We all have passwords. Most of us hate writing a new one for every new account we open. The traditional thinking always said that for a password to be secure, it was necessarily unwieldy to memorize. So who wants to memorize vRg5BoTA for your new Spotify account when you just solidified a mnemonic in your head for your Gmail password? Many older account systems limited your passwords to between 6 and 12 characters, so increasing complexity through a larger alphabet and using non-dictionary words was crucial to give yourself a chance against password-guessing attacks. If you’re still using 6-character passwords, I have bad news for you: you’re so laughably vulnerable, you don’t even register as roadkill for a dedicated cracking system — more like a mosquito trying to escape the pull of a fighter jet turbofan. A case-sensitive alphanumeric 6-character password has just 57 billion permutations. If you include all 95 printable ASCII characters, that’s still just 690 billion permutations. Even setting aside obvious and potent optimizations such as dictionary-word checking and 1337 substitutions, professional cracking systems can brute-force 30 billion passwords per second!
More likely our readers already know that short passwords are practically useless and have adopted longer passwords of 12-20 characters or more. Perhaps you’ve read the recent xkcd comic demonstrating that several case-insensitive common words strung together are collectively more secure than conventionally complex 10-12 character passwords. In a general sense, yes: adding length raises the difficulty far faster than making your password unwieldy does, because each extra character multiplies the search space by the alphabet size. Some of us at Gemini prefer to use whole sentences as passwords (as long as 30-50 characters) where possible. Even if case-insensitive, a length of 30+ is so non-trivial that brute-force attacks are eons beyond impractical. However, not all account services permit passwords that long, so to remain secure on those you have to rely on high complexity (and the maximum length allowed). If you have many of these accounts, it may be easier to use a password manager for them, such as LastPass, a tool that saves and encrypts your passwords and releases them after prompting for a master password (which can be long and complex, and further bolstered by multi-factor authentication).
Sometimes it can also be difficult to manually devise a truly random complex password for these accounts, and for that there are many password generators, but I personally prefer using Wolfram Alpha because it gives a very thorough summary. Just enter “password of n characters”, where ‘n’ is the length you require, and it produces a lengthy report. One interesting feature is that it also spits out a phonetic form of your password in call signs, which can help you memorize the one it generated or can be used as a very long password itself. Wolfram Alpha also displays the password entropy and the total number of permutations for passwords of that length over various alphanumeric sets, which is rather interesting to see, and you can change the password input rules, too. For instance, if I want to write out an all-lower-case sentence of 30 characters for my password, WA tells me that there are about 10^42 permutations and 185 bits of complexity – far too difficult to brute force. In case you’ve never seen or done these calculations before, this is a terrific way to gauge how secure your passwords ought to be. It also gives nice examples of each for you to write down (the text isn’t selectable). This tool is quite handy and was also recently featured on Lifehacker.
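If you want to run these numbers yourself rather than rely on Wolfram Alpha, the following script is an added example written for this post (it is not Wolfram Alpha's code or anything from the post's author). It computes the permutation count, entropy in bits and worst-case exhaustive-search time for the three alphabets discussed above (26 lowercase, 62 alphanumeric, 95 printable ASCII), using the 30 billion guesses per second figure quoted above as the assumed cracking rate; it also scores an xkcd-style passphrase (the 2048-word list size is an illustrative assumption), generates a password from the OS CSPRNG via `secrets`, and spells it out in NATO call signs. The call-sign rendering is my own and is not a copy of Wolfram Alpha's output format.

```python
"""Password permutation/entropy calculator plus a CSPRNG-backed generator.

Added example for this post; not Wolfram Alpha's or the author's code.
Assumes the 30 billion guesses/second cracking rate quoted in the post.
"""
import math
import secrets
import string

GUESS_RATE = 30_000_000_000  # guesses per second, figure quoted in the post

# The alphabets discussed in the post (sizes 26, 62 and 95).
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "alphanumeric": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation + " ",
}

# NATO phonetic alphabet used for the call-sign spelling (my own rendering).
NATO = ["alfa", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel",
        "india", "juliett", "kilo", "lima", "mike", "november", "oscar", "papa",
        "quebec", "romeo", "sierra", "tango", "uniform", "victor", "whiskey",
        "x-ray", "yankee", "zulu"]
DIGIT_WORDS = ["zero", "one", "two", "three", "four",
               "five", "six", "seven", "eight", "nine"]


def permutations(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: int = GUESS_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return permutations(alphabet_size, length) / rate


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list of `dictionary_size`.

    This is the xkcd argument: an attacker who knows the word list and the
    scheme gains nothing from case or punctuation, only from the word count.
    """
    return word_count * math.log2(dictionary_size)


def generate_password(length: int, charset: str = "alphanumeric") -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.random()."""
    alphabet = CHARSETS[charset]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def phonetic(password: str) -> list:
    """Spell a password in call signs; uppercase letters get a capitalised word."""
    words = []
    for ch in password:
        if ch.isascii() and ch.isalpha():
            word = NATO[ord(ch.lower()) - ord("a")]
            words.append(word.capitalize() if ch.isupper() else word)
        elif ch.isascii() and ch.isdigit():
            words.append(DIGIT_WORDS[int(ch)])
        else:
            words.append(ch)  # punctuation and space are read out literally
    return words


if __name__ == "__main__":
    seconds_per_year = 365.25 * 24 * 3600
    for name, alphabet in CHARSETS.items():
        size = len(alphabet)
        for length in (6, 12, 30):
            years = seconds_to_exhaust(size, length) / seconds_per_year
            print(f"{name:>12} len={length:2d}: {entropy_bits(size, length):6.1f} bits, "
                  f"{permutations(size, length):.2e} candidates, "
                  f"{years:.2e} years to exhaust at {GUESS_RATE:.0e}/s")
    # Illustrative assumption: a 2048-word list gives 11 bits per word.
    print(f"4-word passphrase from 2048 words: {passphrase_bits(4, 2048):.0f} bits")
    pw = generate_password(12, "printable")
    print(pw, "->", " ".join(phonetic(pw)))
```

Running it shows the scaling the post describes: a 6-character alphanumeric password is exhausted in under two seconds at the quoted rate, while a 30-character lowercase sentence needs on the order of 10^24 years, which is why length beats alphabet size. The generator deliberately uses `secrets` rather than `random`, since the latter is a Mersenne Twister whose state can be recovered from its output.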