Password Complexity
January 25, 2025
The idea sprang from a non-techy bureaucrat named Bill Burr in 2003. He was writing technical guidelines and thought it would just "make sense" if passwords had a mix of characters in them. Years later, he came out with his "I was wrong" statement. Unfortunately, we're still plagued with bogus password complexity requirements.
So what is it that really makes a good password? Length! Sure, your password shouldn't be "password" or some other simple word that's easy to guess. But making a password that's not easy for a person to guess is, well, easy. The harder part is making a password that's difficult for an automated program to derive, and that comes down to length.
A program that brute-forces a password by iterating through every possible combination simply cycles through all of the available characters. As an example, a password like "f+G49&jQ" is no more difficult for such a program to uncover than "password", because they're both 8 characters long. Such a password would take an automated script approximately 3 days to guess.
Every additional character makes the password exponentially more time consuming for an automated process to guess. A password that's 9 characters long instead of 8 will take many months instead of 3 days. Once you reach a password length of 20 characters, you start measuring the cracking time in centuries.
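The arithmetic behind those figures, as an added example that is not part of the original post: the brute-force search space is alphabet size raised to the password length, so each extra character multiplies the cracking time by the alphabet size. The guess rate is an assumption, back-calculated from the post's own "about 3 days for 8 characters" figure over a 95-character printable ASCII alphabet.

```python
# Added example (not from the original post). Assumptions: the attacker exhausts
# every string over a fixed alphabet, and the guess rate is calibrated so that an
# 8-character printable-ASCII password takes the 3 days the post describes.

PRINTABLE_ASCII = 95   # printable ASCII characters, the alphabet of "f+G49&jQ"
LETTERS_ONLY = 52      # upper + lower case, the alphabet of "TouchdownMortiseSafetyLathe"

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate strings a brute-force search must enumerate."""
    return alphabet_size ** length


def calibrated_guess_rate(days_for_8_chars: float = 3.0) -> float:
    """Guesses per second implied by '8 characters takes about 3 days' (assumption)."""
    return keyspace(8, PRINTABLE_ASCII) / (days_for_8_chars * SECONDS_PER_DAY)


def crack_time_seconds(password: str, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the keyspace for a password of this length.

    Only the length and the alphabet matter here: "password" and "f+G49&jQ" cost
    the same brute-force effort because both are 8 characters over the same alphabet.
    """
    return keyspace(len(password), alphabet_size) / guesses_per_second


def describe(seconds: float) -> str:
    """Coarse human-readable duration, enough to compare orders of magnitude."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    rate = calibrated_guess_rate()
    samples = [("password", PRINTABLE_ASCII), ("f+G49&jQ", PRINTABLE_ASCII),
               ("f+G49&jQ9", PRINTABLE_ASCII), ("x" * 20, PRINTABLE_ASCII),
               ("TouchdownMortiseSafetyLathe", LETTERS_ONLY)]
    for pw, alphabet in samples:
        print(f"{pw:30} {len(pw):2} chars  {describe(crack_time_seconds(pw, alphabet, rate))}")
```

Adding a ninth character multiplies the 3 days by 95 (about 285 days), which is the "many months" the text mentions; the 27-letter passphrase is astronomically out of reach even when the attacker only tries letters.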
So what is it that makes an ideal password?
- First, it needs to be hard for a person to guess. That means don't make your password "password", or your birthday, or your middle name or something basic like that. This part we already know.
- Second, it needs to be hard for a computer to guess. That doesn't mean complex, that means long. A phrase of multiple words is ideal.
- Third, it needs to be easy for you to remember. If you can't remember it, you're likely to write it on a sticky note or somewhere equally insecure.
The best way to generate a password that fits all of the above would be to take two of your hobbies, pick two words related to those hobbies, and smash them together into a phrase. If you like football and woodworking, then something like "TouchdownMortiseSafetyLathe" would be ideal. And because we still have to deal with those pesky complexity requirements of various sites, you might have to slap the number one and an exclamation point on there somewhere just to make the site happy.
Oh, and those requirements to rotate your password periodically? They're no good either.