What determines the strength of a password

There are some common misunderstandings about what determines the strength of a password.

During the course of the past decade there have been several studies on what constitutes a strong password.

Some people believe it’s password complexity that determines the strength of a password, saying that adding special characters alone strengthens a password.

Others believe that it’s the length of the password that determines its strength.

Their argument is that the longer a password is, the more possible combinations the hacker or program has to go through, so the longer it takes to crack the password. Another argument is that a 6-character password, even with some kind of password complexity, still leaves a relatively small number of possibilities to go through, and therefore a longer password (16 characters) is the better option even if no password complexity is involved.
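
The length-versus-complexity argument above, worked through as an added example (not part of the original article): it counts the candidates an exhaustive search has to try for a password, based on its length and the character classes it uses. The two sample passwords are constructed, and the rate of 100 billion guesses per second is an assumption.

```python
import string

# The four character classes of printable ASCII (95 characters in total).
CLASSES = {
    "lowercase": set(string.ascii_lowercase),   # 26
    "uppercase": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),               # 10
    "special": set(string.punctuation + " "),   # 33
}
GUESSES_PER_SECOND = 100_000_000_000  # assumed attacker speed, not a measured figure


def alphabet_size(password):
    """Size of the alphabet an attacker must cover: every class the password uses."""
    known = set().union(*CLASSES.values())
    unknown = set(password) - known
    if unknown:
        raise ValueError(f"characters outside printable ASCII: {sorted(unknown)}")
    return sum(len(chars) for chars in CLASSES.values() if chars & set(password))


def search_space(password):
    """Candidates tried by an exhaustive search of every length up to len(password)."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Time to exhaust the whole search space at the given guess rate."""
    return search_space(password) / rate


if __name__ == "__main__":
    # Constructed sample passwords: 6 characters using all four classes,
    # and 16 characters using lowercase letters only.
    for pw in ("aB3$xY", "mylongpassphrase"):
        secs = worst_case_seconds(pw)
        print(f"{pw!r}: length {len(pw)}, alphabet {alphabet_size(pw)}, "
              f"{search_space(pw):.3e} candidates, {secs:.3e} s "
              f"({secs / 31_557_600:.3e} years)")
```

This models exhaustive search only; a long password built from dictionary words can fall to a wordlist attack much sooner than the figure suggests.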

There are some websites that provide an indication of password strength, but as always, not all websites are trustworthy.

We are listing 2 websites that 5 Star Technology uses.
The first website is part of the Microsoft Safety & Security site.

Microsoft’s website will tell you if the password is strong according to their algorithms.

The other is the Gibson Research Corporation (GRC) website. This website will analyze how long it will take to crack a password.

After you have created a strong password on the Microsoft site, you can verify on GRC how long it would take for a hacker to break the password.

Besides the technical point of view, we also have to consider how users react when confronted with entering a complicated password that they cannot remember easily.

Some studies have also shown that users are more frustrated by password complexity requirements than by password length. This means they prefer a longer password to trying to figure out how to enter 3-4-5 special characters to make the password harder to crack.

In addition to all of this, not all websites are created equal. Some websites accept a maximum of 8 characters, while other websites (Microsoft) accept 16 characters and others (Google) accept up to 100 characters.

Nowadays, with the technology currently available, there is no real reason to limit the password field to a small number, so in the long run we can hope that all websites will eventually have a password field with 16 or more characters.

5 Star Technology recommends a password of 11 or more characters, with at least 5 characters from the combination of uppercase, lowercase, numbers and special characters.

See also the article: How to create an excellent password strategy.

On a somewhat related note, there is also the development of an authentication method called 2-factor authentication, which is authentication by something you know and something you have. With a second authentication step based on something you have, even if a hacker cracks your password, the hacker “hopefully” won’t have access to the second part of the authentication (the something you have) and will not be able to access your account.