
What password length is considered the most optimal and secure as of right now?

Actual_Criminal

What I'm trying to figure out is: what is the shortest password I can have using non-random (so words/phrases) alphanumeric characters (plus one symbol) that is virtually impossible to crack and decipher?

 

For example, let's say the world's most powerful computer could take 4 years MAXIMUM to decipher a seven-character password, but eight characters would take 102 years; therefore 8 plus would be sufficient for the current day.

 

I understand a randomly generated pattern of characters is the MOST safe option, but I have over 8 emails and many accounts etc and don't trust the password generators/managers just in case my computer dies. I also know 2FA is a thing and I use it, but my question still stands.

 

EDIT: Amended post to clarify security relevance for the present. Yes I know things will change as computers get more powerful.

CPU: AMD Ryzen 9 16-core 5950X

CPU Cooler: Artic Freezer 2 AIO 360mm Radiator

Motherboard: Asus ROG Strix X570-F Gaming

Memory: 32GB (2x16GB) G.Skill Trident Z Royal 3600 MHz CL16

GPU: Nvidia RTX 4080 MSI Ventus 3X 16GB GDDR6X

Storage OS: 500GB Samsung 980 Pro Gen4 M.2 NVme SSD

Storage Games: 2TB Corsair MP600 Gen4 M.2 NVme SSD + 2TB Samsung 860 Evo SSD + 500GB Samsung 850 Evo SSD

Storage Misc: 2TB Seagate Barracuda Compute 7200 RPM

PSU: Corsair HX Platinum 1000W 80+

Case: Fractal Design Meshify S2 ATX Mid Tower

Monitor: Dell Alienware AW3423DW 175Hz 1ms 3440p (widescreen) HDR400 OLED panel 34"  + Asus PG258Q 240Hz 1ms 1080p G-Sync TN panel 24.5"


None. If you have a mindset that it's not possible to hack/crack, then your head's in the wrong space. EVERYTHING is crackable and hackable.

Community Standards | Fan Control Software

Please make sure to Quote me or @ me to see your reply!

Just because I am a Moderator does not mean I am always right. Please fact check me and verify my answer. 

 

"Black Out"

Ryzen 9 5900x | Full Custom Water Loop | Asus Crosshair VIII Hero (Wi-Fi) | RTX 3090 Founders | Ballistix 32gb 16-18-18-36 3600mhz 

1tb Samsung 970 Evo | 2x 2tb Crucial MX500 SSD | Fractal Design Meshify S2 | Corsair HX1200 PSU

 

Dedicated Streaming Rig

 Ryzen 7 3700x | Asus B450-F Strix | 16gb Gskill Flare X 3200mhz | Corsair RM550x PSU | Asus Strix GTX1070 | 250gb 860 Evo m.2

Phanteks P300A |  Elgato HD60 Pro | Avermedia Live Gamer Duo | Avermedia 4k GC573 Capture Card

 


4 minutes ago, Actual_Criminal said:

What I'm trying to figure out is: what is the shortest password I can have using non-random (so words/phrases) alphanumeric characters (plus one symbol) that is virtually impossible to crack and decipher?

The longer the better, which is exactly why a password manager is recommended. To solve the issue of a "dead computer" you need a backup of your password database (ideally multiple backups).

 

Here's a good video on the subject:

 

Meaning: no matter how long your non-random, I-can-remember-it password is, the amount of time it takes to crack it is only a matter of computational power, which is only going to increase in the future.

Remember to either quote or @mention others, so they are notified of your reply


A minimum of 12 characters is the "recommended" length for what you're after. However, the less "random" it is, the easier it is to crack. Combinations of English words are notoriously easy to crack. You need to make it seem random without being something obvious.

 

For example, a password that would be fairly secure but easy to remember could be something like

L1nu5--T3ch//T1p5

 

Most brute force attacks would easily substitute common letters for numbers like E > 3, I > 1 etc., but adding other random characters can throw it off.

 

But even if you have the most secure password ever, NEVER use it on more than 1 website.


Just now, Arika S said:

Minimum of 12 characters is the "recommended" for what you're after. However the less "random" it is, the easier it is to crack.

 

For example, a password that would be fairly secure but easy to remember could be something like

L1nu5--T3ch//T1p5

 

But even if you have the most secure password ever, NEVER use it on more than 1 website.

Thank you, this is what I was looking for.


The length is not relevant, the COMPLEXITY is.

 

You have no idea how the websites store the passwords ... usually they create a hash out of the entered password, which is just 20-32 bytes.

So someone could find a 100-character password that would produce the same 20-32 byte hash as your 10-20 character password; it's just quite difficult and takes a lot of time.

 

Websites that force you to enter at least n characters, maximum n characters, at least one uppercase, at least one digit ... are basically stupid, because they're just limiting the number of unique possible passwords one could use, and furthermore they're pushing people into giving up exactly when the password matches the requirements (so for example, if a website says at least 8 characters, then the user will enter an 8-character password ... or at most 8-12 characters).

A hacker can now calculate all possible hashes because he knows the password is at least 8 and at most 10 characters ... and then the maximum number of combinations is further reduced by the need to have at least one uppercase letter, at least a digit ... otherwise the hacker would have to calculate hashes for anything between, let's say, 4 letters and 20 letters.

 

Reminds me of the xkcd comic; I remembered "battery horse staple" from months ago when I probably heard it mentioned again:

[image: password_strength.png]


Just now, mariushm said:

The length is not relevant, the COMPLEXITY is

Uh, you posted a picture from XKCD that shows the exact opposite. The longer the password, the more entropy there is and the exponentially more variations there are to test. A complex 4-character password is cracked in less than 500ms, so yes, length very definitely is humongously relevant.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


Yeah, I meant something and I said something else. 

I meant complexity as in not having so many restrictions on how a password should be made (must have lowercase, must have uppercase, numbers, symbols).

If the website forces you to reduce complexity (or entropy, maybe that's a better word), you end up with much fewer possible unique combinations of letters and numbers and symbols, so the password is easier to crack.
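To put numbers on the two points made above (WereCatf's: every extra character multiplies the search space; mariushm's: a composition rule shrinks the number of passwords that qualify), here is an added example in Python. It is not code from the thread; the guess rate is an assumed ballpark figure and the 2048-word list is the one the xkcd comic assumes.

```python
import math

# Character-set sizes discussed in the thread: lowercase only, mixed case plus
# digits, and all printable ASCII characters typeable on a US keyboard.
LOWER, UPPER, DIGITS, PRINTABLE = 26, 26, 10, 95

# Assumed attacker guess rate (hypothetical: 10^9 guesses per second, a rough
# figure for one GPU against a fast unsalted hash). Not a number from the thread.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 31_557_600


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of exactly `length` over `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(count: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `count` possibilities."""
    return math.log2(count)


def constrained_keyspace(length: int) -> int:
    """Passwords of `length` over [a-zA-Z0-9] that contain at least one
    uppercase letter AND at least one digit (a typical composition rule).
    Inclusion-exclusion: all - (no uppercase) - (no digit) + (neither)."""
    full = LOWER + UPPER + DIGITS      # 62 symbols
    no_upper = LOWER + DIGITS          # 36 symbols
    no_digit = LOWER + UPPER           # 52 symbols
    return (full ** length - no_upper ** length
            - no_digit ** length + LOWER ** length)


def passphrase_keyspace(words: int, wordlist_size: int = 2048) -> int:
    """Passphrase of `words` words drawn uniformly from `wordlist_size` words
    (the xkcd comic assumes 2048 words, i.e. 11 bits per word)."""
    return wordlist_size ** words


def seconds_to_exhaust(count: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return count / rate


if __name__ == "__main__":
    cases = {
        "4 chars, all printable ASCII": keyspace(4, PRINTABLE),
        "8 chars, [a-zA-Z0-9], no rule": keyspace(8, LOWER + UPPER + DIGITS),
        "8 chars, must have upper+digit": constrained_keyspace(8),
        "4 random words from 2048": passphrase_keyspace(4),
        "16 chars, lowercase only": keyspace(16, LOWER),
    }
    for name, count in cases.items():
        years = seconds_to_exhaust(count) / SECONDS_PER_YEAR
        print(f"{name:32s} {entropy_bits(count):6.1f} bits  {years:10.3g} years")
```

The 4-character printable-ASCII case is exhausted in well under a second at the assumed rate, while the 4-word passphrase sits at 44 bits and the composition rule removes roughly a quarter of the 8-character candidates an attacker would otherwise have to try.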

 


More important than a strong pw these days is to use mfa everywhere it is possible.

Even if someone has your pw, they'll need access to your phone or other mfa device in real time to be authenticated.


2 hours ago, WereCatf said:

Uh, you posted a picture from XKCD that shows the exact opposite. The longer the password, the more entropy there is and the exponentially more variations there are to test. A complex 4-character password is cracked in less than 500ms, so yes, length very definitely is humongously relevant.

The XKCD isn't great for that IMO, but the message he's trying to convey is correct; as a password, you're better off with a long sentence that is easy to remember than a short (often people go with the minimum) random string of characters.

 

As a sysadmin I see this often, where people take a simple word with a few numbers slapped at the end, then they do +1 when they need to change the password. That right there is a big issue. People can't remember passwords because they've been trained to have complex passwords, so they put in something simple (to them) with +1 at the end ... I've personally switched to contextual sentences and it's much easier to remember. If you know more than one language, adding words in a different language also helps with complexity, as long as it doesn't make it harder to remember.

 

I tell that to users when I see they simply go with simple words or when they complain about having too many passwords; make a sentence that's related to the service you're using, something related to you (if possible) that won't be hard to remember but is complex enough that others won't be able to guess (like the name of your first born with its birth year ... sigh). As an example I tell them they can use something like " Just w1ndow shopping! " for their eBay or Amazon password. It's contextual with the account (that password wouldn't make sense for your email or work account), it's simple to remember but has enough complexity to be hard to break easily (but please don't use that, it's an example of a simple sentence, and it's too simple IMO).

 

For my main email account, I have a sentence (in multiple languages) + a gibberish string of characters at the end (not going to say how long the whole pw is, but it's pretty long) ... yeah, it's a pain to enter, but it's contextual, is easy to remember (for me) and it's to make sure the account is secure and won't be easy to break into, because somehow someone in Brazil decided that email is theirs; they register my email for all their stuff, like gov communication (like tax stuff), car dealership, cellphone and ISP bills, Netflix ... if I wanted to steal someone's identity (or his Netflix account), it would be real easy with that idiot! And he's trying to recover the account at least 2-3 times a year!!

 

And of course, MFA anywhere that's available, but MFA should not be an excuse to use a simple password!

If you need help with your forum account, please use the Forum Support form !


I can't speak to actual numbers or anything like that cuz it's not my speciality, but as others have said the best kind of password is a passphrase (3+ "random" words together). For me, I have a pool of words I came up with a while ago and whenever I need a new password I choose words and make any changes needed (illogical placement of symbols, numbers and different letter cases). They're stored in an undisclosed location, in front of at least 2 passwords. The thing with trying to calculate how long it'd take is that you'll be wrong. Usually the number of years is how long it'd take to brute force the string, but dictionaries of already cracked passwords are available. That along with rules with brute forcing that change the way things are hashed (changing an e to a 3 for example) make the actual time much lower. It might take a year or even a couple, but eventually all passwords in a leak will be cracked. As such you should change your password regularly. 

Either @piratemonkey or quote me when responding to me. I won't see otherwise

Put a reaction on my post if I helped

My privacy guide | Why my name is piratemonkey PSU Tier List Motherboard VRM Tier List

What I say is from experience and the internet, and may not be 100% correct


Changing your passwords every 3 days should do it.  😉

 

I set passwords based on the level of security I think I need for each use. 

 

Some random site that doesn't hold payment info will be basic.  Paysites that hold info are higher.  I never use the "save my credentials" option.  Major banking info now has 2fa with biometrics.

 

Pretty much any place that has a "forgot password" button is really only as strong as your email or phone or whatever reset method is used.

 

 

 

 


I have a method that's really stupid but really fun.

I don't have a password vault - instead my password is my first and last name first letter (which happen to be the same), and then my school ID number except I switch around some of the numbers.

I then just have a sheet that tells me what to add to which number. Example:
For this, my ID number is 300011111 and the letters are GG.

For my LTT password, I would put +2 156 -1 348, meaning add 2 to numbers 1, 5, and 6 and subtract 1 from numbers 3, 4, and 8.

If I hit a zero and I have to subtract, 0 - 1 = 9, etc.

Thus, my password would be GG509933101.

 

 

elephants


32 minutes ago, SGT-AMD said:

That should explain it well.

I don't get it, what is this supposed to explain?


2 hours ago, SGT-AMD said:

Link didn't show up in the post. I guess that I'm still in the new area.

 

The problem I see is the question: "What password length is considered the most optimal and secure"

Those are two questions with different answers.

 

The optimal password length is the one that maximizes the entropy of the password database encryption field. So if it's SHA1, it's 160 bits (20 characters), MD5, it's 128 bits (16 characters), if it's sha256, it's 256 bits, or 32 characters. Anything more than the database field, and it's truncated. 

 

So it depends on the backend. If the backend is SHA1, then 32 characters is the most that matters, because the hash will still be stored as 32 characters. Or rather 64 characters, as they're stored as printable ASCII characters in the database if they're in a text field and not a binary blob.

 

For example:

https://emn178.github.io/online-tools/sha256.html

 

The password of "password"

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

and the password of "1111"

0ffe1abd1a08215353c233d6e009613e95eec4253832a761af28ff37ac5a150c

and the password of "correcthorsebatterystaple"

cbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46

Note these are all the same length. To figure out what these passwords are, you'd use something like rainbow tables if they are unsalted. If you know what the salt is (eg you downloaded the password encoder) you could also generate rainbow tables for that salt and look for easy passwords. 

 

A short password with symbols and numbers in it only increases the character entropy, e.g. instead of trying 26 letters, it has to try 36 if you add numbers, 56 if it has to try uppercase and lowercase and numbers, and 88 if you use all English-keyboard typeable characters. This only makes it harder for brute-forcing. You know how to brute force something? If you've acquired the password hashtable database of a server, you have the salt and the username, so all you have to do is find an account you want access to and brute-force it offline, where you are not limited by internet/connection capacity.

 

Once you find a hash collision (not necessarily the password) you have a working password. Hence longer hashes (eg 160, 256, 512 bits) make this more difficult to find a collision. 

 

So to answer the second half of the question, "what is most secure", it depends entirely on how it's stored. If the platform stores it in the clear, or in a symmetric cipher, and is later hacked, then you could have a 500-character password and it's no more secure than an 8-character password. If it's stored as an MD5, then any password longer than 16 characters will have a collision that is 16 characters long, without needing to find that longer password.

 

Unix crypt is known for being relatively weak, and if your system has been upgraded without the password database being re-created (e.g. forcing users to reset their password), then they may very well have original-flavor DES crypt as their password rather than any newer crypt algorithm. So a loss of that password database may be easily reversed on a much newer computer system.

 

Ultimately, a longer, easier-to-remember password is harder to brute-force if the attacker has no information about it, as they may be forced to try all typeable characters. If you resort to only lowercase characters, then you want a password three times longer than one that uses lowercase, uppercase and symbols. Each additional character adds an exponential amount of time to brute-forcing it. So 26 if just lowercase/uppercase, and 88 if all typeable characters.
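Two things the post above relies on can be checked locally: that a hash is the same fixed length whatever the input, and that a per-user salt plus a slow key-derivation function is what stops the rainbow-table and offline brute-force approach it describes. This is an added Python example, not code from the thread; the three digests are the ones quoted in the post, and the 600,000 iteration count is an assumption (the figure OWASP currently recommends for PBKDF2-HMAC-SHA256).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Digests quoted in the post above (SHA-256 of three sample passwords);
# sha256_hex() recomputes them locally for comparison.
QUOTED_SHA256 = {
    "password": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
    "1111": "0ffe1abd1a08215353c233d6e009613e95eec4253832a761af28ff37ac5a150c",
    "correcthorsebatterystaple": "cbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46",
}

# Assumed work factor for this example; tune to the server's latency budget.
ITERATIONS = 600_000


def sha256_hex(password: str) -> str:
    """Plain, unsalted SHA-256: always 32 bytes (64 hex chars) regardless of
    input length, which is why the quoted digests are all the same length."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def digest_lengths(passwords) -> set:
    """Set of hex-digest lengths seen over `passwords` (expected: {64})."""
    return {len(sha256_hex(p)) for p in passwords}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh random per-user salt makes
    a table precomputed for one salt useless against every other user, and the
    iteration count multiplies the cost of each offline guess."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_password(password: str, salt: bytes, key: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    for pw, quoted in QUOTED_SHA256.items():
        print(f"{pw:28s} len={len(sha256_hex(pw))} matches_post={sha256_hex(pw) == quoted}")
    salt1, key1 = hash_password("correcthorsebatterystaple")
    salt2, key2 = hash_password("correcthorsebatterystaple")
    print("same password, two users, different stored keys:", key1 != key2)
```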

 


Something something bit depth random waffle something something

i5 8600 - RX580 - Fractal Nano S - 1080p 144Hz


On 2/3/2021 at 3:09 PM, Slayerking92 said:

https://howsecureismypassword.net/

Is 0 Yoctoseconds good or bad?

 

Dunno, but my current password of ******************* will take 32 Septillion years to crack.

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


23 minutes ago, Radium_Angel said:

Dunno, but my current password of ******************* will take 32 Septillion years to crack.

Most of these checkers are phishing, please don't use your real passwords. 


1 minute ago, Heliian said:

Most of these checkers are phishing, please don't use your real passwords. 

awww man, I just used my real password of **********************

 

Shit, now I gotta change it...🤣


3 minutes ago, Heliian said:

Most of these checkers are phishing, please don't use your real passwords. 

I put passwords similar to mine.

Basically the same thing.


 I tried to use 256 character passwords with capital, lowercase, numbers, and symbols. Unfortunately, most sites don't like that, so I had to drop it down to a disgusting 32 characters with capital, lowercase, and numbers only.


The longer the better! There's no "most secure" option; just try to use some symbols and numbers.
