Why long (and random) passwords matter

I’ve talked many times about why it’s so important to use something like LastPass for password management.

Not only is it important to have a long and complex password, but it’s important that you don’t reuse passwords (even with modifications) between sites.

This graphic, which has been floating around security circles over the past few weeks, gives a good illustration of why both of these things are so important.

Brute Force Time-to-Crack

You can see that even if you have a relatively complex collection of numbers, upper and lowercase letters, and symbols, if your password is only 8 characters long, it takes less than a day to crack it.

Simply adding a single character increases the brute-force effort more than 60 times! Adding two characters (10 total) increases it another 80x!

Don’t Reuse Your Passwords

There are several unknowns in this chart, but one of the most important to consider is that the attacker is starting his password-cracking attempts from a blank slate.

That is, he (or she) doesn’t have any prior knowledge of your password tendencies.

For many people, though, that’s not the case. Motivated attackers have access to large databases listing not only popular passwords, but also passwords matched to account names (usually email addresses).

Numerous databases of passwords have been leaked – some encrypted, but some in plain text. Make sure you check out Firefox Monitor (or HaveIBeenPwned.com) to see which of your online accounts have known compromises.

Not only do you need to change the passwords for these accounts, but you need to make sure that any other accounts that have the same (or similar) passwords get changed too.

Password Managers

The solution, like I’ve said before, is to use a password manager.

There are lots of good options, and many of them have a free tier, so you can keep your passwords secure without paying! Some of my favorites are:

  • LastPass – Mac, Windows, iOS, Android, browser extensions
  • 1Password – Mac, Windows, iOS, Android, browser
  • DashLane – Web app, iOS, Android
  • KeePass – Open source for Windows. Ports for iOS, Mac, Android, and others.

Whichever one you choose, simply using one regularly and letting it generate 16-26 character random passwords will keep you almost 100% brute-force proof. And if you need extra security (or you’re extra paranoid), go ahead and enable 2-Factor Authentication wherever you can!
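To make the two numbers in this post concrete (the time-to-crack chart earlier, and the 16-26 character random passwords a manager generates), here is an added example, not code from the post or from any of the password managers listed. It computes the brute-force keyspace and entropy for an alphabet of a given size, estimates exhaustive-search time at an assumed guess rate, and generates a random password from the `secrets` module the way a manager would. The 94-character alphabet (letters, digits, ASCII punctuation) and the 10^11 guesses-per-second rate are assumptions; the chart's exact alphabet and rate are not stated. With a fixed alphabet, each extra character multiplies the effort by the alphabet size, which is the general rule behind the chart's "60x" and "80x" jumps.

```python
import math
import secrets
import string

# Assumed alphabet sizes for the estimate (the chart's alphabet is unknown).
CHARSETS = {
    "digits": string.digits,                                                 # 10
    "lowercase": string.ascii_lowercase,                                     # 26
    "mixed_alpha": string.ascii_letters,                                     # 52
    "alnum": string.ascii_letters + string.digits,                           # 62
    "alnum_symbols": string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Assumed offline cracking rate against a fast unsalted hash; a placeholder,
# not a measured figure. Slow hashes (bcrypt, Argon2) are orders of magnitude lower.
GUESSES_PER_SECOND = 1e11


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace; average is half of this."""
    return keyspace(alphabet_size, length) / rate


def growth_factor(alphabet_size: int, extra_chars: int = 1) -> int:
    """How much the effort grows when extra_chars characters are appended."""
    return alphabet_size ** extra_chars


def humanize(seconds: float) -> str:
    """Render a duration in its largest natural unit, one decimal place."""
    units = [("years", 365.25 * 86400), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0), ("seconds", 1.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def generate_password(length: int = 20,
                      alphabet: str = CHARSETS["alnum_symbols"]) -> str:
    """Uniformly random password from a CSPRNG, as a password manager does.
    random.choice would be the wrong tool here: it is not cryptographically secure."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def crack_time_table(lengths=range(8, 21, 4)):
    """Return (charset, length, entropy, worst-case time) rows for the assumed rate."""
    rows = []
    for name, chars in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, entropy_bits(len(chars), n),
                         humanize(seconds_to_exhaust(len(chars), n))))
    return rows


if __name__ == "__main__":
    for name, n, bits, t in crack_time_table():
        print(f"{name:14s} len={n:2d} {bits:6.1f} bits  worst case {t}")
    print("example generated password:", generate_password(20))
```

At the assumed rate, an 8-character password over all 94 printable characters falls in under a day, matching the chart's point, while a 16-character one from the same alphabet sits far beyond any practical budget; that gap, not cleverness in choosing the characters, is what the manager's generator buys you.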