1. Home
  2. Config
  3. Password Strength

Password Strength

This article was last updated 5/24/2019. It is provided for your convenience and relies on basic principles unlikely to be circumvented. The security of your systems is your responsibility, so please take the time to inform yourself about current best practices.

One way to create a strong password is to use a string of four or more words; unconnected by syntax, grammar or theme and at least 14 to 16 characters total.

For example pho hornet deft last -> phohornetdeftlast

Do not specifically use phohornetdeftlast as a password! It is an example only.

Password Storage

There are a number of ways to store a secure password: an encrypted password storage app, a pad of paper in a secure location or committing to memory an easy to remember, lowercase string.  Please use appropriate methods to help prevent your data from falling into the wrong hands.

How Often Should I Update My Passwords?

Recommended best practices have been changing on this.

A growing number of security experts argue that monthly or bi-monthly password changes encourage less secure passwords. We would recommend once a year, but please do consult current best practices.

These are reasons you should change a password immediately:

  • If you have the same password on many accounts
  • If you find a virus on a computer you have entered your password on
  • if you use the password on a public computer, like in a library
  • If you receive a notification that an account with this password has been compromised

Common Pitfalls

Conventional password wisdom suggests strings of at least 8 characters using the widest variety of character types (uppercase, lowercase, special, number). These 8 character passwords are not bad, but they are undermined by common practices that allow automated systems’ pattern matching abilities to break the code.

This includes:

  • Adding non-lowercase items consecutively, especially at the end or beginning of words.
  • Using personal information, password related imagery, or pop culture to create a password base.
  • Incrementing a password due to password change requirements.
  • Using the same password in multiple places.  In this case cracking one of your passwords means having all of them.

Let’s Look at the Math:

The more possible combinations of characters, the harder to guess a password is.  This is known as complexity. But the underlying math means that just a few extra characters in an entirely lowercase password adds more complexity than adding numbers and special characters.

You can calculate the complexity of a password by finding length and the character set it uses. Assuming a standard English Keyboard:

  • There are 25 lowercase letters.
  • There are 25 uppercase letters.
  • There are 10 digits.
  • There are up to approximately 26 special characters (depending on what your application permits)

To find the complexity of your password add together all of the character sets in your password.  Then multiply by that number for each character in the password.

So an 8 digit password using all character sets  (86 possible characters) could be 86 * 86 * 86 * 86 * 86 * 86 * 86 * 86 = 2.99 * 10 ^ 15 different strings.  That’s pretty good. But good passwords using all character sets tend to be very hard to remember.

But a 14 digit password using only lowercase letters offers 25 * 25 * 25 * 25 * 25 * 25 * 25 * 25 * 25 * 25 * 25 * 25 * 25 * 25 = 3.73 * 10 ^19 different strings. That’s even better. And for most people it is much easier to remember a good password in this form.

Now you might wonder why it’s recommended to use at least 4 words in addition to 14 characters.  But if a hacker realizes what you are doing, they can try combinations of words as a shortcut instead of characters.

According to Oxford Dictionary there are 171,476 words currently in use in the English language. This isn’t quite representative because some words are used more often than others, but should be close enough. A minimum of 4 words means for a clever hacker there are 171,476 * 171,476 * 171,476 * 171,476 = 8.65 * 10 ^ 20 combinations.  That’s even better than before! Just remember to avoid related words, and this is a relatively secure way of generating passwords.


Updated on September 11, 2019

Was this article helpful?

Related Articles