
The Power of Length

(Yes, length can matter)
8 May 2025 by Bryce

Why Long Passwords May Be a Good Defence


In today's digital landscape, security is paramount. Protecting personal information, financial accounts, and sensitive data requires a robust defence strategy. 



Why Length May Seem to Matter More Than Complexity


The primary reason long passwords are so effective lies in the way password cracking works. 


Hackers often employ techniques like brute-force attacks and dictionary attacks to gain unauthorized access. 


Brute-force attacks involve systematically trying every possible combination of characters until the correct password is found. 


Dictionary attacks, on the other hand, use lists of common words and phrases, along with variations and misspellings.


The longer a password is, the exponentially more difficult it becomes to crack using brute-force methods. 


Each additional character added to a password dramatically increases the number of possible combinations, making the process computationally infeasible for even the most powerful computers.


A password with 8 characters, using only lowercase letters, has 26^8 possible combinations (208 billion).


A password with 12 characters, using the same lowercase letters, has 26^12 possible combinations (9 with 16 zeros after it). 


That's a difference of trillions of times more possibilities.


However, if uppercase letters, digits and control characters are also used, then the number of possible combinations rises to 68^8 for an 8-character password (using 26 lowercase and 26 uppercase letters, 10 digits and a selection of 6 control characters), which is 4.5 with 14 zeros after it. That is fairly close to the 12-character lowercase password, and MUCH easier to remember.


While dictionary attacks can be effective against short, easily guessable passwords, they become significantly less useful against longer passphrases, especially with capitalisation, numbers and control characters. 
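The arithmetic in the paragraphs above can be checked directly. The following is an added example (not code from the original post): it computes the keyspace for each of the post's cases, converts it to entropy in bits, and estimates how long an exhaustive brute-force search would take at an assumed guess rate. The guess rate of 10^10 guesses per second is an assumption chosen for illustration, not a figure from the post. It also goes slightly beyond the post by scoring a word-based passphrase drawn from a 7776-word list, so that the "longer passphrase" advice can be compared on the same scale.

```python
import math

# Character-class sizes used in the post. The post calls punctuation
# "control characters"; the 6-symbol selection is the post's own figure.
LOWER = 26
UPPER = 26
DIGITS = 10
SYMBOLS = 6

# Assumed attacker throughput for the time estimates (illustrative, not from the post).
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct secrets of exactly `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random secret, in bits (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare_cases() -> dict:
    """The three password shapes discussed in the post plus a 4-word passphrase."""
    mixed = LOWER + UPPER + DIGITS + SYMBOLS          # 68 symbols
    cases = {
        "8 lowercase": (8, LOWER),
        "12 lowercase": (12, LOWER),
        "8 mixed (68 symbols)": (8, mixed),
        # Diceware-style passphrase: 4 words chosen at random from 7776 words.
        "4-word passphrase": (4, 7776),
    }
    return {
        name: {
            "keyspace": keyspace(n, a),
            "bits": round(entropy_bits(n, a), 1),
            "exhaust": human_time(seconds_to_exhaust(n, a)),
        }
        for name, (n, a) in cases.items()
    }


if __name__ == "__main__":
    for name, row in compare_cases().items():
        print(f"{name:22s} keyspace={row['keyspace']:>22,d}  "
              f"{row['bits']:5.1f} bits  exhaust in {row['exhaust']}")
```

Note that the 12-character lowercase keyspace is 26^4 times (456,976 times) the 8-character one, and that a uniformly random 4-word passphrase carries more entropy than an 8-character mixed password; the entropy figures only hold when the secret is chosen at random, which is exactly why the blocklist checks discussed later matter for human-chosen secrets.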



The Sweet Spot: Balancing Security and Memorability


While long passwords offer the highest level of security, they can also be difficult to remember.


This can lead to users writing them down, or relying on password managers – practices that introduce their own potential vulnerabilities if not implemented carefully.


Therefore, the ideal password length balances strong security with ease of memorization.


A general recommendation is to aim for passwords that are at least 8 characters long, but ideally 12 or more.


The latest NIST guidelines (2025), available in the NIST SP 800-63B special publication, state the following regarding memorised secrets (passwords):


"Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed"


Interestingly, the following is added regarding 'control characters':


"All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well."


There are also guidelines regarding 'Hints' and 'Subscriber Questions':


"Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets."


It is also recommended that the potential memorised secret first be checked against the following sources, before the password is accepted:


•     "Passwords obtained from previous breach corpuses.

•     Dictionary words.

•     Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).

•     Context-specific words, such as the name of the service, the username, and derivatives thereof."
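A verifier-side screening routine implementing the four NIST checks quoted above, as an added example (not code from the original post or from NIST). The breach corpus and dictionary here are tiny constructed sets standing in for the real lists a verifier would load; the minimum length of 8 is the post's figure. Context-specific words are derived from the service name and username, including the local part of an email-style username, because the guideline asks for "derivatives thereof".

```python
import re

# Constructed stand-ins for a breach corpus and a dictionary; a real verifier
# would load these from files (or query a k-anonymity breach API).
BREACHED = {"password", "qwerty123", "letmein", "summer2024", "iloveyou"}
DICTIONARY = {"password", "sunset", "ocean", "dragon", "monkey", "welcome"}
MIN_LENGTH = 8


def is_repetitive(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def is_sequential(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive code points ascend or descend by one (e.g. '1234', 'dcba')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def context_words(service: str, username: str) -> set:
    """Service name, username and simple derivatives (email local part, digits stripped)."""
    words = set()
    for raw in (service, username):
        w = raw.lower().strip()
        if not w:
            continue
        words.add(w)
        words.add(w.split("@")[0])                 # local part of an email-style name
        words.add(re.sub(r"\d+", "", w))           # name with trailing/inner digits removed
        words.add(w.replace(" ", ""))              # service name without spaces
    return {w for w in words if len(w) >= 3}       # ignore fragments too short to be meaningful


def screen(pw: str, service: str, username: str) -> list:
    """Return the reasons a memorized secret should be rejected; an empty list means accept."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in BREACHED:
        reasons.append("previously breached")
    if low in DICTIONARY:
        reasons.append("dictionary word")
    if is_repetitive(pw):
        reasons.append("repetitive characters")
    if is_sequential(pw):
        reasons.append("sequential characters")
    hits = sorted(w for w in context_words(service, username) if w in low)
    if hits:
        reasons.append("contains context-specific word(s): " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for candidate in ("aaaaaa", "1234abcd", "Password", "MyExample2025!", "correct horse battery"):
        verdict = screen(candidate, service="Example", username="bryce@example.co.nz")
        print(f"{candidate!r:28s} -> {verdict or 'accepted'}")
```

The checks are deliberately applied against the lowercased secret so that "Password" is caught by the same breach and dictionary entries as "password"; a production verifier would normally compare a hash prefix against the breach corpus rather than holding plaintexts in memory.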


Another interesting point in the NIST SP 800-63B special publication is how often a password should be mandatorily updated:


"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."


Let us all get together and stop the obligatory 'change your password after 90 days'.


This is not helpful and creates far more risk than having mixed-character passwords of shorter length.



Strategies for Creating Long, Memorable Passwords


Here are some effective strategies to create long passwords that are both secure and relatively easy to remember:


• Use Passphrases: Instead of a random string of characters, create a passphrase consisting of a sentence or phrase. For example, "I love to watch the sunset over the ocean." You can then modify the passphrase slightly to add further complexity, such as replacing words with numbers or symbols ("I l0ve 2 watch the sunset ov3r th3 0cean!").


• Employ Acronyms: Take a memorable phrase or sentence and use the first letter of each word to create a password. For instance, "My favourite colour is royal blue" becomes "Mfcirb". We obviously recommend you add numbers and control characters for added security.


• Leverage Nonsense Phrases: Create a memorable phrase that doesn't necessarily make sense but is easy to recall. The more unique, the better.


• Use Password Managers Wisely: Password managers can be excellent tools for generating and storing long, complex passwords. However, it's crucial to use a reputable password manager and to protect the master password with extreme care, as it becomes the single point of failure.



Beyond Length: Addressing Other Security Considerations


While length is an important factor, it is worthwhile addressing other security considerations as well:


• Avoid Personal Information: Steer clear of using personal information such as your name, birthday, address, or pet's name in your passwords. This information is easily accessible and makes your password vulnerable to guessing / social engineering attacks.


• Use Unique Passwords for Each Account: Avoid reusing the same password across multiple accounts. If one account is compromised, all accounts using the same password become potentially vulnerable.


Finally, and most importantly, a short, easily memorised 8-character password (upper and lowercase letters with control characters) will be shielded from most risk by:


• Enabling Two-Factor Authentication (2FA): Whenever possible, enable 2FA. This adds an extra, decisive layer of security by requiring a second form of authentication, such as a code sent to your phone, in addition to your password.


There are several other forms of authenticators.


These include:


• Out-of-Band devices

• Single Factor One Time Password (OTP) Device 

• Multi-factor OTP Devices

• Single Factor Crypto Devices

• Multi-factor Crypto Software

• Multi-Factor Crypto Devices


Therefore, if you are concerned about the security of your password / authentication process, or would like to speak to someone regarding the different forms of MFA, please do not hesitate to contact us at info@cyberforensics.co.nz



References


National Institute of Standards and Technology (2025) Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management (Department of Commerce, Washington, D.C.), https://doi.org/10.6028/NIST.SP.800-63b