Long Passwords Versus Complex Passwords: Which Is Superior?

Let's face it, when it comes to login authentication, there isn't a more used tool than the good old password. It doesn't matter if you're trying to login into your email account, your smartphone, your PayPal account, or your World of Warcraft account, wherever you're going you're going to use a password, and it's probably weak. The problem is that the average user uses predictable patterns, words, or dates and almost never changes it. As a consequence, most websites and apps have added requirements towards user passwords. These days you can't create a password without fulfilling a minimum length requirement, as well as use upper and lower case letters, symbols, and/or numbers, and for good reason. Whether you are aware of it or not, most websites, accounts (like your bank account), social networks, and e-mails are probed and tested by malicious third parties on a daily basis. It's not just you who is affected either, a single hacked account can be the gateway for a whole campaign, such as phishing email scams that are all but commonplace in recent years. In this day and age, secure passwords are more important than ever.

But which is more important, length or complexity?

Complexity is more often than not regarded as a key aspect of a secure password. A random collection of numbers, letters, and symbols looks like the best defensive measure against hackers. Malware using dictionary-style hacks can't figure out what word or word combination you used in such a configuration, but are they truly the most effective defense against all hacking attacks? Short answer: no. Because users tend to think the more complex the password, the less likely it is an attacker can figure it out, they often create short passwords. Because of this, a malware tool can brute force its way through your security by rapidly attempting all possible key combinations until it gets lucky. This sort of brute force tactic was used to hack iCloud and leak the private photos and information of hundreds of celebrities. Such methods have become increasingly effective thanks to the increase in short, but complex passwords, because most users cannot remember strings or random numbers and symbols they tend to use predictable patterns such as adjacent keys or consecutive numbers.

Lengthy passwords seem necessary then, don't they? The longer the password the greater the so-called "password entropy", a measurement of how unpredictable a password is. Basically, each extra key added to your password increases its uncertainty and makes it more secure.

"When looking at passwords in this light, it really starts to become clear how much more important the password length is, as opposed to the defined complexity requirements.  To further this point, if you're using passwords with a character set of 10 (only numbers), in order to achieve the same amount of entropy as a character set of 94 (all possible ASCII characters), you only have the double the password's length.  To say it another way, a password that is 16 characters long made up of only numbers provides the same level of difficultly-to-crack as an 8 character password made up of the possible 94 possible characters," a Microsoft TechNet blog notes.

So what is the optimal length for a reasonably secure password? The Georgia Tech Research Institute conducted a study back in 2010, which discovered a minimum of 12 random characters could be the minimum length for adequate security.

However, don't be lulled into a false sense of security just because your password is 35 characters. While it's true that the longer a password the better its password entropy is, and that long phrases might be simple to remember than random numbers and symbols, it's also true that people tend to use familiar words and phrases, such as names, dates, events, etc. While these familiar words and phrases might help you remember your password, they also make it that much easier for a hacker to figure out.

Other factors

Rest assured that even the most secure password will not be effective if you write it down and keep it where someone might find it. Other bad habits like saving your password to browsers should be avoided by users as well. Whatever you do don't share your password with anyone, and remember that it's important to change your password frequently.

In conclusion

It looks like the best choice is a long string of random letters, numbers, and symbols, basically the best of both worlds. Additionally, security experts recommend the addition of upper and lower case letters, spaces, intentional misspelling, punctuation and other tricks. No password is 100% secure, but following these guidelines will increase its strength.