Privacy: Should Passwords Be Complicated? Or Just Long?

You know the routine: you set up a new account and you are asked for a password. The password you choose must be suitably complex or you can let the site choose a password for you, full of numbers and special characters and impossible to remember.

What if you were to use a series of unrelated words instead of a password such as “%wT65g17&”? The Federal Bureau of Investigation (FBI) thinks that could be a better choice. They recommend combining multiple words into a long string of at least 15 characters.

For example, the site says that the passphrase “embassy praising expire owl” would take hackers 34,084,573 centuries to crack, as opposed to seconds or milliseconds for most commonly used types of passwords (e.g., 18 milliseconds to crack “december”). The site features a password generator that will generate a four-, five- or twelve-random word password, and tell you how long it would take to crack.

Why do they think this approach would work? You might picture a hacker as a guy in a hoodie, hunched over a keyboard entering password attempt after password attempt; but in reality, the bad guys actually use scripts that quickly run through massive numbers of passwords. According to the site, the method for cracking passwords might look something like this:

The hackers start with a bunch of wordlists. The top 10 million passwords is one. Also, lists of all English words, all names, dates, and so on. In less than one second, 30% of all passwords will be cracked.
The next step is to try all of the words again with common substitutions: capitalizing the first letter (december → December), making common letter-for-number swaps (december → d3cemb3r), and other common variations.
After that, they start combining the previous wordlists. Name + date (doug3251983). Name + [separator] + date (doug.3251983).

If all else fails, the final step is a brute force attack, i.e., try every combination of characters. Try a, then b, then c … eventually aa, ab, ac … eventually 6j2b#hi8, 6j2b#hi9, 6j2b#hi0, et cetera.
As the online comic strip xkcd says, “Through 20 years of effort we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”

Of course, some sites will not let you use a password that doesn’t include capital letters, numbers and/or special characters. In that case, your best bet is probably to use a password manager. Password managers will generate secure passwords as needed and store all of your passwords for you so that you can use them across devices. Many people find this to be the easiest solution.

However, if you need to generate a password that, for whatever reason, you need to remember, you would be wise to follow the advice of the FBI and create passphrases of about four words and at least 15 characters. “mambo tango mister denim” would take 2,303,286 centuries to crack. That seems pretty secure to me!