Posted by Roger


I've written in some detail about the benefits of good passwords but in this article, I present evidence for the value of longer, more complex passwords.

Use stronger passwords to resist brute force attacks on your website

Brute Force Attacks

One common (but certainly not the only) way that hackers try to access your web server and any other computer systems you may have is by trying many, many different passwords in conjunction with a known user name (which is commonly an email address). It's a crude method, but it can be effective.

Of course, the whole process is automated - there's no one actually typing these passwords into a login screen.

A survey of available worldwide data conducted by Verizon in 2020, showed that brute force attacks accounted for 34% of all successful IT security breaches in small companies (see page 80 in the Verizon report), so it's a serious issue.

The question naturally arises as to where hackers get the lists of passwords from. Since we're talking about brute force attacks, one approach the hackers use is to generate lists of combinations of letters, numbers and special characters with a software program, then feed this list into the automated systems they use to repeatedly attempt access to the target system.

It turns out that doing this is really very easy.

Password Data

This is the part where I show you why size matters. I want to compare passwords of 5 characters against those of 8 characters.

Longer, more complex passwords give more protection against brute force attacks on your website

So let's start with the 5 character passwords and work out how many combinations there could be, i.e. how many possible passwords could exist.

  • lower case letters only - 11,881,376 passwords
  • lower case and upper case letters - 380,204,032 passwords
  • lower case, upper case letters and numbers - 916,132,832 passwords
  • lower case, upper case letters, numbers and 32 special characters* - 7,339,040,224 passwords.

So, as you can appreciate, making the password more complex increases the number of possibilities significantly, which makes the process of cracking the password take longer.

Now let's look at 8 character passwords.

  • lower case letters only - 208,827,064,576 passwords
  • lower case and upper case letters - 53,459,728,531,456 passwords
  • lower case, upper case letters and numbers - 218,340,105,584,896 passwords
  • lower case, upper case letters, numbers and 32 special characters* - 6,095,689,385,410,816 passwords.

The increase in the number of possibilities is dramatic. The most complex 5 character password gives 7,339 million options, but with 8 characters that increases to 6,095,689,385 million possibilities! Taking that to 12 characters would mean 475,920,314,814,253,376,475,136 possibilities. Size matters!

The longer the password and the more complex it is, the harder it is for hackers to gain access to your systems.

To illustrate this, we're going to use data from Sucuri, who state:

In 2007, a computer would be able to make about 7 million password attempts per second. Now in 2021, one can make more than 100 million attempts per second.

Let's use that rate of 100 million attempts/second.

  • a 5 character password using lower case letters only will take less than 1 second to crack
  • a 5 character password with upper case letters, lower case letters, numbers and special characters will take 73 seconds
  • an 8 character password with upper case letters, lower case letters, numbers and special characters will take 19 years
  • a 12 character password with upper case letters, lower case letters, numbers and special characters will take 150 million years.
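As an added example (not code from the original post), here is a Python script that recomputes the keyspace figures from both lists above for any character-class size and password length, and converts the worst-case exhaustive search time at the quoted Sucuri rate of 100 million attempts per second into readable units; the class names and function names are my own.

```python
# Character classes used in the article: 26 lower, 26 upper, 10 digits and
# the 32 printable ASCII punctuation characters (94 printable characters in total).
CHARSET_SIZES = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+special": 94,
}
ATTEMPTS_PER_SECOND = 100_000_000      # the 2021 Sucuri rate quoted above
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = ATTEMPTS_PER_SECOND) -> float:
    """Worst case: the attacker has to try every password in the keyspace."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that gives a value of at least 1."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            if name == "years" and value >= 1_000_000:
                return f"{value / 1_000_000:.0f} million years"
            return f"{value:.1f} {name}"
    return f"{seconds:.2f} seconds"


def crack_table(lengths=(5, 8, 12), rate: int = ATTEMPTS_PER_SECOND) -> list:
    """(class, length, keyspace, worst-case time) for every class/length pair."""
    rows = []
    for name, size in CHARSET_SIZES.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n),
                         human_time(seconds_to_exhaust(size, n, rate))))
    return rows


if __name__ == "__main__":
    for name, n, space, when in crack_table():
        print(f"{n:2d} chars  {name:<27} {space:>31,}  {when}")
```

Run as written, the 8 character, all-classes row comes out at about 1.9 years at 100 million attempts per second; the 19 year figure above corresponds to a rate of 10 million attempts per second.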


Well, it's clear that the longer and more complex the password, the more effort it will take hackers to break it. In addition, to quote Sucuri again:

The bigger the effort behind a brute force attack, the easier it is to detect and block with the right tools in place.

As I mentioned above, brute force attacks account for 34% of breaches in small companies. Interestingly, the corresponding figure for large companies is only 8%. The Verizon report does not give any details about why there is such a disparity; however, we could speculate that larger companies have stronger password policies in place to enforce longer and more complex passwords.

It's also worth mentioning that not all brute force attacks use full lists of all possible password combinations because, as we've seen, they can take a long time to complete. Another approach is to use a list of common passwords. These become available after a large company's security data is compromised. Attacks using these lists can be more effective and faster, as the hackers believe (often correctly) that an individual will use the same password on multiple sites.


  • Raise awareness about password security in your organisation
  • Enforce a policy of using passwords that use lower case and upper case letters, numbers and special characters and which are at least 8 characters in length (better with 12 characters)
  • Use a password manager so people don't have to remember or write down the passwords
  • Don't reuse passwords across different sites
  • Review other methods of protecting your systems, e.g. two-factor authentication.
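The password policy in the second point above, implemented as a checker (an added example, not code from the post; the function names are my own). It uses the footnote's 32 special characters, which are exactly Python's string.punctuation.

```python
import string

# The footnote's 32 special characters are exactly Python's string.punctuation:
# !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   (backslash included)
SPECIAL = string.punctuation
MIN_LENGTH = 8            # the policy's minimum
RECOMMENDED_LENGTH = 12   # "better with 12 characters"
REQUIRED_CLASSES = {"lower", "upper", "digit", "special"}


def character_classes(password: str) -> set:
    """The classes the password actually draws on ('other' for anything else)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
        else:
            classes.add("other")   # non-ASCII or whitespace: allowed, not counted
    return classes


def check_policy(password: str) -> tuple:
    """Return (failures, advice): empty failures means the password is accepted."""
    failures, advice = [], []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        advice.append(f"fewer than the recommended {RECOMMENDED_LENGTH} characters")
    for cls in sorted(REQUIRED_CLASSES - character_classes(password)):
        failures.append(f"no {cls} character")
    return failures, advice


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("password", "Wr3n!kite", "Kettle-Drum#2024xyz"):
        print(repr(candidate), check_policy(candidate))
```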

Note: * The 32 special characters are !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (the printable ASCII punctuation characters, backslash included).
