How long should my passwords be?
by Jeffrey Goldberg
When every website you create a login for suggests a different length password, it can be tough to determine how long your password should actually be. You know that a longer password is more secure, but longer than what? 6 characters? 12 characters? 24 characters?
To answer this, we first need to look at what kind of password you need to create. Is it one of the very few you will need to memorize, like your 1Password Master Password, or is it one that you generate using our strong password generator, which you may never have to type, see, nor remember? We aren’t talking about human-created passwords here as passwords created by humans are easily guessable by machines.
So from now on, we are assuming that you are using a secure password generator, as you should be.
The short answer to the length question is that when using 1Password’s password generator you should just use the default settings: 20 characters for character-based passwords and four words for the wordlist-based ones.
Most of the requirements that web sites and other services impose on people creating passwords don’t really apply when we are considering security-generated passwords. Those rules were designed to get humans to make up good passwords. It also turns out that those rules don’t even work at their intended purpose. Indeed, NIST is now explicitly advising against imposing any requirements other than a minimum length. Nonetheless, people may still be faced with those sorts of requirements for a long time.
Every website is different, but they typically set minimum lengths of 8 or perhaps 10 characters. (The last research I’ve seen on this is far out of date, so I’m largely just guessing about this.)
It makes sense that when you’re tasked with creating a new password, you’ll come up with something as short as possible, as quickly as possible. We get it. You want to sign up, log in, and move on with your day. But by only hitting the minimum requirement, you leave yourself more vulnerable to having your password cracked.
Our default length for generated character passwords is 20, but as you will see below that is overkill for generated passwords. We would go with 15, but those don’t feel strong enough to people, and we would get complaints. Many people do not see how strong properly generated passwords are.
There’s a pervasive belief that requiring digits and special characters in a password make the password stronger. But the effects of these requirements differ for human-created passwords and for properly generated passwords. A human-created 11-character password with mixed-case letters, digits, and symbols might look like
Letmein!123. An 11-character password generated by 1Password and using mixed-case letters only might look like
lwlXgHeaWiq. The generated one, even without digits or special characters, is going to be enormously harder to guess than the human-created one.
Now our password generator will create passwords with digits and symbols because those are required by so many sites. And for things that are properly generated, allowing more kinds of characters does improve strength (a little bit).
Before I start using the word “entropy” when talking about password strength, I should issue a word of warning. Almost everything you read that uses the word “entropy” when talking about password strength is wrong. Entropy only makes sense as a way of talking about password strength if the scheme used for creating a password is just as likely to produce each possible output as any other. A scheme that generates 11-character passwords from letters, digits, and symbols that is more likely to come up with a password like
lwlXgHeaWiq is not one for which the word “entropy” makes sense. It turns out that even some popular password generators do not create passwords uniformly, but for this discussion I am focusing on 1Password’s secure password generator which does this correctly.
So we can talk about the entropy of passwords generated by 1Password’s strong password generator, but there is no use in that if you don’t know what I mean. A password with 20 bits of entropy is twice as hard to crack as one with 19 bits. The 20-bit password is half as hard to crack as password with 21 bits. A password with 20 bits of entropy is drawn uniformly and randomly from 2²⁰ possible distinct passwords. That is just over 1 million. Because password-guessing systems can make hundreds of thousands of guesses per second (if the passwords are well hashed) or tens of millions of guesses per second (if the passwords are not well hashed), a 20-bit password is not strong enough for many purposes. An 11-character password drawn only from mixed case letters has around 65 bits of entropy which is more than sufficient for almost any purpose.
Now that we can talk about bits of entropy for passwords created by 1Password, we can return to the question of how much length contributes to strength and compare that to how much character classes contribute to strength.
Let’s contrast two pairs of password generation settings. 11 or 12 characters, and requiring digits versus letters only.
|11 characters||12 characters||16 characters||20 characters|
The lesson from that table is that while adding in digits increases the strength, you get a greater strength increase through even a small increase in length. A larger increase in length creates an enormous difference. Recall that each bit corresponds to doubling the number of possible passwords (and so doubling the amount of work an attacker needs to do). This makes the 16 character letters-only password (91 bits) 8 million times harder to guess than the 12-character (68 bits) one, while the 12-character password with digits (71 bits) is only eight times harder to crack than the letters-only one.
Just to give you an idea of what some of those bits translate to if a 70-bit password is well hashed: it is probably outside the range of what a major government could crack, while if it is poorly hashed, it is probably within the power of a major government willing to dedicate enormous time and resources to the problem. (For those who are going to remind me that it is widely believed that the NSA can brute force cryptographic keys in the 80- to 90-bit range, I will point out that guessing keys doesn’t involve any of the memory operations that guessing passwords do.) A 90-bit password is well outside the range of what even the most determined and well-resourced attacker could do. They simply would not try to guess it.
To get a sense of what it would take to crack a 128-bit cryptographic key (which are easier to make guesses at than passwords), take a look at something I wrote about dogs searching for toys and the age of the universe a few years ago.
As 1Password will remember the password for you, keep it safe, fill it in to the right web page, and allow you to securely share it with those who you may need to share a password with; you don’t have to worry that it is 20 characters of untypable gibberish that can’t be humanly remembered or used. But if you come across some service that only allows 16 character passwords, you don’t need to worry about the strength of those either. A 16-character properly generated password is going to be more than strong enough.
It’s all well and fine to generate passwords that you will never have to type or remember, but your 1Password Master Password is different. The kind of advice we offer in “Toward Better Master Passwords” still stands, with only the update that 1Password’s password generator will create these kinds of passwords for you.
For your 1Password Master Password, using a four-word password (56 bits) from our password generator is going to be enough for anyone because we hash it well and because your Secret Key means that password-cracking isn’t a viable attack on the data that we hold. The strength of your Master Password and our hashing is, however, your defense against cracking attempts against data stolen from your system. A three-word (42 bits) Master Password will buy you time if your data is stolen. Whether that time is months or years depends on what kinds of resources the attacker is able to throw at it. A four-word (56 bits) Master Password would cost the attacker tens of millions of dollars to crack, and a five-word one (71 bits) is going to be outside the range of major governments given how these are hashed. And even if a major government could realistically crack a four-word password, they would almost certainly try a less expensive line of attack.
One of the benefits of using properly generated passwords is that we can know exactly how strong they are. They maintain their strength even when the attacker knows precisely how they were generated. This is the opposite of many of the clever schemes that people come up with for creating passwords. Much of the purported security of many of those schemes evaporate as soon as the attacker can guess that it is a scheme that you may have used.
That all leads to an interesting paradox. Most password creation advice becomes bad advice as more people use it. The more popular a scheme becomes, the more attackers will tune their systems adjust. Remember that criminals know more about password creation behavior than anyone else, as they’ve seen and studied the most real data. A proper password generator, on the other hand, remains just as strong even if everyone uses it and the attacker knows every detail of the scheme. With apologies to Immanuel Kant: Good password creation advice should remain good even if everyone follows it.