I was typing in my password to PGP when I began to wonder: In order to have passwords that are equally hard to break, how much longer would a simple password have to be than a complex password?
For the task I define a simple password as being made up of just lowercase characters and spaces, 27 possible characters, and a complex password as being formed from lowercase, uppercase, numbers, and punctuation -- 26 * 2 + 43 = 95 possible characters.
The number of possible passwords of a given length L drawn from an alphabet of c characters is c^L: the alphabet size raised to the power of the password length. So to find the ratio between the length of a simple password and the length of a complex password of equal cracking difficulty, we solve:
27^L = 95^M where L = the length of a simple password and M = the length of a complex password of equal difficulty.
Taking the log of both sides, we have L log (27) = M log (95).
Using base-10 logarithms (any base gives the same ratio), log (27) = 1.431 and log (95) = 1.978. Divide both sides by log (27) and we have:
L = 1.38 * M
So a simple password need only be about a third longer than a complex password to be equally safe.
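The derivation above carried through in code, as an added example that is not part of the original post: it generalizes the 27-versus-95 case to any two alphabet sizes and, because real passwords have whole-number lengths, rounds the simple password up to the smallest length L at which 27^L is at least 95^M, checking that with exact integer arithmetic rather than trusting the floating-point ratio.

```python
import math

SIMPLE_ALPHABET = 27   # lowercase letters plus space, as defined in the post
COMPLEX_ALPHABET = 95  # lowercase, uppercase, digits and punctuation


def length_ratio(simple_alphabet: int, complex_alphabet: int) -> float:
    """L/M from simple^L = complex^M, i.e. log(complex) / log(simple)."""
    return math.log(complex_alphabet) / math.log(simple_alphabet)


def equivalent_length(simple_alphabet: int, complex_alphabet: int, complex_len: int) -> int:
    """Smallest integer L such that simple_alphabet**L >= complex_alphabet**complex_len."""
    target = complex_alphabet ** complex_len
    # Start from the logarithmic estimate, then correct any float rounding exactly.
    est = math.ceil(complex_len * length_ratio(simple_alphabet, complex_alphabet))
    length = max(1, est)
    while simple_alphabet ** length < target:
        length += 1
    while length > 1 and simple_alphabet ** (length - 1) >= target:
        length -= 1
    return length


def entropy_bits(alphabet: int, length: int) -> float:
    """Search space of the password expressed in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    ratio = length_ratio(SIMPLE_ALPHABET, COMPLEX_ALPHABET)
    print(f"L = {ratio:.3f} * M")
    for m in (4, 8, 12, 16):
        l = equivalent_length(SIMPLE_ALPHABET, COMPLEX_ALPHABET, m)
        print(f"complex M={m:2d} ({entropy_bits(COMPLEX_ALPHABET, m):5.1f} bits) "
              f"<= simple L={l:2d} ({entropy_bits(SIMPLE_ALPHABET, l):5.1f} bits)")
```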