Monday, June 09, 2008

Password complexity vs length

I have always chosen complex passwords over longer passwords, but which is actually more secure?

Let's consider a standard password creation scheme where we use a phrase, take the first letter of each word, and substitute the occasional letter with punctuation or a number. So "Mary had a little lamb its fleece was white as snow" would become Mh4l1ifwWa$ - nice and complex. But how does that compare against a password like "mary had a little lamb."?

Let's calculate the keyspace. In the complex password example, each of the 11 characters has 72 possible values, assuming 26 uppercase, 26 lowercase, 10 digits and 10 punctuation characters. In the long password example, each of the 23 characters has 30 possible values, assuming 26 lowercase and 4 punctuation (space, comma, full stop and exclamation mark).

Complex password = possible combinations to the power of the length = 72^11 = 2.7 x 10^20
Long password = possible combinations to the power of the length = 30^23 = 9.4 x 10^33

So "mary had a little lamb." has a keyspace 34,924,596,548,080 times larger than that of Mh4l1ifwWa$. Length trumps complexity!
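
The calculation above as an added example (not from the original post): it recomputes both keyspaces with exact integers, expresses them in bits, and goes one step beyond the post by finding the shortest length at which the 30-character alphabet overtakes the 11-character complex password. The post gives only the alphabet sizes, so the particular 10 punctuation characters in COMPLEX are an assumption, as are the function names.

```python
import math
import string

# Alphabets as the post assumes them. The post only gives the sizes (72 and 30);
# which 10 punctuation characters make up the complex set is an assumption here.
COMPLEX = string.ascii_letters + string.digits + "!$%&*#@?+-"   # 52 + 10 + 10 = 72
LONG = string.ascii_lowercase + " ,.!"                          # 26 + 4 = 30


def keyspace(password, alphabet):
    """Number of candidate strings of the same length over `alphabet`."""
    symbols = set(alphabet)
    outside = set(password) - symbols
    if outside:
        # A password using characters outside the alphabet invalidates the estimate.
        raise ValueError(f"characters outside the alphabet: {sorted(outside)}")
    return len(symbols) ** len(password)   # exact integer, no float rounding


def bits(space):
    """Keyspace expressed in bits (log2), the usual way to compare schemes."""
    return math.log2(space)


def break_even_length(target_space, alphabet):
    """Shortest length over `alphabet` whose keyspace reaches `target_space`."""
    size, length, space = len(set(alphabet)), 0, 1
    while space < target_space:
        space *= size
        length += 1
    return length


def compare():
    complex_space = keyspace("Mh4l1ifwWa$", COMPLEX)
    long_space = keyspace("mary had a little lamb.", LONG)
    return {
        "complex": complex_space,
        "long": long_space,
        "ratio": long_space // complex_space,
        "complex_bits": bits(complex_space),
        "long_bits": bits(long_space),
        "break_even": break_even_length(complex_space, LONG),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>12}: {value}")
```
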
