Skip to main content
Security Scorecard

Password Complexity Analyzed

Posted on October 8th, 2018

Experts traditionally agree passwords with more characters are more likely to be secure than those with fewer, even when those shorter passwords are technically more “complex”. Of course, longer passwords comprised of simple or easy to guess words are less likely to fall into this consideration. In 2017, the U.S. National Institute for Standards and Technology updated its password guidance advocating for longer “pass phrases” as opposed to shorter combinations of letters and numbers..

Of the more than 30 million hacked passwords we analyzed, 1 in 4 were exactly eight characters long. Still, even slightly longer passwords were exposed in large amounts. Nearly 13 percent were 9 characters long and more than 1 in 10 were 10 characters long. Accounts that were 11 characters or longer were the least common and the least likely to be exposed in this particular data breach according to our analysis.

While passwords that were uniquely short (between four and five characters) were also less likely to be exposed, many websites require passwords to be at least eight characters in length.

With so many requirements for secure passwords and sites that force you to update you login information on a routine basis, remembering passwords can be difficult. This struggle has even inspired software developers and tech companies to incorporate automated password management into their operating systems.

Still, some users may feel tempted to incorporate easy to remember words or phrases into their passwords to help make remembering them as easy as possible. In some cases, this includes matching your username as closely as possible to your password. While many sites won’t allow an exact copy and paste of the account user name into the password field, some users add subtle variations on their usernames to bypass these requirements. While convenient, this may be one of the most popular and dangerous password trends.

What makes a password more secure today isn’t necessarily how long it is or how many combinations of letter or symbols you use, it’s the guessability that really matters.

Complicated passwords often carry risks of their own. Because these amalgamations of words, symbols, and numbers are generally harder to recall than common words or phrases, they’re more likely to be written down in order to to remember them. Of course, password storage applications aren’t always the best solution and pose certain risks themselves.

And even if a site requires upper and lower case numbers, digits, or even symbols, most people have tendency to capitalize the first letter and add the numeral at the end making their passwords even easier to guess. Of the 30 million breached passwords we analyzed, nearly half were classified as “very guessable” requiring less than 1 million guesses by a software generator to expose. An an example of a “very guessable” password would be something like “iloveyou123” where none of the letters were capitalized the numbers were added in a consecutive nature. As this calculator helps visualize, brute force password hacking softwares often process millions of combinations every hour.

Of the passwords exposed in this breach, less than 7 million combined were either safely unguessable (like “123iloveyou123?”) or very unguessable (“MypasswordisiloveYou123”) requiring 10 trillion guesses or more to crack.

Return to Blog
Join us in making the world a safer place.