Skip to content

Does password complexity matter?

Does password complexity really matter? And if not, what does?

Hive Systems charts show "1234" lasting seconds and long random strings lasting geological ages. Complexity matters. It is still not the main story for most accounts you care about.

Time to brute force passwords by complexity, Hive Systems 2024
Offline crack times from [Hive Systems](https://www.hivesystems.com/password) - relevant when the attacker has the hash file.

Split the problem.

Offline

Backup files, USB documents, crypto wallets, encrypted archives. The attacker can throw GPUs at the ciphertext with no rate limit. Here the table is real. Unique, strong passphrase or random password. Generate it; store it in a manager. password.whc.services if you want a local generator.

Online

Gmail, bank, Spotify. Latency alone wrecks the table - hundreds of milliseconds per guess instead of GPU throughput. Services also add lockouts, rate limits, MFA, and IP reputation.

What actually burns online accounts:

  1. Reuse - dodgy-weak-service.com leaks; attackers spray that password at your bank. Unique passwords per service.
  2. Guessable / RockYou-class passwords - limited attempts still work if you pick gmail1 or a pet name. RockYou2024 is a reminder how short the popular list is.
  3. Phishing - a quintillion-year password does nothing if you type it into a fake site. MFA helps. Passkeys (phishing-resistant) are the end state.

For online: unique + not obvious + MFA. Prefer passkeys and turn password login off where you can. I wrote the short version in 7,000 password attacks per second and the MFA push in Time to enable MFA everywhere.

Olivier Reuland