Security experts suggest that you create passwords with 8 or more characters. Why does password length matter? When a hacker attempts a brute force attack, longer passwords make it more difficult.
The success of a brute force attack depends on two things: 1) the password length and 2) the number of possible characters being tested.
Let’s assume that a brute force attacker will use all lower case letters, all upper case letters, plus about fourteen common keyboard symbols. That gives the attacker (26+26+14)=66 characters to work with. A 1-character password has 66 different combinations, while a 2-character password has 66*66 = 4,356 combinations. The table below continues the calculation. The Time to Crack column is based on testing 250,000 passwords per second.
Characters | Combinations | Time to Crack |
---|---|---|
4 | 18,974,736 | 76 seconds |
5 | 1,252,332,576 | 5009 seconds |
6 | 82,653,950,016 | 4 days |
7 | 5,455,160,701,056 | 253 days |
8 | 360,040,606,269,696 | 46 years |
9 | 23,762,680,013,799,900 | 3014 years |
10 | 1,568,336,880,910,800,000 | 198,927 years |
In summary, when it comes to password security, more characters are safer.
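
The table's arithmetic, as an added example that is not part of the original article: it recomputes each row from the 66-character set and the 250,000 guesses per second stated above, then goes one step further and finds the shortest length that survives a chosen time budget. The function names, the 365-day year, the 100-year budget and the one-billion-guesses-per-second rate are assumptions made for this illustration.

```python
from fractions import Fraction

ALPHABET = 26 + 26 + 14      # the article's 66-character set
RATE = 250_000               # the article's guesses per second
DAY = 24 * 3600
YEAR = 365 * DAY             # assumption: 365-day year, which reproduces the table

def combinations(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length

def seconds_to_exhaust(length, rate=RATE, alphabet=ALPHABET):
    """Time to try every password of this length (worst case), kept exact."""
    return Fraction(combinations(length, alphabet), rate)

def humanize(seconds):
    """Round to the unit the table uses: seconds, then days, then years."""
    if seconds < DAY:
        return f"{round(seconds):,} seconds"
    if seconds < YEAR:
        return f"{round(seconds / DAY):,} days"
    return f"{round(seconds / YEAR):,} years"

def table(lengths=range(4, 11), rate=RATE):
    """Rows of (characters, combinations, time to crack)."""
    return [(n, combinations(n), humanize(seconds_to_exhaust(n, rate)))
            for n in lengths]

def min_length(target_years, rate=RATE, alphabet=ALPHABET):
    """Shortest length whose full search takes at least `target_years`."""
    length = 1
    while seconds_to_exhaust(length, rate, alphabet) < target_years * YEAR:
        length += 1
    return length

if __name__ == "__main__":
    for n, combos, duration in table():
        print(f"{n:>2} | {combos:,} | {duration}")
    # Constructed what-if: the second rate is an assumption, not a figure from the article.
    for rate in (RATE, 1_000_000_000):
        print(f"{rate:,} guesses/s: {min_length(100, rate)} characters "
              f"needed to hold out 100 years")
```

These are worst-case figures for trying every combination; on average a search finds the password after about half that time. The exact counts for 9 and 10 characters differ slightly in their last digits from the rounded values in the table.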