top of page

Importance of Password length and formulation

Updated: Nov 8, 2023


Even though passwords are supposedly going to lose importance in the next few years with the implementation of FIDO, it will take time for it to be broadly applied, meaning you will still need a password to log into services that you are using now.

If this is a concern for you, we will give you some background about why password security is important.


Roughly around 81% data breaches are caused by weak or compromised passwords. And guess what? of that 81%, a 65% are passwords that are still being reused.

Considering that one of the most common attacks on passwords is the "Brute-Force Attack", this is quite alarming, given that these passwords are, almost with certainty, on the lists of passwords used by different applications and scripts to execute the attack. To defend against these attacks, from a user perspective, password complexity is the most important thing.

The Math, made simple.

Let's do the math on this:

  • The alphabet has 26 letters (depending on the language you speak, of course, this can result in adding one or maybe two more letters). So this gives us 26 combinations for each field.

  • If you take upper-case and lower-case letters into consideration, it increases to 52. 26+26. That's 52 options for each field.

  • Considering an 8-character long, lowercase password, it will give us a password space of 208.827.064.576, this is the number of possible passwords.

  • Considering that Hashcat demonstrated the ability in February 2019 to crack an NTML hash on a single NVIDIA 2080Ti at a speed of 100 billion hashes per second, our example would be cracked in about 2 seconds.


Obviously, the difficulty of the cracking will increase if we use a combination of numbers, special characters (symbols), and upper-case and lower-case letters. For more information on this, we invite you to visit Hive Systems password table.

Recommendations to increase entropy.

Password entropy is the way that password strength is measured, being determined by the number of possible combinations of characters that can be used to create it.

Given that theology advances at a very fast rate for both defenders and attackers, it's very difficult to determine a final and secure way to create a password that will be 100% secure and time lasting. But what we can do is make our password so strong that it is not worth the computing time for the attacker.

Ceramet Services recommendations on this aspect are:

  • Create a password that is more than 10 characters long to increase the entropy.

  • Always enable two-factor authentication when possible.

  • Use a combination of numbers, special characters (symbols), and upper-case and lower-case letters.

  • Use phrases and not words.

  • Use special characters in the middle of the phrase, not at the beginning or end. Most people use special symbols at the end or beginning of their password.

  • Use words and phrases that have something to do with you so you can remember them but are not easily socially engineered.

One example for a password would be: doiputmyh@nds0utthewindowwhenitra!ns?
This password is easy to remember and very strong because it takes into consideration psychological aspects like thought process, something you do, an object, and an action on said object.
  • If you have a hard time remembering long passphrases, you can always rely on pass vaults, which make it so that you only have to remember one long special password to access all your other passwords. There are many open-source password vaults out there that will help you with this issue. Also, you can use services like BITWARDEN and LASTPASS, depending on how jealous you are about sharing your information with third parties.

Last but not least, you can check if your password has been observed in any breach by going to haveibeenpwnedAs a side resource, you can also use the BITWARDEN and LASTPASS password test tools to test your password's strength.

Recent Posts

See All

CISA Adds Two Known Exploited Vulnerabilities to Catalog

On April the 13th, CISA added two known vulnerabilities to their catalog. This time we can find a vulnerability that affects the Android Framework, by meanings of a Privilege Escalation Vulnerability.


bottom of page