Passwords and passphrases are both secure – so choose what you prefer
In Issue 614 Ted Winter writes that his 25-random-character password was rated excellent, whereas a random three-word password of 25 characters was rated poor. It’s worth putting this into context. Twenty-five random characters, based on a character set of, say, 60 (upper and lower case, plus 0-9 numerals), gives upwards of 10 to the power of 30 combinations, which is a million million million million million.
A three-word password based on 60,000 words (including plurals and different tense endings) gives upwards of 10 to the power of 13 combinations, which is over a million million.
So, the former is stronger. Let’s assume a password-cracking brute-force attack trying every combination in turn at 10 every second, which works out as 2.4 times 10 to the power of 7 (20 million) attempts a year. At that rate, it would take 10 to the power of 23 years to crack a password made up from 25 random characters. That’s longer than the life of the universe so far!
If you have a password manager, and therefore don’t have to remember your passwords, then by all means use 25 random characters. But when you don’t have access to a password manager, using three random words still has a place. Cracking it by trying every combination of words (ie, not characters) would still take over 10,000 years. This can be increased by using the full 200,000 words in the English dictionary. And these passwords can be memorable while still secure. So, horses for courses?
Andrew Smith
The Star Letter writer wins a Computeractive mug!
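The keyspace comparison discussed in the letter above, as an added example that is not part of the original letter: it takes the letter's inputs (a 60-symbol character set, 25 characters, a 60,000-word list, 10 guesses a second) and also works out how many random words are needed to match the 25-character password. The function names and the 365.25-day year are assumptions made for this example, and every character or word is assumed to be chosen uniformly at random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: 365.25-day year


def keyspace(symbols: int, length: int) -> int:
    """Count of equally likely secrets: `length` independent uniform
    picks from `symbols` choices (characters or whole words)."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """The same quantity expressed in bits, the usual strength unit."""
    return length * math.log2(symbols)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / (guesses_per_second * SECONDS_PER_YEAR)


def words_needed(wordlist_size: int, target_space: int) -> int:
    """Smallest number of random words whose keyspace reaches
    `target_space` (exact integer comparison, no rounding)."""
    count = 1
    while keyspace(wordlist_size, count) < target_space:
        count += 1
    return count


if __name__ == "__main__":
    chars = keyspace(60, 25)       # 25 random characters from 60 symbols
    words = keyspace(60_000, 3)    # three words from a 60,000-word list
    rate = 10                      # guesses per second, as in the letter

    print(f"25 chars : {entropy_bits(60, 25):6.1f} bits, "
          f"{years_to_exhaust(chars, rate):.2e} years")
    print(f"3 words  : {entropy_bits(60_000, 3):6.1f} bits, "
          f"{years_to_exhaust(words, rate):.2e} years")
    print("words to match 25 chars (60,000-word list): ",
          words_needed(60_000, chars))
    print("words to match 25 chars (200,000-word list):",
          words_needed(200_000, chars))
```

The guess rate is a parameter because it dominates the result: rerun with the rate you expect an attacker to reach against the specific system being protected.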