Meanwhile, a password that's 18 characters in length – and which uses a mix of numbers, lowercase and uppercase letters, and symbols – could take up to 438 trillion years for the average hacker to crack, according to Hive Systems.
If you want security that lasts, an 18-character password would take 79 billion years to crack with today's hardware. The bottom line: if you still use a six-letter password, and reuse it across multiple sites, you effectively have no security at all. Take this as a push to strengthen it.
Passwords vs Passphrases
According to Hive, a 7-character password that uses the widest range of characters can be cracked in just four seconds, but an 18-character password of exclusively lowercase letters takes 481,000 years to crack.
It evaluates each password based on key factors such as: Number of characters: The password should have at least eight to 10 characters, but 16 to 20 characters is ideal. Combinations: The password should include a combination of letters, numbers, and symbols rather than a single phrase.
In fact, the National Institute of Standards and Technology (NIST) states, "Password length has been found to be a primary factor in characterizing password strength." To strengthen the security of your online information, ensure your passwords are a random mix of at least 14 to 16 characters.
16+ character passwords can actually be easier to remember. Instead of using a single word with lots of character types (uppercase, lowercase, special characters, and numerals), you can use more words with fewer character types. Think of your password as a passphrase.
So as you can see, from just a rudimentary brute-force perspective, the longer a password is, the harder it is to crack. 14 characters would take many years to brute force, even with today's processing power, so length alone takes some of the cracking options out of an adversary's toolbox.
This is why we universally recommend that all privileged accounts use a minimum password length of 25 characters, and that regular users use passwords of 16 characters or more.
There are 62 possibilities for each character (26 lowercase, 26 uppercase, 10 digits), and 16 characters. This translates to 62^16 (47672401706823533450263330816) trials in the worst case, or half of that on average. If the attacker can do a billion trials per second, the worst case is 47672401706823533450 seconds, which is about 1,511,681,941,489 years (roughly 1.5 trillion).
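The keyspace arithmetic in the paragraph above, together with the passphrase comparison made earlier, in runnable form. This is an added example, not code from the original page, Hive Systems or NIST. Its assumptions: ASCII-only character sets, a 365-day year (which is what reproduces the page's 1.51 trillion-year figure), a 7776-entry word list for passphrases (the Diceware list size), and a fixed guess rate that ignores which hash function protects the password.

```python
"""Brute-force keyspace, entropy and crack-time arithmetic.

Added example, not from the original page. Assumptions: ASCII-only alphabets,
a 365-day year (matching the page's 1.51 trillion-year figure), a 7776-word
list for passphrases, and a guess rate that ignores the hash in use.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Character-set sizes (assumption: plain ASCII, no Unicode).
ALPHABET_SIZE = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "alnum": 62,        # the 62 possibilities used in the passage above
    "printable": 95,    # every printable ASCII character, including space
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords: alphabet_size ** length (exact integer)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(alphabet_size: int, length: int,
                       guesses_per_second: float, expected: bool = False) -> float:
    """Seconds to exhaust the keyspace (worst case) or, with expected=True,
    the average case of half the keyspace. Only meaningful for a uniformly
    random password: a dictionary word or pattern falls to a wordlist sooner."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / 2 if expected else seconds


def crack_time_years(alphabet_size: int, length: int,
                     guesses_per_second: float, expected: bool = False) -> float:
    """Same as crack_time_seconds, expressed in 365-day years."""
    return crack_time_seconds(alphabet_size, length,
                              guesses_per_second, expected) / SECONDS_PER_YEAR


def passphrase_entropy_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a list of
    `wordlist_size` entries (7776 = Diceware list size; an assumption)."""
    return words * math.log2(wordlist_size)


def equivalent_random_length(bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random password over `alphabet_size` symbols that
    has at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    rate = 1e9  # guesses per second, as in the passage above
    print(f"{'charset':<12}{'len':>4}{'bits':>8}{'worst-case years':>20}")
    for name, size in ALPHABET_SIZE.items():
        for length in (8, 12, 16, 25):
            print(f"{name:<12}{length:>4}{entropy_bits(size, length):>8.1f}"
                  f"{crack_time_years(size, length, rate):>20.3g}")
    bits = passphrase_entropy_bits(4)
    print(f"4 random words: {bits:.1f} bits, about the same as a "
          f"{equivalent_random_length(bits, 62)}-character random alphanumeric password")
```

The guess rate is the variable that matters most: a billion guesses per second is realistic for GPU hardware against an unsalted fast hash such as MD5 or NTLM, but orders of magnitude too high for a properly configured slow hash (bcrypt, scrypt, Argon2). That is why the same password can be hopeless to crack in one breach and trivial in another.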
Are hackers really guessing 18- and 19-character passwords? The quick answer is YES! But as with all things, it is a little more complicated than that. First, the threat that requires super long passwords is password hash cracking, where an attacker has been able to obtain password hashes.
Long and complex passwords are the hardest to crack.
Higgins' best advice for ideal password length is 12 or more characters, including a mix of lowercase and uppercase letters, numbers and special symbols (an exclamation point or # symbol, for example).
A 14-character password (the NIST-recommended length) drawn from all 95 printable ASCII characters gives you 95^14, about 4.8 x 10^27, combinations. Even at 100,000,000 guesses per second, trying every possible combination would take about 1.5 trillion years.
On average it only takes a hacker two seconds to crack an 11-character password that uses only numbers. But if you throw in some upper- and lower-case letters, that number changes: it takes the hacker 1 minute to crack a seven-character password.
The best, most powerful and strongest passwords are long, hard-to-guess, and unique. That means using a minimum of 15 characters, using words or phrases that are hard to guess and difficult to connect to you, and never reusing passwords across multiple accounts.
Password uses repeated or sequential characters
The string “123456789”, for example, is the second most popular password and, despite containing nine digits, it would be cracked in a few seconds. The same applies to combinations like “AAAAAA” or “abcdefgh”, as well as obvious words like “password” or “password123”.
Avoid patterns like "ababab" or "aaaaa". Different Character Types: Use all allowed types of characters, such as upper- and lower-case letters, numbers, punctuation, and special characters. If you do not, make your password longer to compensate. Avoid passwords consisting only of letters or only of numbers.
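A small checker for the weak patterns named in the two passages above: repeated blocks such as "aaaaa" or "ababab", sequential runs such as "123456789" or "abcdefgh", well-known passwords, and a single character class that is not compensated by extra length. This is an added example, not code from the original page. The COMMON_PASSWORDS set is a constructed handful, not a real breach list, and the thresholds (runs of 4, a 12-character minimum, 16 characters when only one character class is used) are policy choices taken from the numbers on this page.

```python
"""Detect the weak-pattern classes described above.

Added example, not from the original page. COMMON_PASSWORDS is a constructed
sample; a real check uses a full breach-derived list. Thresholds are policy
choices taken from the page's numbers.
"""
import string
from typing import List, Set

# Constructed sample of well-known weak passwords (assumption), checked
# case-insensitively. Production code would query a full corpus instead.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "password123",
    "qwerty", "abc123", "letmein", "111111",
}


def repeated_block(pw: str, min_repeats: int = 3) -> bool:
    """True if pw is one short block repeated at least min_repeats times,
    e.g. "aaaaa" (period 1) or "ababab" (period 2)."""
    n = len(pw)
    for period in range(1, n // min_repeats + 1):
        block = pw[:period]
        if (block * (n // period + 1))[:n] == pw:
            return True
    return False


def longest_sequential_run(pw: str) -> int:
    """Length of the longest run of characters stepping by +1 or -1 in code
    point within one class (letters with letters, digits with digits), such
    as "abcd" or "9876". Keyboard walks like "qwerty" are not code-point
    sequences and are deliberately NOT caught here."""
    best = 1 if pw else 0
    for direction in (1, -1):
        run = 1
        for prev, cur in zip(pw, pw[1:]):
            same_class = ((prev.isdigit() and cur.isdigit())
                          or (prev.isalpha() and cur.isalpha()))
            if same_class and ord(cur) - ord(prev) == direction:
                run += 1
                best = max(best, run)
            else:
                run = 1
    return best


def character_classes(pw: str) -> Set[str]:
    """Which of lower / upper / digit / symbol appear in pw."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def assess(pw: str, min_length: int = 12, single_class_min_length: int = 16,
           max_sequence: int = 3) -> List[str]:
    """Return a list of findings; an empty list means none of these checks
    fired (which is necessary, not sufficient, for a good password)."""
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("common password")
    if repeated_block(pw):
        findings.append("repeated block")
    if longest_sequential_run(pw) > max_sequence:
        findings.append("sequential run")
    # Only one character class is acceptable (a lowercase passphrase) if the
    # password is long enough to compensate, per the advice above.
    if len(character_classes(pw)) == 1 and len(pw) < single_class_min_length:
        findings.append("single character class without extra length")
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the page's examples plus one random string and one passphrase.
    for candidate in ("123456789", "AAAAAA", "abcdefgh", "ababab", "password123",
                      "R7m#kQ2vLp9!xZ4w", "glaciertubaorbitmaple"):
        print(f"{candidate!r:28} -> {assess(candidate) or 'no findings'}")
```

Note what the last two inputs show: the all-lowercase passphrase passes because its length compensates for the single character class, exactly the trade-off the advice above describes, while the 16-character random string passes on all counts. A clean result here says nothing about whether the string appears in an attacker's wordlist, which is why the common-password check needs a real corpus rather than this sample.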
Experts recommend using longer passwords when possible. The longer a password is, the more possible combinations it has, making it harder and harder for cybercriminals to crack.
An 8-character password may be fine for a few days of protection, but a 12-character password is generally thought to be long enough to provide protection for a maximum of 90 days. A 15-character password is often considered good protection for up to a year.
A long password is a good password
When it comes to password security, length really does matter. We recommend opting for a password that's at least 12 characters long, even longer if you can. Each additional character multiplies the number of possible combinations by the size of the character set, so the keyspace grows exponentially with length.
Increasing the password to a 13-character full alphanumeric (62-character set) password increases the time needed to crack it to more than 900,000 years at 7 billion attempts per second. This, of course, assumes the password does not use a common word that a dictionary attack could break much sooner.
Long passwords are stronger, so make your password at least 12 characters long. These tips can help you create longer passwords that are easier to remember.