Bay Area IT Support & IT Services

The Intivix Blog

Business IT Articles, News and Tips

Length vs Complexity: Which Is More Important For Passwords

How many passwords do you have? Ten, twenty, more than that? According to research done by NordPass (a password manager organization), the average person has 70-80 passwords. If you take a step back and think about it, that number probably won’t be as shocking as it was when you originally heard it. Email accounts, bank accounts, smartphones, laptops, social media, healthcare, streaming services, favorite online stores, and so many other websites, apps and accounts require passwords. And, let’s face it; passwords can be hard to remember.


Occasionally, instead of trying to remember 70-80 passwords, we may repurpose (ahem, reuse) passwords, or try to be clever and swap a zero for an O The thing is, even when you incorporate a few changes to a short password and attempt to make it more complex, it can still be cracked. Especially by computer programs that are created to crack passwords. So, what should you do? Come up with a series of random numbers, letters, and symbols for all of your passwords. Sure, but the odds of you remembering them are pretty slim. Let’s take the advice from the FBI and create passphrases.

What Is A Passphrase?

A passphrase is a group of unrelated words strung together that you use to access your accounts. The keyword there is unrelated, meaning they normally do not go together. For example, “UnicornJumpTurtleSlide”. It’s a series of words, that do not form an actual sentence but instead creates a picture in your mind (a pretty strange one at that).

Why Unrelated Words?

Unrelated words turned into a phrase are harder to crack than related words. For example, “MyDogLovesWalks” is a series of words that go together. Because this phrase is logical, it is easier for hackers to crack, and take advantage of.

Why Unrelated Words That You Can Visualize?

Unrelated words by themselves may not stick in your brain. But, if the unrelated words create a picture in your mind, you’ll be able to remember the phrase. Seriously, “UnicornJumpTurtleSlide”, will probably be in your brain long after you finish reading this article.

How Long Should My Passphrase Be?

The FBI indicates that your passphrase should be a minimum of 15 characters, but a couple of resources out there recommend going up to 25 characters. We say start with 15 characters and focus on the visual aspect of your phrase. You can build on more words (i.e. characters) later if needed.

Why A Passphrase vs. A Complex Password?

In the world of keeping hackers out of your business and accounts, length outweighs the benefits of complexity every time. Computer programs, and hackers, have been getting pretty savvy, and they are learning the complex tricks that we’ve come up with. But, longer passphrases still have them mixed up, which is what we like to hear!

What About A Password Manager?

A password manager, which generates random complex passwords and retrieves them when you need them, is a good solution. But, you still need a master password or passphrase to access the manager. And, with all your passwords stored in one place, a strong, lengthy, hard to crack passphrase is the way to go.

Why Does The FBI Care?

This all stems from the FBI’s Protected Voices initiative. The initiative provides tools and resources to protect against online foreign influence operations and security threats. In other words, their goal is to help people “protect their voice” from being hacked. A lot of the material they provide is geared toward companies and political campaigns, however, it’s also applicable to individuals as well. In general, their goal is to help protect and spread information on how to practice good cyber hygiene.

What About Businesses?

Passphrases apply to organizations as well, and employees should use passphrases for their work accounts. In addition, organizations should consider incorporating multi-factor authentication which means a user needs to provide two forms of ID in order to gain access to accounts. A passphrase would be one, and the second could be a fingerprint, token, key fob, or a PIN. Two-factor authentication gives added safety against hackers. Organizations should also consider their lock-out policy. Meaning, if a hacker attacks your organization with multiple, failed passphrase attempts, employees shouldn’t get locked out of their accounts. And, consider removing the requirement that passphrases include numbers and symbols, as long as the phrase meets the minimum character limit.

The bottom line is that hackers are learning our “tricks” with password complexity. Because of that, we need to change how we approach passwords and make it harder for them to take over our accounts and personal data. And, we can have a bit of fun doing it by coming up with passphrases that create an odd picture in your head, but is memorable!

Still, have questions about password management? Talk to us! Let us know what questions we can answer for you. We may even create a fun video to share with you.

Use [email protected] for this article