Passwords: which is better, complexity or length?

This morning, I came across a Gizmodo article, “Why That Fancy Password Isn’t Nearly as Safe as You Thought”, which argues that a short, complex password is not safer than a few simple dictionary words.

The story links to a webcomic image that illustrates the theory using the concept of entropy.

[xkcd comic: Password strength]

Is this true? As a regular listener of the Security Now podcast, I took the two passwords used in the webcomic, tested them on the Search Space calculator page and found the following:

The password “Tr0ubdor&3” has a search space of 6.05 × 10^19
(or 60,510,648,114,517,017,120 possibilities).

The password “correcthorsebatterystaple” has a search space of 2.46 × 10^35
(or 246,244,783,208,286,292,431,866,971,536,008,150 possibilities).

So, according to GRC’s Search Space calculator page (see its “How can I apply this to my daily life?” section), a few simple, easy-to-remember words are likely to be harder to crack by brute force than a shorter, complex (and hard to remember) password, because of the difference in search space. The only downside is that the long, simple password involves more typing.
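As an added example (not from the post or from GRC), here is the search-space arithmetic the calculator performs, reimplemented in Python: the alphabet is the sum of the character classes the password uses (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the search space is every string over that alphabet up to the password's length. It also computes the comic's figure for the same passphrase under a different attacker model, four words drawn from an assumed 2048-word list, to show that a search space is always a statement about what the attacker is assumed to know.

```python
import math
import string

# Character classes that count toward the alphabet size in GRC's calculator.
# Symbols are the 32 ASCII punctuation characters plus the space (33 total).
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation) | {" "},  # 33
}


def alphabet_size(password: str) -> int:
    """Alphabet = total size of every character class the password uses."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def grc_search_space(password: str) -> int:
    """Exact count of all strings over that alphabet of length 1..len(password),
    i.e. sum_{i=1}^{n} A^i, which is the figure the calculator page reports."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** i for i in range(1, n + 1))


def words_entropy_bits(n_words: int, dictionary_size: int = 2048) -> float:
    """Entropy when the attacker knows the password is n_words words taken from a
    list of dictionary_size entries (assumed model: 2048 words, 11 bits each)."""
    return n_words * math.log2(dictionary_size)


def seconds_to_exhaust(search_space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole search space at a given guess rate."""
    return search_space / guesses_per_second


if __name__ == "__main__":
    # Constructed sample rate (1e11 guesses/s) for an offline attack, an assumption.
    for pw in ("Tr0ubdor&3", "correcthorsebatterystaple"):
        space = grc_search_space(pw)
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}, "
              f"search space {space:.2e} ({math.log2(space):.1f} bits), "
              f"{seconds_to_exhaust(space, 1e11) / 31_557_600:.2e} years at 1e11/s")
    # Same passphrase seen as 4 dictionary words: a much smaller space.
    print(f"4 words from a 2048-word list: {words_entropy_bits(4):.0f} bits")
```

The brute-force figure for the passphrase (about 118 bits) only holds against an attacker who does not know it is built from common words; a word-list model gives 44 bits, which is the number the comic itself uses.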

Conclusion: forget the old password rules that require uppercase letters, numbers and punctuation to raise the number of entropy (unpredictability) bits; a simple, easy-to-remember, lengthy password maximizes entropy bits and is therefore a better guard against guessing attacks.

