TL;DR
After around 20 characters, adding more length to your password gives diminishing returns in terms of security. Focus on using a passphrase (a sentence that’s easy for you to remember but hard for others to guess) and enabling multi-factor authentication instead.
Understanding Password Strength
Password strength isn’t just about the number of characters. It’s also about:
- Character types: Using a mix of uppercase letters, lowercase letters, numbers, and symbols makes it harder to crack.
- Randomness: Avoid predictable patterns or personal information (birthdays, names, etc.).
- Length: The longer the password, the more possible combinations there are, making brute-force attacks much slower.
Why Length Matters
Each character you add to a password exponentially increases its strength. For example:
- An 8-character password using only lowercase letters has around 43 million possible combinations (26^8).
- A 12-character password with mixed case, numbers and symbols has over 79 trillion possibilities.
However, this increase isn’t linear. The gains from adding characters become smaller as the password gets longer.
The Point of Diminishing Returns
- Around 12-16 Characters: This is a good starting point for strong passwords. Most modern systems will allow this length, and it provides substantial security against common attacks.
- Beyond 20 Characters: While longer is still technically better, the increase in security becomes marginal compared to the effort required to remember and type such a long password. Attackers also use techniques like rainbow tables, which are less affected by extreme length.
Think of it this way: going from 8 to 12 characters is a huge improvement. Going from 20 to 25 characters isn’t nearly as impactful.
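The arithmetic behind this section, as an added Python example that is not part of the original article: it estimates the character pool, an upper-bound entropy, and the time to exhaust a password by brute force. The guess rate of 10^10 per second and the 1,000-year horizon are assumptions chosen for illustration, and all function names are hypothetical.

```python
import math
import string

GUESSES_PER_SECOND = 1e10          # assumed offline guessing rate (illustrative)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def pool_size(password):
    """Character pool implied by the classes (lower, upper, digit, symbol) present."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += 33                  # 32 ASCII punctuation marks plus the space
    return pool

def entropy_bits(password):
    """Upper bound in bits: only exact if every character was chosen at random.
    Dictionary words and sentences are far more guessable than this figure."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0

def years_to_exhaust(pool, length, rate=GUESSES_PER_SECOND):
    """Years needed to try every password of `length` characters over `pool`."""
    return pool ** length / rate / SECONDS_PER_YEAR

def min_length(pool, horizon_years, rate=GUESSES_PER_SECOND):
    """Shortest random password whose full keyspace outlasts `horizon_years`."""
    if pool < 2:
        raise ValueError("pool must contain at least two characters")
    needed = horizon_years * SECONDS_PER_YEAR * rate
    length = 1
    while pool ** length < needed:
        length += 1
    return length

if __name__ == "__main__":
    for n in (8, 12, 16, 20, 25):
        print(f"{n:2d} random printable chars: {years_to_exhaust(95, n):.3g} years")
    print("min length, lowercase only, 1000 years:", min_length(26, 1000))
    print("min length, all printable, 1000 years:", min_length(95, 1000))
    phrase = "My cat loves chasing red laser pointers!"   # passphrase from the article
    print(f"{len(phrase)} chars, pool {pool_size(phrase)}, <= {entropy_bits(phrase):.0f} bits")
```

Once the exhaustion time is past any realistic horizon, further characters raise the number without changing the practical outcome.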
Passphrases vs. Passwords
Instead of trying to create a super-long, complex password, consider using a passphrase:
- What is a passphrase? A sentence or phrase that’s easy for you to remember but difficult for others to guess.
- Example: “My cat loves chasing red laser pointers!”
- Benefits: Passphrases are longer and more complex than typical passwords, making them harder to crack. They’re also easier to remember.
You can further strengthen a passphrase by:
- Adding numbers or symbols (e.g., “My cat loves chasing red laser pointers!2023”).
- Using capitalization in unexpected places (e.g., “My cAt Loves Chasing Red Laser Pointers!2023”).
Tools to Help
You can use password managers and strength checkers:
- Password Managers: Generate, store, and automatically fill in strong passwords for you. Examples include LastPass, 1Password, and Bitwarden.
- Password Strength Checkers: Estimate the time it would take to crack a password. How Secure Is My Password? is a good example.
Multi-Factor Authentication (MFA)
The most important thing you can do to improve your security isn’t just about the password itself; it’s adding an extra layer of protection:
- What is MFA? Requires a second form of verification in addition to your password (e.g., a code sent to your phone).
- Benefits: Even if someone steals your password, they won’t be able to access your account without the second factor.
Enable MFA wherever possible – on email accounts, social media, banking apps, and any other important services.

