Does password complexity matter?
Does password complexity really matter? And if not, what does?
Hive Systems charts show "1234" lasting seconds and long random strings lasting geological ages. Complexity matters. It is still not the main story for most accounts you care about.
Split the problem.
Offline
Backup files, USB documents, crypto wallets, encrypted archives. The attacker can throw GPUs at the ciphertext with no rate limit. Here the table is real. Unique, strong passphrase or random password. Generate it; store it in a manager. password.whc.services if you want a local generator.
Online
Gmail, bank, Spotify. Latency alone wrecks the table - hundreds of milliseconds per guess instead of GPU throughput. Services also add lockouts, rate limits, MFA, and IP reputation.
What actually burns online accounts:
- Reuse -
dodgy-weak-service.comleaks; attackers spray that password at your bank. Unique passwords per service. - Guessable / RockYou-class passwords - limited attempts still work if you pick
gmail1or a pet name. RockYou2024 is a reminder how short the popular list is. - Phishing - a quintillion-year password does nothing if you type it into a fake site. MFA helps. Passkeys (phishing-resistant) are the end state.
For online: unique + not obvious + MFA. Prefer passkeys and turn password login off where you can. I wrote the short version in 7,000 password attacks per second and the MFA push in Time to enable MFA everywhere.
Related
- Enable MFA Everywhere for turning MFA on across accounts
- MFA on Shared Accounts for when multiple people share a login
- Stop Using PII as Evidence of Identity for why PII is not authentication