How Password Constraints Give You a False Sense of Security

November 24, 2018

The next time you're forced to make a password, especially if a site requires you to use a combination of uppercase and lowercase letters, or a number, or a symbol, don't assume that these composition rules automatically make your password strong.

Randy Abrams, a senior security analyst at Webroot, worked through some simple arithmetic. He counted all the possible eight-character passwords drawn from the 95 printable ASCII characters: digits, uppercase and lowercase letters, and symbols. (That's 95^8 possible combinations, which comes out to 6,634,204,312,890,625, or 6.6 quadrillion passwords.)

Let's assume that someone is trying to recover your password with a plain brute-force attack, trying every combination in turn. Assume they can test about 31 billion passwords per second (a rate only achievable offline against a stolen password hash, not against a login form). Exhausting the pool for your reasonably complicated eight-character password would take, at most, 212,903 seconds. That's 3,548 minutes, or roughly two and a half days; on average the password falls in half that time.

Now, let's talk about constraints for a minute. Assume that the service you're using requires a password of at least eight characters. Abrams notes that this takes 70.6 trillion passwords out of the mix, since every password from one to seven characters long is now invalid. That saves the cracking tool a whopping 2,277 seconds, or nearly 38 minutes. That's not too bad.

What if, in the name of security, you use an eight-character password (for memorization) and a service forces you to use uppercase and lowercase letters, as well as symbols? That's more secure, right? It's a more complex password, which makes it harder for an attacker to guess? Not quite. As Abrams notes, you've just cut the pool of potential passwords by 18.5 percent, because every string that lacks one of those three classes (an all-lowercase password, for example) no longer needs to be tried. Two days, maximum, for the attacker to exhaust what's left in our scenario.

If a service also requires a number in this password, and you take its advice and just do that, keeping your "complicated" password at a mere eight characters, the digit rule on its own removes roughly 41 percent of the eight-character pool (every string drawn only from the other 85 characters), leaving about 3.9 quadrillion candidates, or about 34 hours of searching in our scenario. Taken together with the uppercase, lowercase and symbol rules, the four requirements compound: only about 3.0 quadrillion candidates remain, some 46 percent of the original 6.6 quadrillion, and the maximum search time drops to about 27 hours, a little over a day.
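As an added worked example (not code from the article or from Webroot), the following Python script reproduces Abrams's arithmetic with inclusion-exclusion, so the effect of each composition rule can be checked exactly rather than estimated, and then extends the same calculation to longer passwords. It assumes the 95-character printable ASCII alphabet and the 31 billion guesses per second rate used above; the class sizes (26 uppercase, 26 lowercase, 10 digits, 33 symbols counting the space) are the standard ASCII ones.

```python
"""Keyspace arithmetic for password composition rules.

Added example for this article, not the article's or Webroot's own code.
It counts, by inclusion-exclusion, how many strings of a given length satisfy
a set of "must contain at least one character from class X" rules, and turns
the count into a worst-case exhaustive-search time at an assumed guess rate.
Assumptions: 95 printable ASCII characters, 31e9 guesses per second.
"""
from itertools import combinations
import string

# Character classes of printable ASCII (95 characters in total).
CLASSES = {
    "upper": len(string.ascii_uppercase),   # 26
    "lower": len(string.ascii_lowercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation) + 1,  # 32 punctuation marks + space = 33
}
ALPHABET = sum(CLASSES.values())  # 95
GUESSES_PER_SECOND = 31e9         # the article's assumed cracking rate


def keyspace(length, alphabet=ALPHABET):
    """All strings of exactly `length` characters over the alphabet."""
    return alphabet ** length


def shorter_keyspace(length, alphabet=ALPHABET):
    """All strings of 1 .. length-1 characters: what a minimum-length rule
    removes from an attacker's search."""
    return sum(alphabet ** n for n in range(1, length))


def constrained_keyspace(length, required):
    """Strings of exactly `length` characters containing at least one
    character from every class named in `required`.

    Inclusion-exclusion: start from every string, subtract those missing
    class A, those missing class B, ..., add back those missing both A and
    B, and so on. Strings missing a given set of classes are drawn from the
    remaining characters, so they number (95 - missing sizes) ** length.
    """
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def crack_seconds(candidates, rate=GUESSES_PER_SECOND):
    """Worst case: the attacker tries every candidate at `rate` per second."""
    return candidates / rate


if __name__ == "__main__":
    n = 8
    full = keyspace(n)
    print(f"{n} chars, any printable ASCII: {full:,} "
          f"(~{crack_seconds(full) / 86400:.1f} days)")
    removed = shorter_keyspace(n)
    print(f"minimum length {n} removes {removed:,} "
          f"(~{crack_seconds(removed) / 60:.0f} minutes saved)")
    for rules in (("digit",),
                  ("upper", "lower", "symbol"),
                  ("upper", "lower", "digit", "symbol")):
        left = constrained_keyspace(n, rules)
        print(f"require {'+'.join(rules):<26} leaves {left:,} "
              f"({100 * (1 - left / full):.1f}% removed, "
              f"~{crack_seconds(left) / 3600:.0f} hours)")
    # Length dominates: every extra character multiplies the space by 95,
    # which dwarfs what any combination of class rules removes.
    for n in (8, 10, 12):
        left = constrained_keyspace(n, ("upper", "lower", "digit", "symbol"))
        print(f"{n} chars with all four classes required: "
              f"~{crack_seconds(left) / 86400 / 365:.3g} years")
```

Running it reproduces the 6.6 quadrillion, 70.6 trillion and 18.5 percent figures, shows that the digit rule alone removes 41 percent while all four rules together leave about 46 percent of the unconstrained pool, and shows that adding two characters of length costs the attacker far more than every composition rule combined saves them.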

Instead of worrying about the best way to make your short password harder to guess or brute-force, Abrams advises that it's a lot better to pick a longer password: each additional character multiplies the search space by 95, so even if a service has password constraints, they'll have much less of an impact:
