Most websites that handle important information (Gmail, for instance) have some kind of brute force protection. Sometimes, if you try more than X times, it will lock the account or at least give you a captcha to solve.
Currently all the security experts keep saying the same thing: make long, mixed-character, high-entropy passwords. This makes a lot of sense if you think about an RSA key, or something that could be decrypted offline, but is it really important when we talk about online account passwords?
For example, we create a password for Gmail using only 6 letters from the English alphabet. This is approximately 26^6 = 309 million combinations. If we consider that we can test 1 password per second (which I think is faster than we actually can, if you take into account the Gmail captchas), we will need up to 10 years to break it, and 5 years on average.
Points to consider:
- If you use the same password on different websites, another website could be hacked and your password exposed. I'm assuming that the password is unique, used only with Gmail.
- If somebody can grab the database, they could brute force the hash of your password offline. I'm assuming that the website uses at least a salted hash (it is very unlikely that the hacker will try to break all passwords) and/or that it is very unlikely that the database will be hacked (a fair assumption with Gmail).
- I am also assuming that your password is not a dictionary word or something easy to guess. This should rule out multiple-account brute force (e.g. testing the same common password across multiple accounts).
Is it safe to assume that we don't need a really long password for websites as long as we follow the other security measures? If we suggest that people use a long password just because they normally don't follow the other security advice (using the same password across accounts, etc.), aren't we really trying to fix the symptoms and not the cause?
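As an added illustration (this code is not part of the original question or any answer to it), the following Python works the question's arithmetic through for several password policies and several attacker positions. Only the 1 guess per second online figure comes from the question; the lockout model (`rate_under_lockout`), the offline hash-cracking rates and the other policies are assumptions chosen to show how the same keyspace behaves online versus offline.

```python
# Added example, not from the original post: brute-force time estimates for
# the 6-lowercase-letter password in the question, compared across attacker
# positions. All guess rates except the question's 1 guess/second are
# constructed assumptions for illustration, not measured figures.

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords for a given alphabet and length."""
    return alphabet_size ** length


def rate_under_lockout(attempts_per_window: int, window_seconds: float) -> float:
    """Effective guesses/second an online attacker gets when the site allows
    only `attempts_per_window` failures per `window_seconds` before locking
    or challenging the account. Constructed model of the question's
    'more than X times' protection; the numbers are assumptions."""
    return attempts_per_window / window_seconds


def time_to_exhaust_seconds(alphabet_size: int, length: int,
                            guesses_per_second: float) -> float:
    """Worst case: every candidate must be tried."""
    return keyspace(alphabet_size, length) / guesses_per_second


def expected_time_seconds(alphabet_size: int, length: int,
                          guesses_per_second: float) -> float:
    """Average case: the right password is found halfway through the space."""
    return time_to_exhaust_seconds(alphabet_size, length, guesses_per_second) / 2


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


# Attacker positions to compare. Only the first rate comes from the question;
# the rest are assumed values for illustration.
ATTACK_RATES = {
    "online, 1 guess/s (question's figure)": 1.0,
    "online, 5 tries per 15 min lockout (assumed)": rate_under_lockout(5, 15 * 60),
    "offline, slow salted hash (assumed 1e4/s)": 1e4,
    "offline, fast unsalted hash on GPU (assumed 1e10/s)": 1e10,
}

# Password policies to compare: (label, alphabet size, length).
POLICIES = [
    ("6 lowercase letters (question)", 26, 6),
    ("8 lowercase letters", 26, 8),
    ("8 mixed-case + digits", 62, 8),
    ("12 printable ASCII", 95, 12),
]


def estimate_table() -> dict:
    """Return {policy: {attack: expected years to find the password}}."""
    return {
        policy: {
            attack: years(expected_time_seconds(alphabet, length, rate))
            for attack, rate in ATTACK_RATES.items()
        }
        for policy, alphabet, length in POLICIES
    }


if __name__ == "__main__":
    for policy, row in estimate_table().items():
        print(policy)
        for attack, y in row.items():
            print(f"  {attack:52s} {y:12.3g} years (average)")
```

Run stand-alone it prints one row per policy and attacker. The point it makes about the question: with the question's 1 guess/second, 26^6 does give roughly 5 years on average, but the same 6-letter password falls in well under a second to an offline attacker with a fast unsalted hash, which is why the "database is never stolen" assumption is doing most of the work in the argument.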