Password security: does size matter?

By James C | Thursday, 18 February 2016

Security application provider Splash Data have revealed their list of the 25 worst passwords of 2015 – with the Gold and Silver medals for the blindingly obvious continuing to go to 123456 and password.

Does size matter?

According to statistics portal Statista, the typical character length of online passwords worldwide as of June 2015 was between eight and 12 characters. So does password length make a difference?

There are various sites on the internet that offer to check your password strength. Even setting aside those that are traps to steal your password, the wisdom of many of them is flawed: longer does not necessarily equal better when it comes to passwords.

Morgan Slain, CEO of Splash Data, says:

"We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers."

The difference between using 123456 and 12345678 is negligible – and while you might think that replacing letters with numbers is a smart move (like the 66 percent of people who combine letters and numbers), abc123 is only just outside the top 10.

In the article "Why you can't trust password strength meters", award-winning security experts Sophos say:

"The reality is that some guesses are far better than others because our password choices are not random... [Attackers] know that some words are used more often than others and they know about the cute tricks and bad habits we use to obfuscate them." Making "password" into "passw0rd" does not make your account more secure.
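The point made above, as an added example that is not part of the original article or of any tool it mentions: a length-only meter rates 12345678 and passw0rd as strong, while a check that looks for known passwords, undone character substitutions and simple sequences flags both. The deny-list, the substitution map and the sample passphrase are constructed for illustration.

```python
import re

# Constructed deny-list: only passwords the article itself names as common.
COMMON = {"123456", "password", "abc123"}
# Constructed map of familiar character substitutions, reversed back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def naive_score(pw):
    """Length-only meter: the flawed approach the article warns about."""
    return "strong" if len(pw) >= 8 else "weak"

def is_sequence(run):
    """True for runs like 12345678, cba or aaaa (constant step of -1, 0 or +1)."""
    if len(run) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}

def pattern_findings(pw):
    """Return the reasons a password is guessable; an empty list means none found."""
    findings = []
    low = pw.lower()
    if low in COMMON:
        findings.append("common password")
    elif low.translate(LEET) in COMMON:
        findings.append("common password with character substitutions")
    # Split into runs of letters, digits and other characters, then test each run.
    runs = re.findall(r"[a-z]+|[0-9]+|[^a-z0-9]+", low)
    if runs and all(is_sequence(r) for r in runs):
        findings.append("made only of simple sequences")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs; the last one is a made-up passphrase.
    for pw in ["123456", "12345678", "abc123", "passw0rd",
               "tidal-cactus-borrows-quilt"]:
        print(f"{pw!r}: length meter={naive_score(pw)}, "
              f"findings={pattern_findings(pw) or 'none'}")
```

An empty findings list only means none of these three patterns matched; it is not a measure of strength on its own.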

How to be safe online

If password length isn't the last word in strength, and switching out letters for numbers is amateurish, what can you do to be safer online? Mozilla have some advice on creating secure passwords using a passphrase.

Top 5 tips for password security

  1. Ditch the dictionary words for a passphrase. Follow Mozilla's advice and stop using "monkeys" as your password.
  2. Stop using the same password for every site: your passphrase should be unique for every site.
  3. Use a password manager, such as LastPass.
  4. Change your passwords at least once a year.
  5. Don't forget to scan your computer: malware and viruses can track your keystrokes, stealing sensitive information including passwords and credit card info. howtogeek.com have a handy article on how to remove adware and malware from your PC and Mac.

Worried about your website?

Want to keep your own website safe from hackers? It's Crazy Easy with our Site Protection and scanner, scanning your website every day for threats and problems.