Password Security: Is Length or Complexity More Important?

It’s no secret that poor password choices can severely compromise your safety online. For example, recent research into the most common passwords worldwide shows that many people still use high-frequency and well-known passwords.
You probably wouldn’t leave your shiny new iPhone on a cafe table secured with an obvious passcode of ‘1234’ or ‘0000,’ would you? Of course not, mainly because it would be a poor way to prevent phone hacking. Yet many of us choose questionable passwords for our digital lives.
Despite the warnings and guidance from security experts, it seems there is still a lot of confusion around good digital hygiene and password management.
To help you on your path to better digital security, we’re taking a look at one of the critical issues in password best practices today: whether length or complexity is more important. Before we get stuck into it, though, let’s take a quick look at why good password management matters.
Why good password choices and management matter
Perhaps the best way to drive home the importance of a robust digital hygiene strategy is to review a few statistics and facts:
• As TechRepublic reports, around 70 percent of the most common passwords around the world can be hacked in less than one second.
• According to PC Mag, the world’s most common passwords are “laughingly insecure.”
• Although most cyber attacks are aimed at corporate entities, individuals are still a frequent target.
• Once a threat actor has one of your passwords, they may leverage that single insight to access other accounts you hold, commit identity theft, or steal any available finances.
• Cybercrime is increasing globally. Not only are threat actors capitalizing on the Covid-19 pandemic to up the proverbial ante, but the advent of criminal business architectures – such as Ransomware as a Service – means that even malicious actors with limited technical abilities can commit cybercrimes.
• Your passwords are your first line of self-defense. As such, they are a vital part of a solid digital hygiene strategy.
Does long equal strong, or should I prioritize password complexity first?
In 2022, the prevailing wisdom is that size does matter, meaning you should prioritize length over complexity. This is because hackers are not relying on their critical reasoning skills to somehow figure out people’s passwords.
Instead, they are using advanced algorithmic software to perform specialized attack types, such as brute force and dictionary attacks. With the assistance of this software, it does not matter whether you have swapped all the As in your password for @s, or turned all the Es into 3s. It takes just as long for the software to crack a “!” symbol as it does a letter.
Because the threat actors’ software is doing all the heavy lifting, your best bet is to make it as difficult as possible for your passwords to be cracked. Statistically, that means a longer password is safer.
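To put numbers on the length-versus-complexity point, here is an added example (not part of the original article) that estimates the brute-force search space of a password and checks whether symbol swaps merely disguise a dictionary word. The wordlist, the swap table and the sample passwords are constructed for illustration.

```python
import math
import string

# Constructed stand-in for a cracker's wordlist (assumption, not from the article).
WORDLIST = {"password", "letmein", "sunshine", "dragon"}

# Character swaps the article mentions (a->@, e->3) plus a few similar ones,
# mapped back to letters the way a dictionary attack's mangling rules would.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(pw: str) -> int:
    """Alphabet a brute-force search must cover: sum of the classes in use."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))


def brute_force_bits(pw: str) -> float:
    """log2(alphabet ** length). Only meaningful for randomly chosen passwords."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def is_dictionary_variant(pw: str) -> bool:
    """True if undoing case and symbol swaps yields a wordlist entry."""
    return pw.lower().translate(UNLEET) in WORDLIST


def assess(pw: str) -> dict:
    """Summarise both views of one password."""
    return {"length": len(pw), "alphabet": charset_size(pw),
            "bits": round(brute_force_bits(pw), 1),
            "dictionary_variant": is_dictionary_variant(pw)}


if __name__ == "__main__":
    # Constructed sample passwords: a disguised dictionary word, a short
    # complex random string, and a long lowercase-only random string.
    for pw in ("P@ssw0rd", "x7$Kq2!m", "qhtzvkmwpbrlcxgn"):
        print(pw, assess(pw))
```

The 16-character lowercase string has a larger search space than the 8-character string that uses every character class, while "P@ssw0rd" scores the same as the random 8-character string on paper but falls to a dictionary attack.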
The minimum recommended length is 12 characters, and you should combine this length with a few other factors:
• Uniqueness. Make your passwords as random as possible. Avoid consecutive numerals (123) or letters (abc). Do not use any of the most common passwords, and use a different password for each account you hold.
• Complexity. Use a random mix of upper and lowercase letters, special characters, punctuation, and numerals.
But how will I remember these long and complex passwords?
The trick to good password and digital hygiene is that you shouldn’t be able to remember all your passwords (unless you’re some kind of savant). Instead, enlist the help of a good password manager to keep all of your passwords in order.
With LastPass or one of the numerous other options available, you simply sign in to the password manager once with a master password or passcode, and the software does the rest. As a bonus, these programs help you generate strong passwords and will automatically sign you into websites and apps.
Note that these third-party password managers are considered more secure than your browser’s built-in option. As Wired and other publications have noted, there are a number of security concerns associated with relying on your browser for password management. Follow the tips above to lock down your digital life and avoid becoming a victim of cybercrime.