Jeffrey Goldberg, AgileBits:

Put simply, if the world’s fastest [sic] computer could check a password as quickly as it can add two numbers, and if you had a billion of those computers all guessing passwords, it would take more than a million times the age of the universe to go through all of the 52²³ possibilities from a 23 character password created with 1Password’s Strong Password Generator. Put even more simply: nothing is going to crack a password generated with our Strong Password Generator this way.

While 1Password is a fantastic app, the ability to create ginormous random passwords has encouraged many people to believe that they should use 50+ character passwords on the somewhat mistaken belief that a longer password is more secure.

Although this is theoretically true, the reality is that this is a classic example of diminishing returns. As Jeff Goldberg’s post above points out — and I strongly recommend reading the whole thing — as you approach even 10 characters in a purely alphanumeric password (so, leaving out numbers and symbols) — you’re already reaching a point at which you’ve got 5210 combinations, or a seventeen-digit number that well exceeds a quadrillion possibilities. Something that, as Jeff puts it, “will make high-end, specialized password cracking systems really sweat.”1

That’s just a mere ten characters, and we’re limiting ourselves to upper and lower-case letters. Every additional character you add after 10 makes the number of combinations exponentially greater, not to mention throwing numbers and symbols into the mix. By the time you reach even 23 characters, the amount of processing power required to guess all of the possible combinations is staggering — as long as you’re using a truly random password, of course. The math doesn’t lie.

The problem with long passwords

Still, you may think that there’s no harm in using a 50-character password if it makes you feel better. After all, even if it’s completely unnecessary now, computers are getting faster all the time, and what we can’t crack today might be possible tomorrow. However, this concern ignores the reality of both mathematics and computing power. In short, while computing power is ramping up exponentially, it’s not doing so by the same exponential factors that simply adding one or two characters to a password provides. A 24-character random password offers 70 times more combinations than a 23-character password, but a 32-character password is actually 576,480,100,000,000 times more complex. By the time you get to a 50-character password, we’re talking about an increase by a factor of 9.387547 — that’s a 9 followed by forty-seven other numbers. If a billlion supercomputers will take more than a million times the age of the universe to crack a 23-character password, I don’t want to even begin to think about how long it will take to crack a 50-character password. Anybody who really thinks that hackers or shady three-letter government agencies are going to this kind of trouble to crack their passwords has a seriously exaggerated sense of their own importance.

So not only is this unnecessary, but it can actually cause needless confusion. I helped somebody out recently who was having trouble logging into their mobile banking app — specifically, pasting a password in from 1Password. The app just wouldn’t accept it, and this person felt the app was broken. The bank’s tech support was no help either. In the end, it turns out the app was limiting the password entry to 32 characters, and anything longer simply wouldn’t paste into that particular field. The web version of the app had no such limitation, but a quick test revealed that even there, only the first 32 characters actually mattered. In other words, the bank in question (RBC) allows you to set a very long password over the web, but ignores everything after the 32nd character. Meanwhile, if you try to paste the same password into the mobile app, you won’t be allowed to, as that app’s designers set a 32-character limit. Notwithstanding debates about poor systems design and teams that don’t talk to each other, it’s obvious that it’s only the insistence on using an ultra-long password that causes these types of problems.

What’s particularly ironic here is that anybody using a longer password is quite literally experiencing an illusion of security. If you have a 50-character password with RBC, everything from the 33rd character onward can be whatever you like — their system will just ignore those extra characters entirely. In other words, there is zero practical security difference between using a 32-character password, 33-character password, or 50-character password.

Most systems I’ve run into these days are totally okay with 32 characters in a password. A few limit those to shorter numbers like 24 or 16, and I’ve found a few that only allow 12. As a rule, however, the shorter the limit, the more likely it will be communicated to the user and probably even enforced. However, somebody at RBC clearly felt that 32 characters was “more than enough” and decided that there was no need to tell users about this limit. Meanwhile, most typical users don’t run into this problem, while those who insist on using longer passwords are more likely to encounter this.

When you consider that longer passwords offer no real tangible benefit beyond 20 characters or so, it’s clearly a situation where users are putting themselves through potential problems without any real reason to do so. In the end, using longer passwords are a “security theatre” much like most modern airport security protocols, although in this case a self-inflicted one; users will “feel safer” with longer passwords, but in the end are potentially putting themselves through needless inconveniences just to preserve that feeling of “safety.”