How long your password needs to be to really thwart hackers

The easiest way to upgrade your security: Add more characters to your password

Time and again we've seen that the username-password model of security isn't very secure. In its latest exposé, Ars Technica showed how 90 percent of passwords are quickly made into mincemeat. But until we have electronic tattoos and password pills, we're stuck with the same old password problem. How do you make your password more secure?

The easiest answer is to just make it longer. While 6-character passwords containing mixed characters and numbers might once have been considered secure, crackers these days can guess them in minutes using brute force, thanks to improved technology. According to the Ars article:

Gosney's first stage cracked 10,233 hashes, or 62 percent of the leaked list, in just 16 minutes. It started with a brute-force crack for all passwords containing one to six characters, meaning his computer tried every possible combination starting with "a" and ending with "//////." Because guesses have a maximum length of six and are comprised of 95 characters—that's 26 lower-case letters, 26 upper-case letters, 10 digits, and 33 symbols—there are a manageable number of total guesses. This is calculated by adding the sum of $95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95$. It took him just two minutes and 32 seconds to complete the round, and it yielded the first 1,316 plains of the exercise.

Longer passwords of seven to eight characters take more time, but not that much more time. Mere seconds, in fact.

The good news is that, with current technology, passwords 11 or more characters long are exponentially harder to crack by brute force. So Ars' recommendation to readers is to "make sure their passwords are a minimum of 11 characters, contain upper- and lower-case letters, numbers, and letters, and aren't part of a pattern." To make your password even stronger, make it as long as possible (at least 11 characters) and truly random, and avoid dictionary phrases too. Yes, that even includes "correct horse battery staple."


A password manager, such as LastPass, 1Password, KeePass, or Apple's new built-into-Safari password manager, can generate a long and strong password for you and save it for future reference, so you don't have to keep doing that whole password reset dance and can keep hackers out of your important accounts.
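An added example (not from the original article or from Ars Technica) that works through the arithmetic in the quoted passage and generates the kind of long, random password the recommendation and a password manager's generator aim for. It assumes an exhaustive search over all 95 characters at the guess rate implied by the quoted two minutes and 32 seconds; the function names are illustrative.

```python
import secrets
import string

# The 95 printable ASCII characters the quoted passage counts:
# 26 lower-case + 26 upper-case + 10 digits + 33 symbols (space included).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}
ALPHABET = "".join(CLASSES.values())


def keyspace(max_len, alphabet_size=len(ALPHABET)):
    """Candidates of length 1..max_len: 95^1 + 95^2 + ... + 95^max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


# Assumption: rate derived from the quoted figures (the one-to-six character
# round took 2 min 32 s = 152 s). It is not a measured benchmark.
IMPLIED_RATE = keyspace(6) / 152  # guesses per second


def exhaustive_seconds(max_len, rate=IMPLIED_RATE):
    """Worst-case time to try every candidate up to max_len at `rate`."""
    return keyspace(max_len) / rate


def generate(length=11):
    """Random password from a CSPRNG with every character class present."""
    if length < 11:
        raise ValueError("the article's minimum is 11 characters")
    while True:  # redraw until all four classes appear
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in chars for c in pw) for chars in CLASSES.values()):
            return pw


if __name__ == "__main__":
    year = 365 * 24 * 3600
    for n in (6, 11, 16):
        t = exhaustive_seconds(n)
        print(f"<= {n:2d} chars: {keyspace(n):.3e} candidates, "
              f"{t:.3e} s ({t / year:.3e} years)")
    print("generated:", generate(16))
```
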

Read more of Melanie Pinola’s Tech IT Out blog and follow the latest IT news at ITworld. Follow Melanie on Twitter at @melaniepinola. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
