Let’s be honest. Passwords are a hassle. If you spend a lot of time on the computer, either for your job or for relaxation, it’s likely you have many passwords.
Banks, forums, social media sites, hobby sites, news organizations, and gaming sites are just a few of the many passwords you may use during a typical week.
One of the hassles is the oft-repeated mantra to use plenty of symbols, capitals, punctuation and numbers in your password. Does all this alphabet soup really help? In general, complex passwords are harder to crack than simpler ones. And long passwords were thought to be more secure than shorter entries. Is that true?
Ars Technica recently took a close look at password security. Earlier this year, they examined the password rules at several firms. These companies tell their employees to follow a strict set of guidelines when creating passwords. For example, Charles Schwab has a maximum number of characters of eight. Evernote tells employees they can enter any character they want, just no spaces.
Then they examined different studies on password construction and length. In one study, the researchers fired two different cracking algorithms at 12,000 passwords. The report indicated two results. Frustration goes up the more complex a password is, but not so much with how long it is. Interestingly, the other thing they found was that some long, simple passwords were more secure than shorter, complex ones. In other words, password cracking pros are actually better at breaking short, complex passwords in many instances.
Well now, what about all that advice to make your password so complex it resembles a word from the Klingon dictionary? Why were long passwords often more secure, even if they were simpler in nature. One theory is that because not many sites require long passwords, the cracking algorithms do not have enough data on which to guess the password. Another idea is that the universe of long passwords is inherently larger, so even basic long passwords are less common than many short passwords.
Password rules required by websites and companies are all over the board. Sixteen characters is often a maximum number allowed, rather than a minimum, which would be inherently more secure. The Ars Technica data indicates long, simple passwords can be more secure than short, cryptic Klingon-alphabet passwords. So the next time you are entering a password, go long, not short.