
Possible Duplicate:
XKCD #936: Short complex password, or long dictionary passphrase?

How are long passwords more secure? The only situation in which I can accept long passwords are more secure is when someone is literally standing behind you, seeing what you are typing.

When it comes to someone using a keylogger or sniffer, the password length doesn't matter at all: your password will get compromised no matter what. Yet in a lot of places I read/hear that long passwords are more secure. How?

Can someone mention some other situations in which a long password will not get compromised whereas a shorter one will?

2 Answers


Short Answer

Long, complex passwords make you less susceptible to brute-force attacks. Each time you add either an additional character set (e.g. a-z, A-Z, 0-9, special symbols, etc.) or increase the character length of your password, you're exponentially increasing the total number of possibly correct passwords (i.e. the bits of entropy), and that means it will take longer for a brute force program to guess the right one.

Note that for this to work the password must be both long and complex. The password "123456789" is nine total characters, but will likely be guessed within the first dozen or so attempts.

Mark

  • Also, hackers usually skip symbols when brute-force cracking passwords, because it would take too long and few people use them, except maybe for the common !@. – Matrix Jul 05 '12 at 06:17

If a database full of hashed passwords is compromised, the hashes for the shorter passwords are much more vulnerable to brute-force cracking. And if it's not salted, then anything up to about 14 characters is likely to be in a rainbow table and thus very vulnerable.

Mike Scott

  • Exactly, the longer the password, the longer it takes to brute-force it because the number of hashes to generate increases with every letter. Dictionary attacks are different: if there is a 15 letter word in a dictionary, then using that word for a password is as secure as using "123456" (not secure at all). – Matrix Jul 05 '12 at 06:13
  • Even if it's salted, modern GPU cracking can achieve almost 50 billion MD5 hashes per second using off-the-shelf hardware. For a 10 character random alphanumeric password, that's an average cracking time of 10 hours. For 11 characters, it's 15 days. The only solution is a slow, tweakable hash algorithm like bcrypt or PBKDF2. – Polynomial Jul 05 '12 at 12:25
  • And for 16 characters, it's two and a half million years, using your own assumption of a times 36 increase in difficulty with an extra character. In practice, of course, that means it lasts until better hardware comes along, but well-chosen passwords of 16 characters or more are still effectively uncrackable. – Mike Scott Jul 05 '12 at 13:00
  • I don't know the exact number of available characters or things about hashed or salted, but isn't the following calculation kind of true (depending on set parameters): 26 characters in the alphabet x2 make 52, +10 numbers, +10 (not sure) other symbols make 72 possible characters. So a password of 9 without restrictions on what to use could in theory be one of 72^9 versions? The actual number will be lower because of common restrictions and requirements? – johan vd Pluijm Nov 29 '17 at 14:12
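The arithmetic behind both answers and the comment thread above (keyspace and entropy bits from the first answer, the average crack time at the 50 billion hashes per second quoted by Polynomial, and why a dictionary hit short-circuits all of it), as an added example that is not part of the original thread. The common-password list is a constructed sample; the character-class sizes and the hash rate are assumptions taken from the comments.

```python
import math
import string

# Constructed sample of a "most common passwords" list, ordered by popularity.
# A real attacker's wordlist is far larger; this only illustrates the point.
COMMON_PASSWORDS = ["123456", "password", "123456789", "12345678", "qwerty"]

# Rate quoted in the comments: ~50 billion MD5 hashes per second on a GPU.
GPU_MD5_RATE = 50e9


def charset_size(password: str) -> int:
    """Size of the smallest 'obvious' character set that covers the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def entropy_bits(charset: int, length: int) -> float:
    """Bits of entropy for a uniformly random password: length * log2(charset)."""
    return length * math.log2(charset)


def average_crack_seconds(guesses: int, rate: float) -> float:
    """Expected time to find the password: on average half the keyspace is tried."""
    return guesses / rate / 2


def guesses_needed(password: str) -> int:
    """Guesses an attacker actually needs: a wordlist hit beats the full keyspace."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return charset_size(password) ** len(password)


if __name__ == "__main__":
    # 9 digits that are on every wordlist vs. 10, 11 and 16 random alphanumerics
    for pw in ["123456789", "h7k2m9x4qp", "h7k2m9x4qpz", "h7k2m9x4qpz3w8r5"]:
        g = guesses_needed(pw)
        years = average_crack_seconds(g, GPU_MD5_RATE) / (365.25 * 86400)
        print(f"{pw:18} guesses={g:.3g}  avg crack time={years:.3g} years")
```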