Can a password be TOO long?

I often hear security experts claim that creating a password that's too long can actually make things weaker.

Can anyone tell me if this is true, and explain why it's true/false?

Thanks!

 

If it's too long the user will have to resort to writing it down or making the password itself easier to remember.

That's it.

Otherwise more length will never hurt.

 

If you log your passwords in an app like Keepass you don't have to remember any thing.

 

That's true, but your master password has to be long enough to be memorable.

 

If you mean the password to access Keepass, that would depend who else if anyone also accesses your pc. Keepass isn't on line so no one can open mine as I'm the only person using the computer, so I use a simple password to get me in.

 

BINGO!
Same here.
I'd say it all depends on who you're trying to hide the password, if it's from the interwebz then writing it down would be no problem but imagine if it was from someone like people around you, i would not consider writing it down because they could find it some day . . .

 

Hey don't you guys remember that amazing encryption tool FolderLock ? That would so helpfully truncate passwords longer than 16 chars?


I kid... I kid..

 

Well, from what I read, the longer your password the better. And that is because of the two basic ways in cracking a password(not to get that confused with 'methods' to acquire passwords), which is either by guessing it...or by brute force hacking.

And even though, trying to guess a longer, more complex code would take longer and would be much more difficult...if not actually impossible to crack...and even though it is possible that a brute force attack can crack a long and complex password, I had read that the longer and more complex the password is, the longer it takes for a brute force attack to be successful. Therefore, you are at least buying yourself more time with a long and complex password.

What Is 'Brute Force' Dictionary Hacking?

Also, because the above article mentions how brute forcing involves dictionary software that recombines English dictionary words with thousands of varying combination...it's always better to use an alpha-numberic combination of characters....in addition to as many special characters as possible, which would slow down a brute force attack even more.

And as far as trying to memorize your password or passwords, I gave that up a while back ago and started writing my passwords down on paper and keeping them in my wallet. Although, actually I don't use what are considered passwords, but actually use what are called passphrases, which are a combination of personalized encrypted words that form a phrase that you make up...which, by the way, you may actually end up remembering over time.

 

An amusing perspective:

http://xkcd.com/936/

 

There's ways you can use long passwords with random characters and have them fairly easy to use without password software. Start with an encrypted text file. Contents don't matter. After encryption it will look like this but larger:

Code:

qANQR1DBwU4DtYA9uTfuIakQB/9w54fY4UZlR1THoeim/U8lKNvXb3ol8iwQhsk3
SxT3zp61oqYgLOYxKE0pmmsNEfMFYqBvaBGA/WibVzBHJFYZQXYA8PD04fD8qLpp
OZMPZe+VQpc1HfeMM5aWHyrXaOa+nL1D0fCORs+7m8/kdjf1s5CY+3gfT3V/x0Jj
8MCZCk26vhil3N76i0ise9Ouzj9YBOJcUBjuHMmZ8v9MluOBP9EX+7jv04CyoGMC
FsnL8sxTudep8h1jN4QQoXu/mhFoFkHeSS7VA6j74bzTmo+thFuWeSXqZ1PtrV+S
B6fdOJIIiy1yy+QDu2TIEosqlduaevLE041a//B78Or4uKBbB/42ygrO9SNxRo4W
/fSTHZiJZZEXvm8bgvju4lfItKda5G/54h+itSwcJKs9PHb7SUC+oQkymwRTdZUP
eM0Ow+GPDoIjT2QswtX4gsGAeBJQ8y+7ZUS3Lp4MvbGwKu56VhQgpTGlGaQMLhVQ
xFrGw2aEEbTzMurC4KSoQRlojkRGMg+BAFmh15UnNDVfC6jls9KqPpgD+GarB+Pn
5EUKiOGFMdK06DCgZgD+zNcu2dnilm7OLpUmn5Ooz9dTWF7JYhUeM8ibn3j19slT
2Gax8zmbdBqqkhHbgwg39ppfEI7nC6HCu6xNdZah2I7v3YpOfcKjJn7i6bG1R1/T
zGoPgxqlyewacMyf1a0UxsnoKW99oYx2XVSPnLSaw3fYo0ctTzf1PuKTrxZ1lep+
uoZZzz9HO14d3aObb94U7Wc1ko9RlHZVFJXykRxKuzL+bnOyTV/6GCG4cRNYy61Z
9tjtYskabva0SlmgkrbAzWoxAeVpqDxeMmw7Evx0nw8xRXoMof8NFwC5qdJrkbad
6jHS31JD42MsEEE+O4KLN0lvNSXkQDEOUAadSVffU0C+a+jQOoBPEeqN4AL95+ni
m33gyZ8PKsQ/UBRst0EBpRPpHCDgJePLFgaIHfdnd2epI002FBv4UdmVS29GzYjb
eYa3vDiMMdukrBV7A/okbqylEkdQhbuLP7S4at3Gls15oYzDgV4c+GgNcN71X29M
aTH64LcJ4ssCD+sum7WIKoUlUuRuBOxWORkOytpdutK6NC7n1mBMIoeNPdZ0VTEP
3vSF5mhVtcBdFSqTB706Pc8kyvv/UObQFW1Bmpg3JHM8gU3ixNMmYSVD2XS0izr6
362bGimLkTWY9phwdAvp3m4YiC/NHcMK2cLCue/a1XlDUOBXTGeWSD0wM5ptm2CA
SrUQKzbTti8ItgN7D5WoureCGrT1nlzESOxuRiYPVSDOPt7vCI10gQhS5awgWlj4
6o543SFeJW4rcdj3aK+ysJ0fsTS79mcIUuw/MmeUQTsWPT7HsfQo0MWXMvtk2/MQ
eN/5W9St/tSz+RlVpH18FvFFurXDYad8+LMBN+2efthNcaIisuelaRuB+xpueVjX
7EFPH6p55k4HaJEZNmID/rN7BBZ3nDvzbsyExxonUlbBbpcvv+4J37voxD2ngNg6
20WXpz8fDS0QH3S91VAXfU40742aIkTnerG6f5dV4vJGOcO4Rfw1nOeH3J7xPXL+

After that, it's copy and paste. All you need to remember is where it starts and ends. Example, starts on line 3, character 4, ends on line 4 character 5. remembering 3445 gets you:
PZe+VQpc1HfeMM5aWHyrXaOa+nL1D0fCORs+7m8/kdjf1s5CY+3gfT3V/x0Jj8MCZC

Make a dozen or so of these files for sources. Without knowing the length, how long would it take someone to find a password that's in plain sight?

Don't want source files? Then take a song you know well and use the first letter of each word, case sensitive, and all the punctuation marks that would be there.

 

But if they used a dictionary brute force attack the second option would be easier to crack or not?

 

Not. The dictionary attacks we hear about usually use one word + some numbers/ letters. Cracking a 3 word password would be like cracking a 3 letter password with a 200,000 character set. It would take a very long time.

 

Or just pick a quote from a book/ song that you like. Way easier to remember, doesn't involve writing your password down, and it can be longer than that.

Or don't bother with an huge password that forces you to add weaknesses. If you have a strong password between 16-22 characters and a character set of 94 no one's going to crack it with any modern hardware.

 

Can't stress this enough. Additionally don't fall victim to password reuse. You can have the longest most entropic password ever conceived by man. If you use it from banking to twitter and it gets discovered in a random database breach, what good will it do you?

 

I also meant to mention that it's a good idea to create complex and/or nonsensical answers to secret hint questions. Such as if a secret hint question is: What is your paternal grandmother's first name? Well if your paternal grandmother's first name is Ruth...using that as the answer is too easy for a hacker to hack.

However, make the answer something like b@Byee*Ruth-1s(a)Cand1e/b@R or something to that effect.

But the point is, it's not a good idea to give a normal, easy to guess answer to those types of questions.

 

I agree. I have no idea who came up with those but they should be fired and or hanged.

It defeats the purpose of a password when you enter FB-read info to one of those questions.