long and mildly complex!)

2. Using unencryption routines, it doesn't matter if the password is complex or not. It only matters if you use a library attack first, before using a more complex method. At the point where the unencryption attack comes into play, it is strictly a matter of length of the password, not how complex it is. A longer password always takes longer to crack than a short one, complex or not.

Thanks for keeping us all thinking!"

My dog's name is Henry, so that rules out "mydogsnameishenry."

Kevin Z. says keep it simple:

"I've said this to many of my friends and co-workers. Utilize both complexity and length, but keep it simple. As we say in the military: KISS - keep it simple stupid.

Find a word, or saying, or something familiar to you. Then substitute numbers and other symbols for letters within your password. I'm sure you've seen this, but many users I've explained this to think it's great.

Example:

Jonny B. Goode = j0nny8g0Od3!"

That's pretty sw33t, if I say so mys31f.
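
Kevin's substitution scheme, seen from the guessing side, as an added example that is not from the column or from any of its correspondents: a rule-based guesser that applies a small constructed substitution table and suffix list to the base phrase and counts how many candidates that produces. The table, the suffix list and the plain string comparison are assumptions of the example; production crackers such as John the Ripper and hashcat ship much larger rule sets, so the count here is a lower bound on what such a rule set enumerates.

```python
"""Rule-based mangling of a base phrase: the cracker's view of 'j0nny8g0Od3!'.

Added example, not part of the original column. The substitution table and
suffix list are a small constructed rule set; real crackers ship far larger
ones, so the candidate counts here are lower bounds.
"""
import math
from itertools import product

# letter -> the characters a user might substitute for it (the letter itself first)
LEET = {"a": "a@4", "b": "b8", "e": "e3", "g": "g9", "i": "i1!", "l": "l1",
        "o": "o0O", "s": "s5$", "t": "t7"}
# digits or symbols users commonly append to satisfy a "special character" rule
SUFFIXES = ["", "!", "1", "123", "!!", "2006"]


def base_form(phrase: str) -> str:
    """Reduce a memorable phrase to the letters a user mangles:
    'Jonny B. Goode' -> 'jonnybgoode' (lowercase, spaces and punctuation dropped)."""
    return "".join(ch.lower() for ch in phrase if ch.isalnum())


def mangle(phrase: str):
    """Yield every candidate the rule set derives from `phrase`, in a fixed order:
    each substitution pattern, combined with every suffix."""
    options = [LEET.get(ch, ch) for ch in base_form(phrase)]
    for letters in product(*options):
        stem = "".join(letters)
        for suffix in SUFFIXES:
            yield stem + suffix


def candidate_count(phrase: str) -> int:
    """Size of the candidate set mangle() enumerates, computed without enumerating it."""
    count = 1
    for ch in base_form(phrase):
        count *= len(LEET.get(ch, ch))
    return count * len(SUFFIXES)


def guesses_until(phrase: str, target: str):
    """Number of candidates tried before `target` is produced, or None if never."""
    for n, candidate in enumerate(mangle(phrase), start=1):
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    phrase, pw = "Jonny B. Goode", "j0nny8g0Od3!"
    n = candidate_count(phrase)
    print(f"{n} candidates ({math.log2(n):.1f} bits) versus 95**{len(pw)} "
          f"({len(pw) * math.log2(95):.1f} bits) for a random string of the same length")
    print(f"{pw!r} is guess #{guesses_until(phrase, pw)}")
```

The interesting number is the ratio: the whole rule set over this phrase is a few thousand guesses, while a random 12-character string from the printable set would be 95^12. The rule set only helps a guesser who already has the base phrase (or the song title) in a word list, which is the assumption under which such tools are run.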

Mario M writes:

"I prefer lengthy passwords that are easy for me to remember. I use a combination of words and numbers. In reality there are only 4 words and one set of numbers that I use in different combinations. My most basic password is 9 characters; the longest is 19. Of course, this is within the limits of the application or service that I am using. I have discovered, with some distress, that some sites that require money transfers limit me to 8 characters and/or they are case sensitive. Remembering which letter is uppercase is a lot more work for me than remembering a possible combination using the 4 words and number that have a meaning for me. When I forget a password I know I can rely on the combination of the 4 words and numbers that I use. Should I ever feel compromised, I can select another set of words and a number that will be easy for me to remember. I recently changed the password to my primary e-mail account and for the first week I had to pay attention to what I typed. Afterward, it was second nature to me."

Four words used in random combinations sounds like a good plan for remembering. Better than using the SAME password for just about everything you do.

Brian K.'s answer:

"I contend that it is the combination of complexity and length that makes a strong password. Neither one alone will withstand attack.

While I agree that length greatly increases the actual number of possible passwords (mathematically), I do not agree that stringing together a series of words increases cracking time. The reason is that words and phrases can be inferred from their parts.

1. thequick*****fox*****over*******dog

2. happy********

3. merry*********

4. maryhada**********

In each example, the rest of the password can be guessed in seconds, so a password like #2 (happybirthday) can be brute-force cracked in under 26^5 attempts instead of 26^13."

What if you wrote each phrase in Pig Latin?

Allan M says:

"Both and with a minimum length only. Specifying exactly (10 or otherwise) limits the possibilities considerably. Imagine the difficulty a hacker would have if all passwords were variable length (with a minimum) and then padded to 128 or 256 bytes before being encrypted."

Katherine K. writes:

"I think both are best. A colleague uses one method which I haven't done myself yet but sounds excellent. He uses sentences since space is an allowed special character. Using sentences makes it easier to create longer passwords that are easy to remember but are probably much harder to guess."

Here's a password then: "Network World is great" or "I love the beach."

Finally, Scott W. gives a long-form answer:

"Grimes is right on when he suggests that length is more of a factor than complexity. Attached is a graph showing how quickly three password character sets grow in possible combinations (logarithmic scale). I throw in a dictionary word set to illustrate another point about memorability.

I (personally) don't find a simple/long password any less daunting than a complex password, because for both to be effective the characters have to be somewhat randomly ordered. Even if we reduce the set of characters to 28 (lowercase alphas plus space and period), a long random string of those isn't much better than a slightly shorter but more complex password.

A "simple" password should be memorable, possibly using some word combinations (e.g. PayPal's password generating system used to be two dictionary words glued together with a couple of punctuation or digit characters--it may still be).

When this is the case, the "character set" (each word in the lexicon effectively becomes a character) is about 50K and has a solution space that grows much more quickly than single character password sets.

That is, a password that uses 5 random dictionary words (5-7 characters each) is roughly as strong as a 16-character password from a randomly generated small (28-character) set. Adding one more word (6 words) is roughly equivalent to a 19-character (28-character set) or 14-character (95-character set) password.

Character for character, however (this is where the graph is misleading), the dictionary set is far longer (25-35 total characters) than the 19 random characters from the small set, but the dictionary set will likely be far more memorable than random characters, which a good password should be. Throw in an intentional typo or two with a 4-word passphrase and you've got yourself a statistically tough one with few wasted brain cycles.

Fwiw, the old PayPal system (2 medium length dictionary words plus 1 random character) has a solution space roughly that of a 5 character complex password (that is, not very strong)."
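
The figures Brian K. and Scott W. work with, as an added example that is not code from the column or from any of its correspondents: a search-space calculator for the character-based and word-based schemes mentioned in the replies, plus a word-concatenation guesser over a small constructed word list that shows Brian's point in practice (the "library attack" Michael W. mentions). The example assumes a 50,000-word lexicon and the 26-, 28- and 95-symbol character sets the readers cite, an attacker who knows the scheme but not the choices, and an unsalted SHA-256 hash standing in for whatever the target system stores; the word list is constructed and far smaller than a real one.

```python
"""Search-space arithmetic for the password schemes the replies above discuss.

Added example, not part of the original column. The 50,000-word lexicon and
the 26/28/95-symbol character sets are the figures the readers quote; the
word list used by the guesser below is constructed for this example.
"""
import hashlib
import math
from itertools import product

LEXICON = 50_000                               # words in the attacker's dictionary (Scott W.'s figure)
LOWER, LOWER_SP_DOT, PRINTABLE = 26, 28, 95    # character-set sizes the replies use


def space_bits(symbols: int, count: int) -> float:
    """log2 of the number of passwords made of `count` symbols, each drawn from a
    set of `symbols` choices. Worst-case guesses for a scheme-aware attacker = 2**bits."""
    return count * math.log2(symbols)


def scheme_table() -> dict:
    """Bits of search space for each scheme mentioned in the replies.

    The attacker is assumed to know the scheme (word-based or character-based)
    but not the particular choices, so a dictionary word counts as one symbol."""
    return {
        # Brian K.'s "happybirthday", viewed three ways
        "13 random lowercase chars": space_bits(LOWER, 13),
        "2 lexicon words": space_bits(LEXICON, 2),
        "5 lowercase chars (prefix 'happy' known)": space_bits(LOWER, 5),
        # Scott W.'s equivalences
        "5 lexicon words": space_bits(LEXICON, 5),
        "16 chars, 28-symbol set": space_bits(LOWER_SP_DOT, 16),
        "6 lexicon words": space_bits(LEXICON, 6),
        "19 chars, 28-symbol set": space_bits(LOWER_SP_DOT, 19),
        "14 chars, 95-symbol set": space_bits(PRINTABLE, 14),
        # the old PayPal generator: two words plus one random printable character
        "2 lexicon words + 1 printable": space_bits(LEXICON, 2) + space_bits(PRINTABLE, 1),
        "5 chars, 95-symbol set": space_bits(PRINTABLE, 5),
    }


# Constructed stand-in for a cracker's dictionary (a real one has tens of thousands of entries).
WORDS = ["happy", "merry", "birthday", "christmas", "holidays", "mary", "had",
         "a", "little", "lamb", "the", "quick", "brown", "fox"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash the target stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_word_concat(target_hash: str, words=WORDS, max_words: int = 4):
    """Guess concatenations of 1..max_words dictionary words and return
    (password, attempts), or (None, attempts) when the space is exhausted.

    Each word is a single symbol to the guesser, so the cost is bounded by
    sum(len(words)**n for n in 1..max_words), whatever the character length."""
    attempts = 0
    for n in range(1, max_words + 1):
        for combo in product(words, repeat=n):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    for name, bits in scheme_table().items():
        print(f"{name:45s} {bits:6.1f} bits")
    for pw in ("happybirthday", "thequickbrownfox"):
        found, tries = crack_word_concat(sha256_hex(pw))
        print(f"{pw}: found={found == pw} after {tries} guesses "
              f"(character brute force: 2**{space_bits(LOWER, len(pw)):.0f})")
```

The table lets a reader check the equivalences in the replies directly (five lexicon words and sixteen characters from the 28-symbol set both land near 77-78 bits), and the guesser shows why Brian's objection holds: the cost of a word-concatenation attack is set by the word count and the lexicon size, not by the character length of the result, so "thequickbrownfox" falls in a few tens of thousands of hashes rather than anything like 26^16.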

Thanks to everyone that wrote in. We'll be back to our normally scheduled programming next week.
