17 March 2007

Password Strength

Impromptu

I came across a thread at UbuntuForums where someone asked how safe the password “s8fd7fg67fdg6” is. All these years, and we still have password education issues.

Excusing the fact that the guy just mashed on the keyboard, producing something unlike what he would actually use when password-picking time came, this is a horrible password. It would take a while to crack, but it's hard to remember and could easily be a lot stronger. 600+ times stronger, actually.

So, putting easy to remember aside, I will make a few assertions. If you want proof, do the math.


  • The strength of a password is determined by the maximum number of attempts a brute force attack would require to find the password under ideal conditions. Ideal conditions in this case are knowing the maximum length of the password and the character set it was derived from. There is more to intelligent brute forcing (no, not a misnomer) than that, but that is beyond the scope of this piece.

  • The maximum number of attempts required, as described above, can be calculated by adding one to the size of the character set s, and raising the result to the length of the password l. That would be (s+1)^l, of course. The +1 is in there because I said “maximum” above. We have to account for the possibility that a password is shorter than the maximum by including an empty character in the character set.

  • Working under the assumption that we know the maximum length of the password as well as its character set is quite reasonable, considering that the average password is 8 characters long*, the vast majority of passwords do not contain non-alphanumeric characters*, and minimum and maximum password lengths are very often imposed on users.



*These numbers came from a group of passwords acquired from MySpace users that fell for a phishing attack. You'd think that this represents the bottom rung of users, and you'd be right, but previous password auditing results have given similar numbers. Your average computer and Internet user isn't really that savvy. Juicy details at http://www.schneier.com/blog/archives/2006/12/realworld_passw.html.

If you start with a password up to 6 characters long, composed of numbers and lowercase letters, there are 2,565,726,409 possible combinations. Increasing the length by just one character yields 94,931,877,133 possible combinations. If you include capital letters in the character set instead of increasing the password length, you get 62,523,502,209 possibilities. Obviously, it's better to increase your password length. But wait!

If you start with a 7 character password made up of lower case letters and numbers, and increase the length to 8 characters, you have 3,512,479,453,921 possibilities. If you change the character set instead, there are 3,938,980,639,167 possibilities. Woah!

So, what does this tell us? To over-simplify, if your password is going to be more than 7 characters long, character set matters more than password length.
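To do the math the post leaves to the reader, here is an added example (not from the original post) that computes (s+1)^l for the two character sets above, compares "one more character" against "a wider character set" at each length, and finds the length at which the wider set starts to win. The character sets are built from Python's string module; the function names are my own.

```python
import math
import string

# The two character sets the post compares (constructed from the stdlib)
LOWER_DIGITS = string.ascii_lowercase + string.digits   # 36 symbols
MIXED_DIGITS = string.ascii_letters + string.digits     # 62 symbols


def max_attempts(charset_size: int, max_length: int) -> int:
    """Worst-case brute-force attempts for a password of up to max_length
    symbols drawn from charset_size symbols: (s+1)^l.  The +1 is the
    empty symbol that lets shorter-than-maximum passwords be counted."""
    return (charset_size + 1) ** max_length


def keyspace_bits(charset_size: int, max_length: int) -> float:
    """The same quantity as bits of entropy, log2((s+1)^l)."""
    return max_length * math.log2(charset_size + 1)


def compare_upgrades(charset_size: int, bigger_charset_size: int, length: int) -> dict:
    """Given a `length`-symbol password over `charset_size` symbols, compare
    adding one character against switching to the bigger charset as-is."""
    longer = max_attempts(charset_size, length + 1)
    wider = max_attempts(bigger_charset_size, length)
    return {"longer": longer, "wider": wider,
            "better": "length" if longer > wider else "charset"}


def crossover_length(charset_size: int, bigger_charset_size: int) -> int:
    """Smallest l at which the wider charset beats one extra character,
    i.e. the first l with (S+1)^l > (s+1)^(l+1)."""
    l = 1
    while max_attempts(bigger_charset_size, l) <= max_attempts(charset_size, l + 1):
        l += 1
    return l


if __name__ == "__main__":
    s, big = len(LOWER_DIGITS), len(MIXED_DIGITS)
    for l in range(6, 9):
        r = compare_upgrades(s, big, l)
        print(f"l={l}: +1 char -> {r['longer']:,}  wider set -> {r['wider']:,}"
              f"  ({r['better']} wins, {keyspace_bits(s, l):.1f} bits now)")
    print("wider charset wins from length", crossover_length(s, big))
```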

1 comment:

Cheap SSL Certificate said...

Super piece of writing, I actually expect messages of your stuff.