Which is better for password security, length or complexity?


Debate over coffee this morning was which is superior, a password that is very lengthy (15+ characters) or very complex (use of symbols like #, $, %, ^)? I realize that either is far superior to the average password, but which would be the more secure choice?

Topic: Security


4 total
Vote Up (25)

I suggest using both. Why do just one or the other? Make your passwords as difficult as possible for somebody to mess with.

Here are some links on how to create strong passwords:

Create strong passwords

Password Protection: How to Create Strong Passwords

How To Create Strong Passwords That You Can Remember Easily

Vote Up (25)

Ahh, the never ending debate! If you use an app to keep track of passwords, you can do the long/complex thing pretty easily. But if you need strong passwords that are also something you can recall from memory, you might want to try taking song lyrics, and use the first letter of each word. For example, "Yankee doodle went to town, riding on a pony. Stuck a feather in his hat and called it macaroni," would be Ydwttroap!safihhacim! I added the exclamations because a rousing song like that just demands them, and it adds slightly to the security of the p/w. That should be a handful for most brute force attacks to handle, yet it remains easy to recall without the need for a password manager. Different songs for different accounts is also wise. I find Rage Against the Machine works well for banking!

Vote Up (25)

Why not use both complexity and length?


I use the KeePass app to save login info and copy it between my laptop and phone, and desktop when I use one. I use it because I possess the data, it's not in the cloud somewhere - I also have it on a USB stick (and yes, it is password-protected too). Some devs will give you an exported KeePass db and its password separately when transferring sensitive logins (db connections, superusers etc).


KeePass also tells you how secure a password is before you save it:


DxitLOazKJEGvjo 15 letters is 86 bits

8ZzEm6IMON4H0su adding numerals is not much more secure, 87 bits

jIsrk;QRlq8@&Bi adding special characters is 99 bits


C1!x0 reducing that to 5 characters it's 32 bits

kNJWt letters only is 29 bits, so for a short PW the complexity is not adding much


explain xkcd says length is more important than complexity; and that was demonstrated by my examples


more info on Wikipedia
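An added example, not part of the answer above and not KeePass code: the naive brute-force model (length × log2 of the character-pool size) applied to the five passwords quoted in that answer. It assumes every character is drawn uniformly at random from the classes present; KeePass's quoted figures differ by a few bits, so its estimator is evidently not this exact formula.

```python
import math
import string

# Character classes of the naive pool model (assumption: uniform random choice).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)  # 26 + 26 + 10 + 32 = 94

def pool_size(password):
    """Size of the alphabet an attacker must cover to brute-force this password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside printable ASCII punctuation/alphanumerics (space,
    # Unicode) are counted individually rather than guessing a class size.
    extras = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(extras)

def brute_force_bits(password):
    """Upper-bound entropy in bits: length * log2(pool). Human-chosen
    passwords (words, patterns) are weaker than this figure suggests."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool > 1 else 0.0

def length_for_bits(target_bits, pool):
    """Shortest random password over `pool` symbols reaching target_bits."""
    if pool < 2:
        raise ValueError("pool must contain at least two symbols")
    return math.ceil(target_bits / math.log2(pool))

# Passwords quoted in the answer above.
SAMPLES = ["DxitLOazKJEGvjo", "8ZzEm6IMON4H0su", "jIsrk;QRlq8@&Bi",
           "C1!x0", "kNJWt"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:<16} len={len(pw):>2} pool={pool_size(pw):>2} "
              f"bits={brute_force_bits(pw):5.1f}")
    # How many plain letters match the 15-character password with symbols?
    target = brute_force_bits("jIsrk;QRlq8@&Bi")
    print("mixed-case letters needed:", length_for_bits(target, 52))
    print("lowercase letters needed: ", length_for_bits(target, 26))
```

Under this model the 15-character password with symbols is matched by 18 random mixed-case letters, which is the length-versus-complexity trade-off in concrete terms.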








Vote Up (20)

Strong Passwords should have

- a combination of upper case & lower case

- numbers

- special characters


Length: 8-15



Sandeep Seeram
