Olivier Reuland
White Hat Consulting
Pragmatic Information Security and Privacy Expert

Does password complexity matter?

Does password complexity really matter? And if not, what does?

MFA
security

Reading time: 3 minutes - 814 words

Does password complexity matter? Tables circulating on different websites show how many quintillion years it takes to brute force a password based on its complexity. Complexity matters, and “1234” and “password1” are not good passwords. However, I would argue that this is not the most essential factor. Let me explain why.

Time it takes a hacker to brute force your password in 2024: Hive Systems - www.hivesystems.com/password

There are two main scenarios we need to consider:

  • Offline - A file you want to encrypt offline, such as a backup, a sensitive document on a USB key or your offline crypto-wallet.
  • Online - Typically, it is a service such as Gmail, Spotify, or your bank.

Offline

First, let’s consider a sensitive file you want to protect. If this file ends in the wrong place, an attacker can unleash their high-powered CPU/GPU/ASICs to try to crack passwords with extremely low latency. In this case, the table above is relevant. You should protect your offline data with unique, complex passwords or passphrases. Ideally, you should generate password or passphrase randomly. I like passphrases or random words because they are easier to type (”catch black city balloon beat”). A password manager can help you securely store these passwords.

  • ✅ Choose a unique and complex password or passphrase when protecting offline documents.

Online

The numbers above assume you have unrestricted access. However, this is not the case for online services. First, there is a latency to access online services, and this changes things: An eight-letter random password, with 250 milliseconds latency per attempt, would take over 800 years to crack on average instead of 22 hours, as shown in the table above. Additionally, online services usually have additional protection against brute force attacks:

  • Attempts limits: e.g., only allow five wrong attempts before locking access from this connection
  • Rate limits: e.g., artificially slow down subsequent attempts to 3 seconds per attempt
  • Multi-factor authentication (MFA): e.g., request a one-time 6-digit code
  • Other protections: e.g., block anomalous or known malicious IPs

If implemented correctly, these factors protect your account online against brute-force attacks. So, should you go back to your trusted “password1”? Not so fast!

Password reuse

The first risk concerns password reuse. If dodgy-weak-service.com is breached, attackers will use your password and try it against other services you might use. This is called “password spraying.” So, if you have reused the password for your bank access, this could have severe consequences. Whilst you can do much about dodgy-weak-service being hacked, you can limit the risk by choosing unique passwords for each service. To protect yourself against the compromised password database of the dodgy-weak-service1, you could (and always should) enable multi-factor authentication (MFA).

Guessable, weak or well-known password

This is a cousin problem to the one above. if you are using weak or well-known passwords (see the top 1000 of the RockYou2024 collection), then an attacker can use the limited number of attempts they have to log into your account. This also applies to guessable passwords, such as your pet name or “gmail1” for your Gmail account. But an attacker doesn’t have that many attempts: they have other accounts they want to crack, other services, and different defence mechanisms working against them. Unlike passwords for offline files, a good password is sufficient, provided it’s unique and not easily guessable.

Phishing

The last big problem in the password family is phishing. This is when an attacker tries to trick you into providing your password via a fake site, email, social media, or any other channel. Having a password that would take an attacker nineteen quintillion years to crack won’t help if you give it away. Luckily you have ways to protect yourself here. First, prudence. But it’s easier said than done, as attackers are getting better at tricking people. The second is to enable multi-factor authentication (MFA). This will make it more difficult for attackers, but not completely. For this, you need to use phishing-resistant MFA 2, the most practical (and free) being passkeys.

Recommendations

Online services

  • ✅ Choose a unique and good password or passphrase.
  • Enable multi-factor authentication (MFA).
  • ✅ Use a password manager to help you generate and securely store random passwords.

For the more advanced users:

  • ✅ Use passkeys instead of passwords (always ensure you have two different ones, just in case you lose one).

Offline storage

  • ✅ Choose a unique and strong passphrase or random password.
  • ✅ Use a password manager to help you generate and store them securely.

Footnotes

  1. If the data has been compromised, it’s a different story. This is why you should always be mindful of what data you upload/share and where*.

  2. phishing-resistant MFA such as FIDO/WebAuthn authentication or Public key infrastructure (PKI)-based (the latter is mostly used in enterprise settings and typically to authenticate devices as opposed to people). Solutions using this technology, such as Passkeys, can even replace your passwords altogether.

Related