Password Complexity Misses the Point

Password “strength” is often just a function of complexity, or the amount of randomness in a password, measured by the use of symbols, numbers, and upper and lowercase. But adding a few different characters to your password doesn’t meaningfully increase its “strength,” despite what that deceptive green “strength” bar next to your password suggests. Complexity increases the difficulty of a brute force attack, but that sort of attack is uncommon. Instead, credential theft happens in massive data heists or leaks from large organizations. Password strength won’t help you if the attackers have your password in plain text.

Use Unique Passwords

Most folks are hugely vulnerable to something called “credential stuffing”: compromised credentials are tried on popular platforms to exploit the human tendency for password reuse. That’s a far greater danger than a “weak” password. After all, one “super strong,” completely random password reused on every platform would become disastrous after one leak. Rather than thinking of password strength as a singular property, we need to think of the strength of your authentication system. Modern passwords create that system and must be considered as such. Using unique passwords is far easier with a password manager, so get started with one today if you haven’t already.

Length Is More Important than Complexity

For years we’ve been trained to think of complexity as a password’s most important factor. And while we know brute force attacks are rare, complexity isn’t even the best defense against brute force cracking: length is actually far more important. Password length has an exponential relationship with cracking time, so moderate increases in length can yield massive increases in cracking time. Complexity, on the other hand, has a more linear relationship with cracking time. Take this example: A high-performance cracking machine can break a complex-looking password like *nRyU86) in as little as eighty minutes. Increasing the length by a single uppercase letter stretches that time to nearly thirth-six hours, while changing a letter to a symbol provides no meaningful change in cracking time. Let’s take full advantage of length’s exponential powers. What about a four-word passphrase, using known dictionary words and totaling sixteen characters in length? Even when accounting for dictionary attacks (attacks that use a database of known words to guess passwords instead of randomly generating guesses), it would still take ninety billion years to crack the password. Forget complexity. The best passwords are actually pass-phrases. You could never remember a similarly-strong complex password. But brains love funny stories and surprising images. If you generate an absurdly memorable story for a randomly-generated phrase, you’ll have a hard time forgetting it. Truly random pass-phrase generation is critical. Choosing words related to yourself, like your birth month, will make the passphrase easier to guess. Use EFF’s Password Dice to generate random pass-phrases safely and securely.

Turn on All Two-Factor Authentication Systems

All systems leak. Password strength won’t save you. So how can you defend yourself? Two-factor authentication (2FA) systems provide an extra layer of security. 2FA asks for two types of credentials: something you know (i.e. your password) and something you have (i.e. your phone). In most 2FA systems, these codes are generated by a remote server. The server sends the active code to the user at login time. Unfortunately, attackers can intercept SMS codes with relative ease through SIM-card cloning. To prevent this eavesdropping, generate codes on your mobile device with a 2FA app like Authy, Google Authenticator, or a password manager with 2FA support like 1Password.

Conclusion

The “strength” of a single password is a red herring. A strong system of authentication is more important. Leaks and data theft inevitably happen. Unique passwords keep the damage contained. Two-factor authentication can reduce the damage of stolen credentials to zero.