Which is better for password security, length or complexity?

henyfoxe

Debate over coffee this morning was which is superior, a password that is very lengthy (15+ characters) or very complex (use of symbols like #,$,%,^)? I realize that either is far superior to the average password, but which would be the more secure choice?

Topic: Security

Answers

4 total
jimlynch
Vote Up (25)

I suggest using both. Why do just one or the other? Make your passwords as difficult as possible for somebody to mess with.

Here are some links on how to create strong passwords:

Create strong passwords
http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Password Protection: How to Create Strong Passwords
http://www.pcmag.com/article2/0,2817,2368484,00.asp

How To Create Strong Passwords That You Can Remember Easily
http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-...

dblacharski
Vote Up (25)

Ahh, the never ending debate! If you use an app to keep track of passwords, you can do the long/complex thing pretty easily. But if you need strong passwords that are also something you can recall from memory, you might want to try taking song lyrics, and use the first letter of each word. For example, "Yankee doodle went to town, riding on a pony. Stuck a feather in his hat and called it macaroni," would be Ydwttroap!safihhacim! I added the exclamations because a rousing song like that just demands them, and it adds slightly to the security of the p/w. That should be a handful for most brute force attacks to handle, yet it remains easy to recall without the need for a password manager. Different songs for different accounts is also wise. I find Rage Against the Machine works well for banking!

decibel.places
Vote Up (25)

Why not use both complexity and length?

I use the KeePass app to save login info and copy it between my laptop and phone, and desktop when I use one. I use it because I possess the data, it's not in the cloud somewhere - I also have it on a USB stick (and yes, it is password-protected too). Some devs will give you an exported KeePass db and its password separately when transferring sensitive logins (db connections, superusers etc).

KeePass also tells you how secure a password is before you save it:

- DxitLOazKJEGvjo: 15 letters is 86 bits
- 8ZzEm6IMON4H0su: adding numerals is not much more secure, 87 bits
- jIsrk;QRlq8@&Bi: adding special characters is 99 bits

- C1!x0: reducing that to 5 characters, it's 32 bits
- kNJWt: letters only is 29 bits, so for a short PW the complexity is not adding much

explain xkcd says length is more important than complexity; and that was demonstrated by my examples

more info on Wikipedia
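The KeePass figures quoted in this answer line up with the simplest brute-force entropy model, length times log2 of the alphabet size. The following is an added example, not code from the page or from KeePass: it assumes a naive "union of character classes" alphabet (52 letters, 10 digits, 32 ASCII punctuation marks), which is why its results land within a bit or two of the quoted numbers (KeePass also applies pattern penalties, which this does not model). It also shows how many random letters it takes to match a shorter password drawn from the full character set.

```python
import math
import string

# Character classes the naive estimator recognises (assumption: a password
# manager does something similar before applying repetition/pattern penalties).
CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),   # 26
    ("upper", frozenset(string.ascii_uppercase)),   # 26
    ("digit", frozenset(string.digits)),            # 10
    ("symbol", frozenset(string.punctuation)),      # 32
)


def charset_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    return sum(len(chars) for _, chars in CLASSES
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Naive brute-force entropy log2(N ** L): assumes each character was
    chosen uniformly at random from an alphabet of size N."""
    n = charset_size(password)
    if not password or n == 0:
        return 0.0
    return len(password) * math.log2(n)


def letters_needed_to_match(bits: float) -> int:
    """Length of a random letters-only (52-symbol) password reaching `bits`."""
    return math.ceil(bits / math.log2(52))


if __name__ == "__main__":
    # Sample passwords constructed from the ones quoted in the answer above.
    for pw in ("DxitLOazKJEGvjo", "8ZzEm6IMON4H0su", "jIsrk;QRlq8@&Bi",
               "C1!x0", "kNJWt"):
        print(f"{pw:<16} N={charset_size(pw):<3} {entropy_bits(pw):5.1f} bits")
    full = entropy_bits("jIsrk;QRlq8@&Bi")
    # Three extra letters buy back everything the symbols added.
    print("letters-only length needed to match:", letters_needed_to_match(full))
```

Each extra letter adds about 5.7 bits regardless of the mix, so a short password cannot buy much security from symbols alone, which is the point the five-character examples make.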

sandeepseeram
Vote Up (20)

Strong Passwords should have

- a combination of upper case & lower case
- numbers
- special characters

Length: 8-15

Sandeep Seeram
