Length Versus Complexity: The Great Password Debate Rages On

Microsoft tossed some fire starter on an ongoing debate about passwords when it launched its Hotmail replacement, Outlook.com., last month.

Sophos consultant Graham Cluley got the ball rolling when he compared Outlook webmail with competitors Yahoo and Gmail. While Outlook caps its password lengths at 16 characters, he wrote, Yahoo’s upper limit is 32 and Google’s a whopping 200.

“[I]t’s a shame to see the new Outlook.com miss an opportunity to encourage the use of longer passwords,” Cluley wrote. “Anything which encourages users to choose hard-to-crack, hard-to-guess, unique passwords is good in my book.”

There are those who would argue, however, that the complexity of a password is more important than its length. A password like 123456789012345678901234567890, for example, has a 50 percent “good” rating, according to The Password Meter, a website with a tool for measuring password strength. Yet, the much shorter password $dE&aC!on has an 88 percent “very strong” rating.

Of course, a combination of a short password with a limited character set is the worst of all, although a path many users still choose, as a study of some 6.5 million passwords clipped from LinkedIn in June showed. In that analysis, researcher Francois Pesce cracked just over 200,000 numeric passwords—75 percent of them either six or eight digit passwords.

“Choosing a purely numeric password is usually a horrible idea, because even for eight-digit numeric passwords, it only takes a few seconds to generate the SHA-1 hashes for the 100 million (10^8) possible combinations,” he wrote.

There are those who argue, however, that length is more important than complexity for practical reasons. There are 94 characters that can be used to create a password on a Qwerty keyboard, explained Microsoft security expert Roger A. Grimes writing in InfoWorld. If users obeyed the rules of complexity, those characters could be used to create short passwords (eight character minimum) that are uncrackable. The problem is most people use the same 32 characters and ignore complexity.

Moreover, Grimes continued, most users follow language conventions when they create passwords. They use words, for example, that appear in the dictionary. They capitalize the first letter in the password and tack numbers to the end of it. “[A] simple hybrid attack will break most of them in a day,” Grimes declared.

“So, when trying to increase the strength of your passwords, my advice is to consider length as much or more than you consider complexity,” he wrote. “For my money, length is all the protection I need. Make your admin and root passwords 15 or more characters long and forget about complexity —at 15 characters-plus, they are all but uncrackable.”

For skeptics of the size school, McAfee offers this example. A seven-character password with at least an uppercase letter, lowercase letter, digit and symbol presents a cracker with 6.7e16 (that’s 6.7 followed by 16 zeroes) possible combinations. A longer password—15 characters—with simpler requirements—all lowercase letters and no dictionary words—presents the cracker with 1.7e21 combinations. Which do you think is easier to crack?

Of course, there are security experts who find the password debate just an interesting sideshow. Most hackers are less concerned with cracking passwords than stealing them in the form of plaintext, they maintain. No matter how strong a password is, they reason, it’ll never be strong enough if it’s delivered to an information bottom feeder on a silicon platter.

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe


  1. David Black · September 15, 2012

    Of course, the longer, the better but 16 characters, if used properly, are enough for a moderately secure password. Longer passwords are a burden for the user and when hackers manage to steal passwords, it makes no difference if the password is 6 or 60 symbols, so 16 characters is an acceptable trade-off.

  2. Kevin · September 19, 2012

    Creating a very strong password is actually not that easy. First it should be a combination of both length and complexity. Second, even if it’s “complicated,” it’s something you can never forget. Otherwise, it may be difficult to retrieve your password or worse you may never get it ever again, especially if you don’t have an alternate e-mail address where the new password may be delivered. Third, it’s ideal if you don’t use the same password to all your login accounts. It’s very easy for hackers to open the rest once he get to use the correct password in any of your accounts.

  3. Stephanie Lawson · September 19, 2012

    As for me, it doesn’t really matter if it’s long or complex. The most important thing is it’s hard to decipher. But there’s one potential issue with that one. Like what happened to me a few months ago, I forgot about my new password because it’s too long and complex. The good thing is I still remember the answer to my security question. I also don’t believe in that meter thing, though it has a good point. It’s also important for everyone to change their passwords regularly, like every 3 months and NEVER SHARE THEM WITH OTHERS, even to supposed friends and family members. After all, your e-mail is your personal space.

  4. Mark Williams · September 23, 2012

    I think that the best password is a mixture of both. On its own, every one of them is actually good. But I think it’s also essential to remember that the reason why you have passwords is because you don’t want others to intrude into your virtual privacy. So you shouldn’t just hide the key underneath the flower pot. In other words, you don’t make things easy for the hackers to decode your password. Alphanumeric with some special characters (if the login process allows it) is for me the most ideal. Skip the birthdays, name of your sweetheart, pet’s name, phone number, anything that is immediately relatable to you.

  5. Bryan · September 23, 2012

    The last line in the image above basically gives us the best idea of what a strong password is. It should be composed of not only letters but also numbers. In fact, we should also throw in some string of characters into the mix. Why? Because hackers these days are so smart. Believe me when I say that they do have special tools that can decode your password, especially if they’re short. And listen to email creators if they say you should avoid using your name or whatever personal information you has as a password. Also, clean cookies particularly if someone uses your PC or laptop.

  6. Deborah Kern · October 1, 2012

    I like a combination of both. After all, the main purpose of having a password is to prevent anyone from accessing your private account. However, more than the creation of the password, people should also learn to safeguard it. Once someone gets to see or know about it, the strength of the password goes out the window, and your account becomes open to a lot of risks. I know some people may tell you to keep a list of passwords and store it in places others do not know, the best decision is to still not write it in anything.

Leave A Reply