Thoughts on creating more secure passwords

After recently spending time creating an application to take words or phrases and turning them into password suggestions, I thought I would share.

Long passwords are in general more secure than short ones. However, it also depends on how a long password is put together. It is much easier to remember a long phrase than a short, random password.

It turns out that most computer users have been taught to use passwords that are hard for them to remember. But those types of passwords are actually easier for programs to figure out. So, why bother with random passwords at all?

Take the following password phrase and change it up a few ways:

This is a test – plain text
Th1s1s@t3st – change i to 1, a to @ and e to 3
testisThisa – shuffle the phrase
#06Thisisatest17* – add #month and year* to the phrase
#06Tiat17* – first letter of each word

What we find is that the first and fourth passwords are the strongest and are easy to remember.
Using a password strength tool like zxcvbn, the results are below. This tester checks the characters in the password and also looks up words in a large dictionary. In the first example, a computer would have to check up to 1,000,000,000,000 (10^12) different guesses to find the correct phrase.

This is a test = 10^12 guesses, score 4 of 4 (14 characters)
Th1s1s@t3st = 10^9 guesses, score 3 of 4 (11 characters)
testisThisa = 10^8 guesses, score 3 of 4 (11 characters)
#06Thisisatest17* = 10^16 guesses, score 4 of 4 (17 characters)
#06Tiat17* = 10^10 guesses, score 3 of 4 (10 characters)

You can see a direct relationship between the length of the password and how hard it is to guess.

Microsoft limits passwords to between 8 and 16 characters.
Yahoo used to allow really long passwords, but now 32 characters is the maximum.

So, the recommendation is to use a phrase you can remember easily, but not one that others would know about. For Microsoft logins or email you will have that 16 character limit, but you can use a long phrase and just pick the first letter of each word, then add text to both ends of the result. If you use something like the month and year above, your phrase can be up to 10 words long. Be sure to include upper and lower case letters.
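The five transformations listed above and the 16-character recipe in this paragraph, as an added example that is not the post's own application. The sample phrase "This is a test" and the month/year 06/17 are taken from the post's examples; the function names and the length check are mine.

```python
"""Phrase-to-password transformations from the post, plus a length check.

Added example, not the post's own tool. The phrase "This is a test" and the
June 2017 date are constructed to reproduce the post's sample outputs.
"""

LEET_MAP = {"i": "1", "a": "@", "e": "3"}   # the three substitutions the post applies


def squash(phrase: str) -> str:
    """Drop the spaces so the phrase fits sites that reject them."""
    return "".join(phrase.split())


def leet(phrase: str) -> str:
    """'This is a test' -> 'Th1s1s@t3st' (lowercase i/a/e only, as in the post)."""
    return "".join(LEET_MAP.get(c, c) for c in squash(phrase))


def reorder(phrase: str, order: list[int]) -> str:
    """Shuffle the words by an explicit permutation; [3, 1, 0, 2] gives 'testisThisa'."""
    words = phrase.split()
    if sorted(order) != list(range(len(words))):
        raise ValueError("order must be a permutation of the word indexes")
    return "".join(words[i] for i in order)


def with_date(phrase: str, month: int, year: int) -> str:
    """Wrap the squashed phrase as #MM...YY*, e.g. '#06Thisisatest17*'."""
    return f"#{month:02d}{squash(phrase)}{year % 100:02d}*"


def acronym(phrase: str) -> str:
    """First letter of each word, case kept: 'This is a test' -> 'Tiat'."""
    return "".join(w[0] for w in phrase.split())


def suggest(phrase: str, month: int, year: int, max_len: int = 16) -> str:
    """The post's recipe for a length-limited login: acronym plus #MM / YY* ends.

    Raises ValueError when the result would exceed max_len, so the caller finds
    out the phrase is too long before trying it against the site.
    """
    candidate = with_date(acronym(phrase), month, year)
    if len(candidate) > max_len:
        raise ValueError(f"{candidate!r} is {len(candidate)} chars; limit is {max_len}")
    return candidate


def fits(phrase: str, month: int, year: int, max_len: int = 16) -> bool:
    """True when the suggested password stays within the site's limit."""
    try:
        suggest(phrase, month, year, max_len)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    phrase = "This is a test"
    print(leet(phrase))                      # Th1s1s@t3st
    print(reorder(phrase, [3, 1, 0, 2]))     # testisThisa
    print(with_date(phrase, 6, 2017))        # #06Thisisatest17*
    print(suggest(phrase, 6, 2017))          # #06Tiat17*
    # With '#06' and '17*' on the ends, a 16-character limit leaves room for 10 words.
    print(fits(" ".join(["word"] * 10), 6, 2017), fits(" ".join(["word"] * 11), 6, 2017))
```

The `reorder` step takes an explicit permutation rather than a random shuffle so the result is reproducible; `fits` makes the "up to 10 words" budget from the paragraph concrete by checking the finished string against the limit instead of counting by hand.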

For more information on zxcvbn, which was created by a programmer at Dropbox, click here.

For another password test page, click here.
