Password Security

Factors that impact password strength (Section 1)

In our previous blog I introduced three factors that determine a password’s strength. Here are the first two I mentioned:

Factor 1. Number of symbols

Symbols here mean any character typically used or usable by the computer. For example, numbers consist of ten symbols, 0 to 9. Lower-case letters a to z are a further 26 symbols. Letters therefore inherently generate more password strength than numbers when used alone. Comparing the previous example of ‘12345’ with ‘abcde’ shows a huge gap in the total guesses required to cover the full scope of all passwords of that level: from ‘aaaaa’ to ‘zzzzz’ there would be 11.8m guesses. That is 11.7m more possibilities than 5 numbers. There are also upper-case letters, which double the number of letter-style symbols to 52; add the regular numbers to get to 62, and we haven’t even explored the special characters yet.

Special characters, for example: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

When we include a number, a capital and perhaps a dollar sign in our passwords, anyone trying to crack them through brute force has to check the whole range of possible symbols if they want to achieve maximum success.

Factor 2. Password length

Surprise, surprise, a wider selection of possible symbols makes for greater password strength, but that would mean very little if your password is very short. For every additional symbol added to the length of your password, you multiply the number of guesses needed by the number of symbols, so the total grows exponentially with length.

‘55’ would be 10×10 = 100 (numbers only)

‘ab’ would be 26×26 = 676 (lower case only)

‘1a’ would be 36×36 = 1,296 (numbers and lower case)

‘Ca7’ would be 62×62×62 = 238,328 (all cases and numbers)

‘F1sh1nG4’ would be 62×62×62×62×62×62×62×62 = 218,340,105,584,896 (that’s two hundred trillion)

This is assuming the cracker knew which symbol ranges were used, but as you can see, the jump from length 3 to 7 is quite substantial. If you are having a hard time with very large numbers, then I’m sorry to say that these numbers are not very big if you are a computer. A password which many may regard as decent enough, i.e. the aforementioned ‘F1sh1nG4’, is actually not very strong; plug it into How Secure Is My Password and check it yourself.

It shows an average of 2 hours. Swapping the number 4 for its $ counterpart takes the total time up to 9 hours, as we have now included a special character, but add another 4 at the end instead of swapping to a $ and it now takes 4 days! That’s a much longer time to wait but still very possible on human timescales, and crackers don’t crack one at a time; they would crack millions of others in the same run.

This estimate is approximate, but it highlights exactly why password length is so incredibly important.

“Okay, okay, I see where you are going there, remembering all those substitutions is tiresome and typing the special characters is clunky. Surely, I can just make my easy password longer then; maybe just pick a super long word I know, easy to remember, easy to enter and difficult to brute force. I’ll go with ‘Discombobulate’”

-You probably

On the face of it, 837 thousand years of cracking time would seem to indicate a very strong password. It does, however, suffer from a very big shortcoming in that it’s an actual word. It is in the Oxford Dictionary, but unfortunately it is also in the cracker’s dictionary. How many words do you know? Typically 20 to 35 thousand for the average adult. That’s not a super huge list, and most words aren’t used very much at all. Humans go about their days using only a few thousand.
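The arithmetic from Factors 1 and 2 and the dictionary shortcut described above, as an added example that is not part of the original article. The word list is a constructed stand-in sized to the 35 thousand vocabulary figure, and the guess rate and the two variants tried per word are assumptions.

```python
import string

# Symbol classes from the article: 10 digits, 26 lower case, 26 upper case,
# and the 32 special characters it lists (same set as string.punctuation).
CLASSES = [string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation]

# Constructed stand-in for a cracker's word list, sized to the upper end of
# the article's 20 to 35 thousand word vocabulary figure.
WORDLIST = {f"word{i}" for i in range(34_999)} | {"discombobulate"}

ASSUMED_RATE = 10_000_000_000  # guesses per second; an assumption, not a benchmark


def pool_size(password):
    """Factor 1: symbols a brute-forcer must cover for the classes in use."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def brute_force_space(password):
    """Factor 2: pool size multiplied by itself once per character."""
    return pool_size(password) ** len(password)


def dictionary_space(password, wordlist, variants_per_word=2):
    """Candidates a word-list attack tries, or None if the word is not listed.

    variants_per_word is an assumption: each word as-is and capitalised.
    """
    if password.lower() in wordlist:
        return len(wordlist) * variants_per_word
    return None


def effective_space(password, wordlist=WORDLIST):
    """A password is only worth the cheaper of the two searches."""
    brute = brute_force_space(password)
    listed = dictionary_space(password, wordlist)
    return brute if listed is None else min(brute, listed)


if __name__ == "__main__":
    for pw in ["55", "ab", "1a", "Ca7", "F1sh1nG4", "F1sh1nG$", "Discombobulate"]:
        brute, real = brute_force_space(pw), effective_space(pw)
        print(f"{pw!r:17} pool={pool_size(pw):2} brute={brute:.3e} "
              f"effective={real:.3e} worst case={real / ASSUMED_RATE:.3e}s")
```

The first five rows reproduce the article's figures; the last row shows a 52^14 brute-force space collapsing to 70,000 candidates once the password is a listed word.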

Ben

Ben is looking after our clients’ IT systems and backups, making sure their equipment and infrastructure are responsive and reliable.

If you would like to talk to Ben about anything mentioned in this article please let me know and I will ask him to contact you and answer your questions.

Kamila

General Manager

Octagon Technology Ltd