Website Security: Password Complexity

I read an article this morning on website security, and choosing a password on LinkedIn.

It got me thinking about my clients and security on their websites. It also got me thinking about my mum, who is pretty switched on with computers, but who has a constant battle with passwords.

The article says that the current layperson’s understanding of secure passwords is wrong. People’s general understanding of website security is quite bad, but we all think (because most websites tell us this) that we have to add numbers and symbols for complexity… it’s not necessarily true. It’s got to do with “bits of entropy”. See this cartoon: The point is that “Cl0th13r” is much easier to crack (hackers don’t guess, they use computer programs) than is “thisismypassword”. It is more down to the sheer length of the password than the human mind’s ability to remember it. You can test it using a password testing site. I used this site:, but I have no idea who owns that site, so please use one that you trust.

According to that site, a computer can crack the password “password”, instantly. But “mypassword” will take 59 minutes, and “thisismypassword” will take a computer 35000 years to crack.

Now there is a human consideration with website security. People can guess “thisismypassword”, but they can’t easily guess “TisWeTheGoat”, which is easy for humans to remember. Incidentally, that will take a computer 300 years to crack, so says that website.

The other consideration is service restrictions. That is: different websites have different criteria, but most want 8-12 characters with some variation. It’s best to give the longest you can – passwords are all about length. For this you need to have alternatives. Letters only: TisWeTheGoat (12 characters). Include numbers: T1sWeTheGoat (12 characters). Letters and symbols included: T1$WeTheGoat (12 characters).
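To put numbers on the “bits of entropy” point, here is an added Python example (not from the article or the testing site) that computes the brute-force upper bound, length × log2(alphabet size), for the passwords mentioned above. The guess rate, the small common-password list and the function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample standing in for the leaked-password lists that cracking
# tools try before any brute force. Real lists hold millions of entries.
COMMON = {"password", "123456", "qwerty", "letmein", "iloveyou"}
GUESSES_PER_SECOND = 1e10  # assumption: offline attack against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(pw):
    """Size of the alphabet a brute-force search must cover for pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    size = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    if any(all(c not in cls for cls in classes) for c in pw):
        size += 32  # assumption: flat allowance for spaces and non-ASCII
    return size

def brute_force_bits(pw):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def effective_bits(pw):
    """Work for an attacker who tries the common-password list first."""
    if pw.lower() in COMMON:
        return math.log2(len(COMMON))
    return brute_force_bits(pw)

def years_to_search(bits):
    """Average search time: half the keyspace at the assumed guess rate."""
    return 2 ** (bits - 1) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def report(passwords):
    """Return (password, length, bits, years) rows, weakest first."""
    rows = [(pw, len(pw), round(effective_bits(pw), 1),
             years_to_search(effective_bits(pw))) for pw in passwords]
    return sorted(rows, key=lambda row: row[2])

if __name__ == "__main__":
    samples = ["password", "Cl0th13r", "TisWeTheGoat", "T1sWeTheGoat",
               "T1$WeTheGoat", "thisismypassword"]
    for pw, length, bits, years in report(samples):
        print(f"{pw:18} len={length:2} bits={bits:5.1f} years={years:.3g}")
```

The figures are an upper bound: a phrase built from ordinary words falls faster to a word-combination search than the per-character estimate suggests, which is the same reason “password” scores almost nothing here.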

You could live dangerously and use one password (with 3 variations) for all sites. Probably not advisable, but you could use something about the website in your own algorithm. For example, on the website you might use TisWeTheFive because “Apple” has five letters. For Amazon you would have TisWeTheSix. Use whatever identifiable thing you want, just be consistent and you won’t forget it. And remember: keep it long.

Remember: If someone works out your algorithm, you are in trouble, so I hasten to add that you should update your passwords regularly. I also add this: I don’t use this method. Personally, I use a password keeper, and I don’t actually know any of my own passwords. That makes some people nervous, hence the blog post. But for me: the risk of that password keeper crashing or being hacked is worth the reward.