How good is a “good” password?

You’re supposed to make your passwords super-long and super-random, but why?
Username & Password
Just how secure is this? (Santeri Viinamäki, CC BY-SA 4.0)

You might’ve heard that LastPass — a very popular password management tool — was recently hacked, and I imagine the news has ruined Christmas for their employees, to say nothing of their customers. In other words, it’s not good.

Put simply, if you’re a LastPass customer, then you should probably update your master password and your most critical passwords (e.g., email, banking, social media). That, and turn on two-factor authentication wherever possible.

We’ve all heard how people still use easily cracked passwords like “123456,” “Iloveyou,” and, sigh, “password” in this, the Year of Our Lord 2022. Which got me wondering: just how beneficial, exactly, is a good password?

I’ve always made super-long, super-random passwords, but what’s the point? When a site tells you to make a password between 6 and 18 characters long, how much more secure is it really to use all 18 characters? Or to use a mix of upper and lowercase letters, numbers, and special characters?

This article from the security researchers at Hive Systems gets technical in places, and goes into great detail about how hackers use graphics cards and cloud computing to dramatically reduce the amount of time it takes to crack a password, but here are some key takeaways:

  • A 6-character password consisting of upper and lowercase letters can be cracked instantly.
  • A 12-character password consisting of upper and lowercase letters will take 300 years to crack.
  • An 18-character password consisting of upper and lowercase letters will take 6 trillion years to crack.
  • Add in some numbers, and that 18-character password will take 100 trillion years to crack.
  • Throw in special characters, like ampersands and exclamation marks, and that 18-character password will now take 7 quadrillion years to crack.

(This chart presents a more thorough breakdown of the relationship between password complexity and security.)
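The arithmetic behind estimates like the ones above, as an added example (not code from this post or from Hive Systems): an exhaustive search has to cover alphabet^length candidates, so each extra character multiplies the work by the alphabet size. `ASSUMED_RATE` is an assumed guess rate, so the output will not match Hive's table exactly, and the sample passwords are constructed stand-ins for randomly generated ones.

```python
import math
import string

# Assumption: offline attacker speed in guesses/second (not a figure from the article).
ASSUMED_RATE = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# The weak passwords the article names; real wordlists hold millions of entries.
COMMON = {"123456", "iloveyou", "password"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Sum the sizes of the ASCII character classes the password draws from."""
    if not password or any(not any(c in cls for cls in CLASSES) for c in password):
        raise ValueError("expected non-empty printable ASCII without spaces")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def keyspace(length, alphabet):
    """Number of candidates an exhaustive search must cover."""
    return alphabet ** length

def entropy_bits(length, alphabet):
    """Bits of entropy, valid only if every character was chosen at random."""
    return length * math.log2(alphabet)

def worst_case_years(password, rate=ASSUMED_RATE):
    """Years to try every candidate; 0.0 if a wordlist would find it first."""
    if password.lower() in COMMON:
        return 0.0
    space = keyspace(len(password), alphabet_size(password))
    return space / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed samples standing in for random passwords of each kind above.
    samples = ["password", "QwErTy", "QwErTyUiOpAs", "QwErTyUiOpAsDfGhJk",
               "QwErTy12OpAsDfGh34", "Qw!rTy12Op&sDfGh34"]
    for pw in samples:
        n = alphabet_size(pw)
        print(f"{pw!r:22} len={len(pw):2} alphabet={n:2} "
              f"bits={entropy_bits(len(pw), n):6.1f} "
              f"years={worst_case_years(pw):.3g}")
```

The wordlist shortcut is why these timeframes only hold for passwords that were actually generated at random: “password” has the same length and alphabet as a random 8-letter string, but it is among the first guesses tried.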

To put those timeframes into perspective:

  • A “civilization-threatening” supervolcanic eruption is expected to happen sometime in the next 17,000 years.
  • Photosynthesis will become impossible in 800 – 900 million years, rendering Earth inhospitable to everything except single-celled organisms.
  • The Sun’s expansion will probably destroy Earth in 7.9 billion years.
  • All stellar formation in the universe will cease in 100 trillion years.
  • It’s believed that all remaining planets in all solar systems will be detached from their orbits in one quadrillion years.

(More fascinating/depressing timeframes can be found on Wikipedia’s “Timeline of the far future” page.)

So yeah, go ahead and create that 18-character password. By the time any remaining hackers have come anywhere close to cracking it, they’ll have far more pressing concerns to worry about than accessing your Gmail account. (This, of course, assumes that passwords are still a thing in the future, which might not be the case.)