Password Strength: Complexity vs. Length

Thu, 10 Aug 2006

A few weeks ago, Jason Meserve pointed out an article by columnist Roger Grimes, who said that longer passwords are stronger than shorter but more complex passwords. Meserve solicited some feedback: <http://www.networkworld.com/nlvirusbug43268>

I took the challenge and responded with this:

Grimes is right on when he suggests that length is more of a factor than complexity. Attached is a graph showing how quickly three password character sets grow in possible combinations (logarithmic scale). I throw in a dictionary word set to illustrate another point about memorability.

I (personally) don't find a simple/long password any less daunting than a complex password, because for both to be effective the characters have to be somewhat randomly ordered. Even if we reduce the set of characters to 28 (lowercase alphas plus space and period), a long random string of those isn't much better than a slightly shorter but more complex password.

A "simple" password should be memorable, possibly using some word combinations (e.g. PayPal's password generating system used to be two dictionary words glued together with a couple of punctuation or digit characters; it may still be). When this is the case, the "character set" (each word in the lexicon effectively becomes a character) is about 50K and has a solution space that grows much more quickly than single character password sets.

That is, a password that uses 5 random dictionary words (5-7 characters each) is roughly as strong as a 16 character password from a randomly generated small (28 char) set. Adding one more word (6 words) is roughly equivalent to a 19 character password from the 28 char set or a 14 character password from the 95 char set. Character for character, however (this is where the graph is misleading), the dictionary set is far longer (25-35 total characters) than the 19 random characters from the small set, but the dictionary set will likely be far more memorable than random characters, which a good password should be. Throw in an intentional typo or two with a 4-word passphrase and you've got yourself a statistically tough one with few wasted brain cycles.

Fwiw, the old PayPal system (2 medium length dictionary words plus 1 random character) has a solution space roughly that of a 5 character complex password (that is, not very strong).

And this is the graph: (graph of password solution space vs. length, logarithmic scale; image not preserved)

Here is the original article. My response starts on page 3:
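The word-as-symbol arithmetic above, as an added worked example that is not part of the original post: it computes the entropy in bits of each scheme and the random-character length that reaches the same entropy, taking the post's set sizes (28, 95, and a 50K-word lexicon) as assumed inputs. The "roughly equivalent" figures the post quotes fall out of the calculation: 5 words is about 78 bits, matching 16 characters from the 28 set, and 6 words is about 94 bits, matching 19 characters from the 28 set or 14 from the 95 set.

```python
import math
from typing import Dict

# Symbol-set sizes assumed from the post (constructed constants, not measured).
SIMPLE_SET = 28        # lowercase letters plus space and period
COMPLEX_SET = 95       # printable ASCII
LEXICON = 50_000       # dictionary words; each word acts as one symbol


def entropy_bits(symbol_set_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from the set.

    The figure only holds when every symbol (character or word) is chosen
    uniformly and independently; words picked by a human are not uniform,
    and the search space a guesser faces is correspondingly smaller.
    """
    if symbol_set_size < 2 or length < 1:
        raise ValueError("need at least two symbols and a length of one")
    return length * math.log2(symbol_set_size)


def equivalent_length(bits: float, symbol_set_size: int) -> int:
    """Length of a random password over `symbol_set_size` with about `bits`
    of entropy, rounded to the nearest whole symbol."""
    return round(bits / math.log2(symbol_set_size))


def compare_passphrase(words: int, lexicon: int = LEXICON) -> Dict[str, float]:
    """Bits for a passphrase of `words` random words and the equivalent
    lengths over the post's simple (28) and complex (95) character sets."""
    bits = entropy_bits(lexicon, words)
    return {
        "bits": round(bits, 1),
        "equiv_len_28": equivalent_length(bits, SIMPLE_SET),
        "equiv_len_95": equivalent_length(bits, COMPLEX_SET),
    }


def two_words_plus_chars_bits(extra_chars: int = 1, lexicon: int = LEXICON) -> float:
    """Old PayPal-style scheme from the post: two random words plus
    `extra_chars` random printable characters (independent draws, so the
    entropies add)."""
    return entropy_bits(lexicon, 2) + entropy_bits(COMPLEX_SET, extra_chars)


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(n, "words:", compare_passphrase(n))
    print("2 words + 1 char:", round(two_words_plus_chars_bits(), 1), "bits")
```

Lowering `LEXICON` to the size of a "medium length" word list shows why the post rates the two-word scheme so poorly: the word count dominates the entropy, and a smaller lexicon shrinks it fast.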