Just how safe do you think your online passwords are?

Keep reading to discover whether complexity is more important than length and find out just how safe your password really is… or isn’t.

The problems with so-called “complex” passwords

Nowadays online companies usually require more complex passwords for increased security. Or so we think…

You’ve seen it before: “Your password must contain at least 6 characters and include upper case letters, numbers and punctuation”… As if it wasn’t hard enough to remember all your online passwords already! And that’s exactly what I believe is one of the biggest problems that we face with these complex passwords – you simply won’t remember them. This also means that we’re probably more likely to write it down somewhere too.

An even bigger problem we face than not being able to remember our passwords is that most people think in exactly the same way. It’s a fact that you and I tend to group sections of the passwords (for example capital letters at the beginning and punctuation and numbers at the end) because this is how our brains have been trained. In psychology this is called ‘chunking’ and is where your brain naturally groups information. The problem here is that password hackers know this and use it to their advantage. They do this by using a tool called Mask Attack.

Hackers using the Mask Attack know about humans, and how they design passwords, and matches passwords to a simple common pattern.

Let’s take the password: James1958

This password matches a pattern; a common name and a year appended to it, and the attack can also be configured to try the upper-case letters only in the first position as it’s less likely to see an upper-case letter mid-way through a password.

The tool can therefore reduce this password to 52 *26*26*26*26*10*10*10*10 (237,627,520,000) combinations. This is broken down as follows, 52 (No. of upper and lowercase characters in the alphabet), *26 (Letters in alphabet), *10 (Digits known). And with a cracking rate of 100 million combinations per second means it just takes 40 minutes to complete! Scary, eh?

An even scarier thought is that a modern gaming PC can do between 3-6 million attempts a second. For those who don’t know, a gaming PC is very similar to any conventional PCs, with the main difference being that a gaming PC is specifically designed for playing computationally demanding video games that have high spec memory and hard drive space. Add ‘Mask Attack’ into the mix, which is a fairly average piece of equipment to brute force password hashes (a random string of characters that denotes a password), and you’ve got an average piece of consumer technology that can be used to break passwords within an hour!

Let’s hope your password didn’t make the most popular password list of 2014.

You can also check your password here to see how secure it is. You might find the results quite surprising!

So, what on earth can we do?

“Size does indeed matter!  Remember too that using a password manger and using different passwords to prevent your digital life coming down like a house of cards is also vitally important.” – Sam Temple Director Jumpsec

I understand that the main reason online companies force ‘complex’ passwords is to improve the unpredictably by increasing combinations. However given modern technology, for example Mask Attack, this isn’t as useful as it once was. Also, each time you increase the length of a password this actually adds more unpredictability then simply swapping a letter for a number or a piece of punctuation.

So given that we know length adds more difficultly to crack than complexity, the best password policy would be to make it a passphrase made up of 15+ characters.

For example: feedmehorseeggsonatuesday

Make sure that it’s something easy to remember, but stay clear of quotes because hackers can run your password through a list of quotes and the top million or so most used passwords contained in a list called a ‘Rainbow Table’.

With longer but easier to remember passphrases you will never need to write it down again and it’s very difficult for a machine to guess because lengths over 15 are near impossible to crack with current technology. This is the ideal solution, but the problem that we have is that companies are forcing you to have complex passwords (a number and piece of punctuation) that are therefore harder to remember!

This information is useful for both parties – online companies and the public alike – they need to enforce the rules mentioned above and better inform consumers of the best password practices. A transitional password policy could include a rule whereby passwords less than 15 must include standard complexity requirements of upper case letters and punctuation with passwords of greater length allowing all lower case. This could help individuals and organisations transition to long passphrases while still enforcing basic complexity requirements to strengthen current shorter passwords.

At Pockit we currently ask for a password that is at least 8 characters long with the added security of a second gateway (your secret answer) which adds another level of protection for you. This is under review and we are looking to transition to a more advanced policy in the future with long memorable pass phrases.

Think it’s time to a change your password? Don’t worry, login and follow the simple steps to change your password.


I would like to thank Frederic Kuzel who first introduced me to this concept, Paulo Serra who inspired me to research this and the team who completed our security review.

Ed Clarke-IT Team-

Posted by
Team @ Pockit