Rule of Thumb for Password Length: Add 1 Character Every 3 Years, Just to Keep Up

Here’s a rule of thumb: You need to make your passwords one character longer every three years, just to keep up with the attackers. The eight-character password that might have been good enough six years ago should be ten characters long now, to have the same strength.

Why is this? Computers keep getting faster and attack methods keep getting¬†smarter. If your password doesn’t keep growing, it keeps getting more and more vulnerable to attack.

Why one character every three years?

First, let’s look at the attackers. As a rule of thumb, I’m applying Moore’s Law to computer power, and therefore to attack strength for automated password guessers. Attack strength doubles every couple of years. Doubling every two years, for those who don’t do binary powers, is like adding one “bit” of attack strength every two years. Let’s call it half a bit per year.

Second, let’s look at the defending side – your password’s length. Despite the frequently regurgitated advice of adding punctuation to your passwords, password length matters a lot more than the use of special characters. (Guess what: The Bad Guys have heard about using special characters too.) A rule of thumb from the NIST Computer Security Resource Center¬†estimates that once you get past eight characters, each additional character adds 1.5 bits of entropy (password strength).

Now we compare the two trends: adding 0.5 bits of attack strength per year vs. adding 1.5 bits of defensive strength with every added character. In other words, one extra character of password length makes up for three years of faster computers. And there’s our rule of thumb: Make your passwords one character longer every three years.

Why Stop There?

There’s no need to stop there. As I’ll explain below, this rule of thumb isn’t perfect. Consider it a minimum standard. If you can come up with a much longer password you can remember, go for it. One way to do that: Think of a line from a song you’ll remember, and use the first two characters of each word. “Come on, Baby, let’s do The Twist” becomes “CoonBaledoThTw” – a nice fourteen-character password. Or you can throw in the punctuation if you want to pad it out some more: “Coon,Ba,ledoThTw.”

Got Quibbles?

One could easily argue that Moore’s Law doesn’t still hold, or that it doesn’t apply to password attack capabilities. Yup, that’s why I’m calling it a rule of thumb. The point is that computers keep getting faster, so your password needs to keep getting stronger to have the same survival chances it did a few years ago.

One could easily argue that the NIST rule of thumb for password entropy is invalid. In fact, there was some research a few years ago (“Testing metrics for password creation policies by attacking large sets of revealed passwords“) showing that NIST’s rule of thumb wasn’t accurate. Again, I’m offering my one-character-every-three-years rule of thumb as rough guidance. If you’re not doing at least that much, your password keeps getting weaker with each passing year.

You could also argue that lockout policies (temporarily locking your account after a certain number of bad guesses) make a lot of this go away. You’re right, if the attacker is trying to log in directly. (This is called an in-band attack.) However, if the attacker has acquired the password hashes, the lockout policies don’t apply. The attacker can make many millions of guesses per second.

But Every Other Article Says I Need Special Characters

The xkcd comic strip on password strength explains the problem well. Complexity rules are often harder on you than on an attacker.

Many years ago, somebody computed (correctly) that a larger character set, like the 94 characters found on a US computer keyboard, yields a lot more possible passwords. For example, eight lower-case letters give you almost 209 billion¬†possible passwords (26^8), whereas eight characters from the full keyboard give you about 6 quadrillion possible passwords. That’s about 29,000 times more possibilities, so – the thinking went – that password must be 29,000 times stronger. The problem is that the calculation applies only to randomly generated passwords. Most people don’t pick random passwords. If you tell them they can’t use “password,” chances are they’ll pick something like “Pa$$w0rd1,” and that’s pretty easy for an attacker to get. The Bad Guys have known about those substitution tricks for many years.

Longer Is Stronger

The best way to make your password stronger is to make it longer.

I offer up my rule of thumb to add at least one character every three years as a minimum standard, just to keep up.