Sophos consultant Graham Cluley got the ball rolling when he compared Outlook webmail with competitors Yahoo and Gmail. While Outlook caps its password lengths at 16 characters, he wrote, Yahoo’s upper limit is 32 and Google’s a whopping 200.
“[I]t’s a shame to see the new Outlook.com miss an opportunity to encourage the use of longer passwords,” Cluley wrote. “Anything which encourages users to choose hard-to-crack, hard-to-guess, unique passwords is good in my book.”
There are those who would argue, however, that the complexity of a password is more important than its length. A password like 123456789012345678901234567890, for example, has a 50 percent “good” rating, according to The Password Meter, a website with a tool for measuring password strength. Yet, the much shorter password $dE&aC!on has an 88 percent “very strong” rating.
Of course, a combination of a short password with a limited character set is the worst of all, although a path many users still choose, as a study of some 6.5 million passwords clipped from LinkedIn in June showed. In that analysis, researcher Francois Pesce cracked just over 200,000 numeric passwords—75 percent of them either six- or eight-digit passwords.
“Choosing a purely numeric password is usually a horrible idea, because even for eight-digit numeric passwords, it only takes a few seconds to generate the SHA-1 hashes for the 100 million (10^8) possible combinations,” he wrote.
There are those who argue, however, that length is more important than complexity for practical reasons. There are 94 characters that can be used to create a password on a Qwerty keyboard, explained Microsoft security expert Roger A. Grimes writing in InfoWorld. If users obeyed the rules of complexity, those characters could be used to create short passwords (eight character minimum) that are uncrackable. The problem is most people use the same 32 characters and ignore complexity.
Moreover, Grimes continued, most users follow language conventions when they create passwords. They use words, for example, that appear in the dictionary. They capitalize the first letter in the password and tack numbers to the end of it. “[A] simple hybrid attack will break most of them in a day,” Grimes declared.
“So, when trying to increase the strength of your passwords, my advice is to consider length as much or more than you consider complexity,” he wrote. “For my money, length is all the protection I need. Make your admin and root passwords 15 or more characters long and forget about complexity—at 15 characters-plus, they are all but uncrackable.”
For skeptics of the size school, McAfee offers this example. A seven-character password with at least an uppercase letter, lowercase letter, digit and symbol presents a cracker with 6.7e16 (that’s 6.7 times 10 to the 16th power) possible combinations. A longer password—15 characters—with simpler requirements—all lowercase letters and no dictionary words—presents the cracker with 1.7e21 combinations. Which do you think is easier to crack?
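The arithmetic behind the numeric-password point (10^8 eight-digit PINs) and the McAfee comparison above is easy to check for yourself. The script below is an added example, not code from the article or any of the vendors it quotes. It assumes the 94-character Qwerty set Grimes cites, split into 26 uppercase, 26 lowercase, 10 digits and 32 symbols, and uses a constructed guess rate of one billion guesses per second for a fast unsalted hash; the times it prints follow from those assumptions, not from the page. It also computes the exact count of passwords that contain at least one character from every class (inclusion–exclusion), which is what the "at least an uppercase letter, lowercase letter, digit and symbol" policy actually permits, rather than the looser 94^7 upper bound.

```python
import math
from itertools import combinations

# Assumed character classes on a US Qwerty keyboard (94 printable ASCII symbols).
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)

# Constructed assumption: guesses per second against a fast unsalted hash such as SHA-1.
ASSUMED_GUESSES_PER_SECOND = 1e9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def keyspace_with_all_classes(class_sizes, length: int) -> int:
    """Count passwords of `length` characters that use at least one symbol from every class.

    Inclusion-exclusion: start from all passwords over the union of the classes, subtract
    those missing one class, add back those missing two, and so on.
    """
    full = sum(class_sizes)
    total = 0
    for k in range(len(class_sizes) + 1):
        for excluded in combinations(range(len(class_sizes)), k):
            remaining = full - sum(class_sizes[i] for i in excluded)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(count: int) -> float:
    """Strength of a uniformly chosen password from `count` candidates, in bits."""
    return math.log2(count)


def seconds_to_exhaust(count: int, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return count / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def compare_policies():
    """Return (name, candidate count, bits, seconds to exhaust) for the policies discussed in the article."""
    policies = [
        ("8 digits, numeric only (LinkedIn study)", keyspace(DIGITS, 8)),
        ("7 chars, any of 94 symbols (upper bound)", keyspace(sum(CLASSES), 7)),
        ("7 chars, at least one of each class", keyspace_with_all_classes(CLASSES, 7)),
        ("15 chars, lowercase only (McAfee example)", keyspace(LOWER, 15)),
    ]
    return [(name, n, entropy_bits(n), seconds_to_exhaust(n)) for name, n in policies]


if __name__ == "__main__":
    for name, n, bits, secs in compare_policies():
        print(f"{name:45s} {n:.2e} candidates  {bits:5.1f} bits  {human_time(secs)}")
```

Run as a script it prints one line per policy; the eight-digit numeric space is exhausted in a fraction of a second at the assumed rate, while the 15-character lowercase space takes tens of thousands of years, which is the point both Pesce and McAfee are making. Note that "no dictionary words" in the McAfee example would reduce the 26^15 count slightly, and that a real attacker who guesses in likelihood order (common words, capital-first, digits-last, as Grimes describes) finishes far sooner than a uniform brute force against human-chosen passwords; the figures here are the ceiling, not the typical cost.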
Of course, there are security experts who find the password debate just an interesting sideshow. Most hackers are less concerned with cracking passwords than stealing them in the form of plaintext, they maintain. No matter how strong a password is, they reason, it’ll never be strong enough if it’s delivered to an information bottom feeder on a silicon platter.