
How Password Constraints Give You a False Sense of Security


The next time you’re forced to make a password—especially if a site requires you to use a crazy combination of uppercase and lowercase letters, or a number, or a symbol—don’t assume that these attempts at obfuscation automatically mean that your password is incredible and secure.

Randy Abrams, a senior security analyst at Webroot, ran some simple tests. He counted up all the potential passwords you can create in an eight-character password, including numbers, uppercase and lowercase letters, and symbols. (That’s 95^8 possible combinations, which comes out to 6,634,204,312,890,625, or roughly 6.6 quadrillion possible passwords.)

Let’s assume that someone is trying to figure out your password with a typical brute-force attack. Assume they can test about 31 billion passwords per second. Cracking their way through your reasonably complicated eight-character password could take, at most, 212,903 seconds. That’s 3,548 minutes, or roughly two and a half days.

Now, let’s talk about constraints for a minute. Assume that the service you’re using requires you to have an eight-character password. Abrams notes that this takes 70.6 trillion passwords out of the mix, since every password from one to seven characters long is now invalid. That saves the cracking tool a whopping 2,277 seconds, or nearly 38 minutes. That’s not too bad.

What if, in the name of security, you use an eight-character password (for memorization) and a service forces you to use uppercase and lowercase letters, as well as symbols? That’s more secure, right? It’s a more complex password, which makes it harder for an attacker to decipher? Not quite. As Abrams notes, you’ve just cut the pool of potential passwords by 18.5 percent, because every password the rule rejects (all-lowercase passwords, for example) is one the attacker no longer has to try. Two days, maximum, for a system to sniff out your password in our scenario.

If a service also requires you to have a number in this password—and you take its advice and just do that, keeping your “complicated” password at a mere eight characters—you’ve cut the potential passwords a brute-force tool needs to guess by roughly 41 percent. In our scenario, that shortens the maximum time to 34 hours, or just under a day and a half.

Instead of worrying about the best way to make your shorter password harder to guess or brute-force, Abrams advises that it’s a lot better to pick a longer password, because even if a service has password constraints, they’ll have much less of an impact:

“You might have noticed that there is little effect on the longer passwords. Frequently there is also very little value in imposing constraints on long passwords. This is because each additional character in a password grows the pool of passwords exponentially. There are 6.5 million times as many combinations of 16-character passwords using only lowercase letters than there are of eight-character passwords using all four character sets. That means that ‘toodlesmypoodles’ is going to be a whole lot harder to crack than ‘I81B@gle’.”
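The arithmetic behind these figures is worth seeing in full. The script below is an added example (not Abrams’s or Webroot’s code): it counts the passwords that survive a composition rule by inclusion-exclusion over the character classes the rule demands, and reproduces the article’s numbers at the assumed 31 billion guesses per second. The 95-character alphabet is split as 26 lowercase, 26 uppercase, 10 digits and 33 symbols (an assumption; the article only gives the total of 95).

```python
from itertools import combinations

# Assumed split of the 95 printable ASCII characters into classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())           # 95
GUESSES_PER_SECOND = 31_000_000_000        # rate assumed in the article


def keyspace(length: int, required=()) -> int:
    """Count strings of `length` over the 95-character alphabet that contain
    at least one character from every class named in `required`.

    Inclusion-exclusion: start from all strings, subtract those missing one
    required class, add back those missing two, and so on."""
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * size ** length
    return total


def shorter_passwords(min_length: int) -> int:
    """Passwords of length 1 .. min_length-1 that a minimum-length rule removes."""
    return sum(ALPHABET ** n for n in range(1, min_length))


def reduction_percent(length: int, required) -> float:
    """Share of the unconstrained keyspace that a composition rule discards."""
    full = keyspace(length)
    return 100.0 * (full - keyspace(length, required)) / full


def crack_seconds(count: int) -> float:
    """Worst-case time to exhaust `count` candidates at the assumed rate."""
    return count / GUESSES_PER_SECOND


def long_lowercase_ratio(long_len: int = 16, short_len: int = 8) -> float:
    """How many more lowercase-only passwords of long_len exist than
    passwords of short_len drawn from the full 95-character alphabet."""
    return CLASSES["lower"] ** long_len / keyspace(short_len)


if __name__ == "__main__":
    print(f"8-char keyspace: {keyspace(8):,} ({crack_seconds(keyspace(8)) / 86400:.1f} days)")
    print(f"removed by 8-char minimum: {shorter_passwords(8):,} ({crack_seconds(shorter_passwords(8)):.0f} s)")
    print(f"upper+lower+symbol rule removes {reduction_percent(8, ('lower', 'upper', 'symbol')):.1f}%")
    print(f"digit rule alone removes {reduction_percent(8, ('digit',)):.1f}%")
    print(f"16 lowercase vs 8 from 95: {long_lowercase_ratio():.2e} times more")
```

Note that the 41 percent figure corresponds to the digit requirement on its own (95^8 minus 85^8 over 95^8); requiring all four classes at once would discard noticeably more, which is the same point the article makes about constraints shrinking the pool.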

If you’re going the passphrase route, don’t settle for three words; use a passphrase built from a lot of words, whatever their individual length.

Better still, use a long passphrase (that isn’t just a famous quote or fairly common phrase) for your password management app, add a second layer of security with two-factor authentication (a token you generate from an app or other hardware device, not a login code you receive via text message), and then use your password manager to generate 16+ character passwords full of uppercase and lowercase letters, numbers, and symbols for all your other services. Go wild.

And if you attempt to sign up for something that only lets you have a short password with constraints—especially if you’re only required to use a number—get nervous. If you’re lucky, maybe you’ll be able to set up 2FA there as well, for a little security boost.