Long Passphrases Rock!

There's been a lot of conversation about this topic recently on my project team, and I'm starting to agree that long non-complex passwords seem to be a better way to go than shorter "complex" passwords.  Check out this article in Infoworld for an interesting article from Roger Grimes of Foundstone: http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html.

As far as life with a long passphrase goes, I was forced to change my password at work the other day and decided to put the long passphrase to the test.  I chose a passphrase that was 17 characters long and typed it into the password change dialog twice.  The system complained because it was not complex!  Argh!  Anyway, I complexified it a bit (enough to get past the complexity checker) and have been using an 18 character passphrase for the past week.  Within a day I had the muscle memory down and was typing it without error 90+% of the time.  This was as about as good as I've done with my prior password that was considerably shorter.

I think the notion that passwords can't be longer than 8 characters without users revolting or sending helpdesk costs through the rough is received wisdom that everyone "knows" is true, but no one has ever tested.  Maybe its time to start reconsidering...


Comments (5)

  1. Blake Handler says:

    Your company has a nice web tool for checking the "strength" of passwords.


  2. BillCan says:

    This tool is interesting, but it assumes that complex passwords are best (i.e., upper and lower case, special characters, etc.).  Is anyone aware of scientific research that someone has done around this?  I think this would make an excellent doctoral thesis: Complex Passwords and Long Passphrases: Theory and Practice.  Any grad students out there?!

  3. Andy says:

    Yes longer passwords can be harder to use, but the issue of usability comes into play. If you need to enter your password when you log in, when the screen locks up because you have been idle for two minutes or any other curious event that requires a password, entering in a long password gets pretty tiresome pretty quickly – especially if you’ve made it a complex one that is not easy to type.  Associate that with a passphrase and a long password actually gives someone watching you type, a longer period to work out what your phrase is likely to be (if you are a user who is using a passphrase instead of letters of a passphrase)

    Having a standard password that gets slightly modified as per the article also doesn’t work when a web page insists you need between 6 and 12 characters – what happens if you password is 18 characters long?

    I really don’t think there is such a thing as a magic formula to say what is complex and what isn’t complex.  

    Some people suggest using something like keeppass (iirc) that generates passwords but this is not much use if you use a different computer from time to time.

  4. Our Password Management paper section on Password Policy in the Identity and Access Management Series covers this topic fairly well…

  5. Corks says:

    Right randomly generated passwords  are more secure and gives the authority who issued these passwords control for all.if passwords are 18 characters long,it would take the hacker  approximately to hack it

Skip to main content