This is an argument I am so very tired of having so I decided to prove it. In about 1998, I recall reading a paper co-written with United States Department of Defense and Microsoft, which explained why adding a single character length to a password was far superior to adding complexity requirements. Unfortunately, I cannot find that white-paper, but I can recreated the logic and the mathematic proof:
Complexity VS Length
Password Complexity Requirements Positives:
- These often include using a mix of uppercase letters, lowercase letters, numbers, and special characters
Password Complexity Requirements Negatives:
- Most people use very common number substitutions for letters and often end with !, which hacking algorithms and even brute force guesses work on first
- i.e. Password becomes Pa$$word, or TooSimple = T00$1mple
- Complexity requirements often force users to:
- write down passwords on easily hackable things like stickit notes
- and / or reuse the same complex passwords on multiple systems, so if Facebook accounts get hacked, an attacker can use the same password with someones X, Twitter or corporate accounts
Password Length Negatives:
- Longer is harder to remember and are more likely to be written down or reused but far less so than complex passwords
Password Length Positives:
- Adding just one more character to a password exponentially increases the number of possible combinations
The Math: Why Length Trumps Complexity
Lets assume a traditional password composed of just 10 character uppercase and lowercase letters (no numbers and no special characters)
- Possible characters: 26 (lowercase) + 26 (uppercase) = 52
- Total combinations: 52^10
11-Character Password (Uppercase and Lowercase Letters)
- Possible characters: 52
- Total combinations: 52^11
Complex 10-Character Password (Uppercase, Lowercase, Numbers, Special Characters)
- Possible characters: 26 (lowercase) + 26 (uppercase) + 10 (numbers) + 10 (special characters) = 72
- Total combinations: 72^10
Comparison
A 10 complex password has 25.9 times as many combinations as password with only uppercase lowercase letters. Compare that to an 11-character password with only uppercase and lowercase letters, which has 52 times as many combinations as a 10-character password with uppercase and lowercase letters
So we can mathematically prove that adding just one more character to the length of a password significantly increases the number of possible combinations, than adding complexity requirements does.
Reasons To Use a Longer Password:
- Ease of Use: Longer passwords can be easier to remember if they are made up of simple words or phrases, compared to complex passwords that are harder to recall
- Standard Substitutions: Hackers know the standard letter substitutions when there are complexity requirements, like:
- i gets replaced with the number 1
- s gets replaced with the dollar sign $
- o gets replace with the number zero
- Brute Force Resistance: Its simple math; longer passwords take significantly more time to crack using brute force methods, even if they are less complex
In summary, while complexity adds a large improvement in security, increasing the length of a password by just one character is more than twice and effective.