A passwords complexity is not as important as its overall length in terms of a brute force attack.

When most of us think of password security, we think that the more difficult the combination the better. Capital letters, lowercase letters, special characters, and numbers galore! The password requirements we see most often are a minimum of eight characters, at least one capital letter, one number, and one special character. But, you’re better off going with a password that is long but familiar instead of one that is short and complex. And I’ll tell you why.

But before I do, let’s confront the 800lb gorilla in this article: we’re going to have to use math no one has thought about since 8^th grade (I think). We’re going to use factorials. If we figure there’re 26 lower case letters and 26 uppercase letters—for a total of 52—our factorial would be represented by “52!”. It’s calculated by multiplying 52x51x50x49x48… and so on all the way down to 1. To determine possible password combinations, you take the factorial of the overall possible characters (here, 52!) and divide it by that same number MINUS the total number of characters in the password. So, the formula for a 10-character password is 52! / (52-10)!

I don’t understand WHY it’s done this way… there is a certain subset of the population that tuned out once math started stealing from the alphabet, and I am one of those people… but I understand THAT it’s done this way.

So, back to password safety. The latest figures show a hacker with a properly equipped computer can compute ~44.25 BILLION possible combinations per second. And if we go with the standard eight-character password, using capitals, lower case, numbers, and symbols (limiting ourselves to the symbols readily available on a standard keyboard), our formula looks something like this: 81!/(81-8)!, or 81!/73!. That calculation produces 1.296 QUADRILLION possible password combinations. Or… about eight hours of work using the sample hacker & computer.

But let’s look at the work we create for our hackers if we use a common phrase that we’ll never forget instead of some quirky 8-character amalgamation we’ve already forgotten. Instead of “Fr@nkl1n” we’ll use “Franklin Retirement Solutions”. While that drops our numerator factorial – we’re only using 52 possible characters instead of 81 – we’re helped by the fact that it severely decreases our denominator. Our new password is 29 characters long. So our new equation looks like this: 52!/(52-29)!, or 52!/23! Running that equation produces 9.122 UNDECILLION possible combinations (one undecillion is a one followed by 36 zeros if you’re wondering).

A password containing nothing but upper- and lower-case letters, but sufficiently long, can produce a staggeringly large number of variations

Our hacker would now need that computer to run for 6.5 QUINTILLION years to cover all combinations. Those infinite monkeys with infinite typewriters would likely produce all of Shakespeare plus a couple of new seasons of “Family Ties” before your password is ever cracked.

Hackers have gotten smarter, however, so this discussion isn’t the be-all, end-all of password security. More advanced password attacks use dictionaries of common phrases to cut down on the time it would take to guess a particular password. And the most common way to get a password is still a simple phishing attack, when an email from capita|one@jahöö.com asks for—and often receives—an unsuspecting user’s bank credentials. So the lessons to learn here about passwords is 1) be verbose and 2) be vigilant.