
This image shows an actual message I received when signing up for an account on an online system. As you can see, the system cannot accept a 20-character password. In an age when passwords are often too weak to provide good protection, a system without multi-factor authentication (MFA) is designed to accept passwords of only up to 12 characters. Considering the lack of MFA, you really want your password to be strong.
While in theory even a 12-character password can be perfectly adequate and strong enough to keep even supercomputers working for hundreds if not thousands of years, length alone does not guarantee that.
For example, “midnightstar” will be broken in a matter of seconds to a week (depending on some variables) because it is dictionary-based and has no upper case, numbers or special characters. At the same time, “XfgSpoxRwzxQ” will be many orders of magnitude more secure and is considered a very safe password. That’s without using numbers or special characters, as you’ve noticed. But good luck remembering it. This is why something along the lines of “MidnightStarSablaze!” would be preferred by many. It is infinitely easier to remember, even while being longer.
The image below from Keeper shows the relative strength of various kinds of passwords. As you can see, the difference between the two variations of the “midnight star” password is 3 weeks versus 300 years.
However, “iwentforawalktwodaysago” will take thousands of years, even without complexity rules applied.

So what’s the message here, you may ask? It’s simple: give people a choice between a shorter password with complexity rules enforced and a long password with no complexity rules. Both can protect an account equally well, but one is easier to remember than the other, which makes it that much more appealing.
Do I recommend using all lower case long passwords? No, not at all. I definitely recommend using passwords that are both long and complex. Because you are using a password manager of some sort, right? Right?
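The either/or acceptance rule suggested above can be sketched as a sign-up validator. This is an added example, not code from any system mentioned in the post; the thresholds (`SHORT_MIN`, `LONG_MIN`, `MAX_LEN`, three character classes) and function names are assumptions chosen for illustration.

```python
import math

# Assumed thresholds (not from the article); tune them to your own policy.
SHORT_MIN = 12    # minimum length when complexity rules are enforced
LONG_MIN = 20     # minimum length for a passphrase with no complexity rules
MAX_LEN = 128     # generous cap, far above the 12-character limit criticised above
MIN_CLASSES = 3   # character classes required for the shorter option

# Approximate alphabet sizes: 26 letters per case, 10 digits, 33 ASCII symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def char_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def brute_force_bits(pw):
    """Upper bound on guessing cost in bits, assuming every character was
    picked at random. Dictionary-based passwords are far weaker than this."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if pw else 0.0

def check_password(pw):
    """Return (accepted, reason) under the either/or policy."""
    if len(pw) > MAX_LEN:
        return False, "too long"
    if len(pw) >= LONG_MIN:
        return True, "long passphrase"
    if len(pw) >= SHORT_MIN and len(char_classes(pw)) >= MIN_CLASSES:
        return True, "short with complexity"
    return False, "too short or not complex enough"

if __name__ == "__main__":
    # The four passwords quoted in the article.
    for pw in ("midnightstar", "XfgSpoxRwzxQ",
               "MidnightStarSablaze!", "iwentforawalktwodaysago"):
        print(pw, check_password(pw), round(brute_force_bits(pw), 1))
```

A production validator would also reject passwords found in a common or breached password list, which neither length nor character-class rules can detect.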