We all know passwords can be a nightmare. We’re constantly told to make them more complex — throw in some capitals, numbers, symbols! — until we end up with something like P@$$wOrd!23? that’s impossible to remember but supposedly keeps the bad guys out. Right?
Well… maybe not. For years, a classic webcomic, XKCD, offered a different, almost counter-intuitive approach. Now, new research from security experts (Hive Systems) shows that comic was right. The best way to make a password strong isn’t making it super complicated, but simply making it longer.
Confused? It makes sense! The usual advice makes passwords hard to remember, but maybe not much safer from online bad guys. This article explains why the old advice isn’t always best and shows you a simpler way.
- Why tricky passwords (like replacing ‘o’ with ‘0’) aren’t as safe as you think and can be easy for criminals to figure out.
- How using a passphrase (just a few random words strung together) is a really strong method, backed up by research.
- A little bit about why length is key today (don’t worry, we’ll keep it simple).
- Easy steps you can take to create safer passwords that are also easier to handle.
Debunking the Complexity Myth: Hard for You, Easy for Them
Remember that XKCD comic? It hilariously pointed out the absurdity of common password advice. It compared a password like Tr0ub4dor&3 — a prime example of following the “rules” (uppercase, lowercase, number, symbol) — with a simple four-word phrase: correct horse battery staple.

The XKCD Argument: Why Tr0ub4dor&3 is Surprisingly Weak
The comic’s brilliance lies in revealing a fundamental truth: humans and computers “think” differently about passwords.
- For Humans: Tr0ub4dor&3 is hard to remember. You have to recall the specific substitutions (o to 0, a to 4, e to 3), the symbol placement, and the capitalization. It requires mental gymnastics.
- For Computers: Tr0ub4dor&3 is surprisingly easy to guess. Why? Because criminals have special computer programs that know all the common tricks people use! These programs don’t just guess random letters. They try common words, and they automatically try swapping letters for numbers (like ‘o’ for ‘0’ or ‘e’ for ‘3’) and adding common symbols.
Passwords that follow these “complexity” rules can often be cracked quickly because the programs expect them.
Hive Systems Data Confirms: Character Types vs. Brute Force Reality
The research from Hive Systems shows how long it takes powerful computers (using fast gaming-style processors) to guess passwords by trying every single possibility (this is called a “brute-force” attack).
Adding symbols or capital letters helps a bit, but the research clearly shows that making a password longer helps much, much more.
For example, a complicated 10-letter password might take years for a computer to guess. But an 18-letter password using only lowercase letters could take computers billions, trillions, or even more years to guess!
Adding just a few extra characters makes the number of possible combinations explode, making it way harder for computers to guess correctly, even if the password seems simple.

Enter the Passphrase
This brings us back to XKCD’s elegant solution: the passphrase.
XKCD’s Solution: Random Words for Real Randomness
Instead of contorting a single word into a “complex” mess, XKCD proposed using four or more random common words strung together, like correct horse battery staple.
- For Humans: This is often much easier to remember. Our brains are good at recalling words and stories. You can often visualize the phrase, creating a strong mental hook.
- For Computers: Guessing a random phrase is incredibly hard. Think about it. If you just use common English words, there are thousands to choose from. The number of combinations for just four random words is huge (like, trillions!). Adding a fifth word makes it astronomically harder.
This huge number of possibilities makes it practically impossible for current computers to guess your passphrase by trying every option. It’s a much better kind of ‘randomness’ than just swapping a few letters for symbols.
Crucial Point: The key here is random. iloveyou123 or passwordpassword doesn’t count! The words should have no obvious connection to each other or to you.
How Passphrases Measure Up on the Hive Charts
A typical four-word passphrase like correct horse battery staple easily reaches 25+ characters. Looking at the Hive Systems 2025 table, even passwords significantly shorter than this (around 16–18 characters) using multiple character types already reach quadrillions or quintillions of years to crack.
A long passphrase, even if it only uses lowercase letters, is so long that the time it would take computers to guess it becomes ridiculously huge — think longer than humans have existed! It keeps your account safe from guessing attacks, without you needing to remember a complicated jumble like Tr0ub4dor&3.
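To put numbers on the comparison above, here is a small added example (not from the article or from Hive Systems) that computes the search-space size in bits for character-class passwords and for random-word passphrases, and converts it to years at an assumed guess rate. The guess rates, the 7776-word dictionary size and the 95-character printable alphabet are assumptions for illustration; the Hive figures quoted on the page come from their own hardware and hashing assumptions.

```python
import math

# Assumed guess rates for illustration only (not Hive Systems' figures).
FAST_HASH_RATE = 1e12   # guesses/s: a GPU rig against a fast, unsalted hash
SLOW_HASH_RATE = 1e5    # guesses/s: the same rig against a deliberately slow hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes for character-class passwords
LOWER = 26
ALL_PRINTABLE = 95      # printable ASCII: lower + upper + digits + symbols
DICEWARE_SIZE = 7776    # assumed dictionary size (6^5, the usual Diceware list)


def password_bits(alphabet_size: int, length: int) -> float:
    """Search-space size, in bits, of a uniformly random password."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Search-space size, in bits, of a passphrase of uniformly random words."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def compare() -> dict:
    """Bits for the cases the article discusses. The 'all printable' rows assume
    every character was drawn uniformly, which Tr0ub4dor&3 (a word plus a few
    predictable substitutions) is not, so they overstate its strength."""
    return {
        "10 chars, all printable":  password_bits(ALL_PRINTABLE, 10),
        "18 chars, lowercase only": password_bits(LOWER, 18),
        "25 chars, lowercase only": password_bits(LOWER, 25),
        "4 words from 7776":        passphrase_bits(DICEWARE_SIZE, 4),
        "5 words from 7776":        passphrase_bits(DICEWARE_SIZE, 5),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        fast = years_to_exhaust(bits, FAST_HASH_RATE)
        slow = years_to_exhaust(bits, SLOW_HASH_RATE)
        print(f"{label:26s} {bits:6.1f} bits  fast hash: {fast:9.3g} y  slow hash: {slow:9.3g} y")
```

Under these assumptions 18 lowercase letters (about 85 bits) beat 10 characters drawn from every class (about 66 bits), which is the article's point; the slow-hash column is why hashing choice matters as much as length.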
Why Length is So Important Today (Simplified)
Two technical concepts highlighted by the Hive Systems analysis further emphasize why length and modern practices matter:
Hashing: How Your Passwords Get Scrambled (and Why it Matters)
Websites shouldn’t store your actual password. Instead, they use a special process (called “hashing”) to scramble it into a code. When you log in, the website scrambles the password you type in and checks if the code matches the one they have stored.
It’s like turning your password into a secret code that only works one way — you can’t easily turn the code back into the password.
Good websites use scrambling methods that are deliberately slow for computers to perform. This sounds bad, but it’s actually good for security! If criminals steal a list of those scrambled codes, the slowness makes it really difficult and time-consuming for their computers to try guessing the original passwords. Using these slow, modern scrambling methods is an important way websites protect your information.
The Ever-Faster Threat: Hardware Advances
Criminals use powerful computers, often with the same kind of fast chips found in gaming machines, because these are good at doing the repetitive work needed to guess passwords quickly.
Computer power keeps getting faster and cheaper. Because the bad guys’ tools keep getting better, our passwords need to get better too. That’s why using longer passphrases and relying on websites that use those good, slow scrambling methods is so important to stay safe online.
🛡️ Your Action Plan: Building a Digital Fortress with Smarter Habits
Okay, theory is great, but how do you actually put this into practice? Here’s your straightforward plan:
1. Embrace Long, Random Passphrases
Aim for passphrases using four or more random words. Strive for a total length of at least 20–25 characters, but longer is even better! Don’t worry excessively about mixing character types if the length is substantial. Remember, randomness is key. Think purple hippo banjo glacier, not MyFavoriteCatFluffy.
2. One Account, One Unique Passphrase (No Exceptions!)
Password reuse is one of the biggest security risks. If one site gets breached and your password leaks, hackers will try that same password on your email, bank, social media — everything. Every single important account needs its own unique, strong passphrase.
3. Your Secret Weapon: The Password Manager
How can anyone remember dozens of unique, long, random passphrases? You don’t have to! Use a reputable password manager (Bitwarden, 1Password, KeePass, or LastPass, though LastPass’s past breach deserves careful consideration, etc.).
- They generate truly random, long passphrases for you.
- They securely store them.
- They autofill login forms.
You only need to remember one very strong master passphrase to unlock the manager itself. Make that master passphrase extra long and memorable!
Good password managers have security settings you can check to make sure they are using strong protection — look for options related to “iterations” or “rounds” and set them high if possible (or use the secure defaults).
4. Activate MFA: Your Essential Backup
Multi-Factor Authentication (MFA), often called Two-Factor Authentication (2FA), is non-negotiable. This requires a second piece of proof (like a code from an app on your phone, a text message, or a physical security key) in addition to your password. Enable it everywhere it’s offered (email, banking, social media, etc.). It’s a crucial safety net that can protect your account even if your password somehow gets compromised.
5. Ditch Predictability Completely
Avoid using anything easily guessable in your passwords or passphrases:
- Your name, birthday, address, pet’s name, family names.
- Common dictionary words used alone or sequentially (password123).
- Keyboard patterns (qwerty, asdfgh).
- Obvious substitutions (unless part of a very long, random passphrase).
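An added example (not from the article) that covers step 1 and step 5 together, and the substitution point made earlier about Tr0ub4dor&3: a passphrase generator that draws words with the operating system's CSPRNG, and a policy check that rejects the predictable patterns listed above, including a common word disguised by number-for-letter swaps. The word list and the common-word set are constructed for the example; a real deployment would use a published Diceware-style list and a large breached-password list.

```python
import re
import secrets

# Constructed word list for the example; use a published list of thousands of words.
WORDLIST = ["purple", "hippo", "banjo", "glacier", "correct", "horse", "battery",
            "staple", "copper", "meadow", "lantern", "otter", "violin", "zephyr"]

# Constructed common-word set: the words the article names as weak, plus a few extras.
COMMON = {"password", "iloveyou", "troubador", "qwerty", "letmein", "welcome"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345")
# Undo the substitutions the article describes (o->0, a->4, e->3, and similar).
LEET = str.maketrans({"0": "o", "4": "a", "3": "e", "1": "i", "@": "a", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 20  # the article's lower bound for a passphrase


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = " ") -> str:
    """Draw each word independently with `secrets` (never the `random` module)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def is_predictable(candidate: str) -> bool:
    """Flag keyboard runs, common words (even with trailing digits/symbols and
    number-for-letter swaps), and a short common word simply repeated."""
    lowered = candidate.lower()
    if any(run in lowered for run in KEYBOARD_RUNS):
        return True
    # Strip the trailing "123" / "!23" habit, then undo the substitutions.
    core = re.sub(r"[^a-z]+$", "", lowered).translate(LEET)
    if core in COMMON:
        return True
    half = len(core) // 2
    if half > 0 and core == core[:half] * 2 and core[:half] in COMMON:
        return True
    return False


def meets_policy(candidate: str) -> bool:
    """Long enough and free of the predictable patterns above."""
    return len(candidate) >= MIN_LENGTH and not is_predictable(candidate)


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, "->", "ok" if meets_policy(phrase) else "rejected")
    for weak in ("Tr0ub4dor&3", "P@$$wOrd!23", "iloveyou123", "passwordpassword"):
        print(f"{weak:18s} -> predictable: {is_predictable(weak)}")
```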
Secure and Sane Passwords Are Possible
Online safety rules keep changing as computers get faster. The latest research shows that tricky passwords we thought were safe might not be good enough anymore.
But the good news is that keeping your accounts safe doesn’t have to mean using passwords that are impossible to remember! By making longer passphrases from random words, using a password manager to keep track of them, and turning on that extra security step (MFA), you can protect yourself much better online. And importantly, it’s a system you can actually use without tearing your hair out.
Stop struggling with passwords like Tr0ub4dor&3.
Try making a long, memorable phrase using random words (like purple hippo banjo glacier — but pick your own!). It’s a simpler, stronger way to stay safe online.
Postscript: Here is an inspired password generator: https://www.correcthorsebatterystaple.net/index.html
References
- XKCD Password Strength — https://xkcd.com/936/
- Correct Horse Battery Staple — https://www.correcthorsebatterystaple.net/index.html
- Risks of Password Managers — https://www.schneier.com/blog/archives/2019/06/risks_of_passwo.html
- Password reuse, credential stuffing and another billion records in Have I been pwned — https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/
- Wide World of Cyber: Krebs and Stamos on How AI Will Change Cybersecurity — https://www.deezer.com/us/episode/633713672 [audio]
- Are Your Passwords in the Green? — https://www.hivesystems.com/blog/are-your-passwords-in-the-green
- What are Salted Passwords and Password Hashing? — https://www.okta.com/blog/2019/03/what-are-salted-passwords-and-password-hashing/
- Sophos: A Guide to Strong Passwords — https://support.sophos.com/support/s/article/KBA-000005103
Final Word 🪅
