
2013-08-18 stronger passwords

Long simple passwords are more secure and easier to remember than short complex passwords. Would you rather remember 1@4THxc( or "good icecream stinky shoes"?

Consider passwords of length m chosen from a set of characters with x elements. x might be 36 for letters and digits, 62 including uppercase, 256 if you can really encode all of those. The number of possible passwords is then x^m.

Consider 8-character passwords vs. 16-character passwords.

There are almost a million *times* as many 16-character passwords from the smaller character set (36 symbols) as there are 8-character passwords from the larger character set (256 symbols). Length wins, so just use *long* passwords.

An 8-character password chosen randomly from a set of 64 characters has 64^8 = 2^48 combinations. If you choose random words from a small dictionary of 4096 words, you only need 4 words to get 48 bits of randomness (4096^4 = 2^48), and it is easier to remember.
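The arithmetic above, carried through in code as an added example (not from the original post): entropy as m*log2(x), the ratio of 16-character/36-symbol to 8-character/256-symbol passwords, the word count needed to reach a target, and a passphrase picker that draws words with a CSPRNG so the computed entropy actually holds. The word list is a constructed toy; a real one would hold thousands of words.

```python
import math
import secrets


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a password of `length` symbols, each chosen
    uniformly at random from `alphabet_size` possibilities: log2(x^m) = m*log2(x)."""
    return length * math.log2(alphabet_size)


def combinations_ratio(x_small: int, m_long: int, x_large: int, m_short: int) -> float:
    """How many times more passwords of length m_long over x_small symbols exist
    than passwords of length m_short over x_large symbols (x_small^m_long / x_large^m_short)."""
    return x_small ** m_long / x_large ** m_short


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen dictionary words reaching target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


# Constructed toy word list (assumption for the example); a diceware-style
# list of 4096 words gives 12 bits per word.
WORDS = ["good", "icecream", "stinky", "shoes", "river", "candle", "orbit", "maple"]


def passphrase(words: list[str], count: int) -> str:
    """Join `count` words chosen with the `secrets` module. The entropy figures
    above assume a uniform choice; `random.choice` is not suitable for secrets."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print("8 chars from 64 symbols:", entropy_bits(64, 8), "bits")
    print("4 words from 4096:", entropy_bits(4096, 4), "bits")
    print("36^16 / 256^8 =", f"{combinations_ratio(36, 16, 256, 8):,.0f}")
    print("words for 48 bits from 4096:", words_needed(4096, 48))
    print("example passphrase:", passphrase(WORDS, 4))
```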

Of course, we could wander off here into a discussion of the relative strengths of hash algorithms, the need for salt, etc. But that entire discussion really applies to folks who build the password system. For a user who is forced (or chooses) to use some particular password system (gmail, facebook, Windows, Linux, etc.), pick length over complexity.