Password probability
After my post the other day, I ended up having a conversation about passwords which reminded me of this XKCD comic: http://xkcd.com/936/
This comic illustrates the password problem nicely for people who understand entropy in information theory, but I was attempting to explain it to someone without that background. I thought it might be good to demonstrate how quickly the number of combinations grows with password length versus how quickly it grows with a larger set of symbols.
First, the raw numbers:
| length | lower-case alphabetical (26 symbols) | mixed-case alphabetical (52 symbols) | mixed-case alphanumeric (62 symbols) |
|---|---|---|---|
| 4 | 456,976 | 7,311,616 | 14,776,336 |
| 5 | 11,881,376 | 380,204,032 | 916,132,832 |
| 6 | 308,915,776 | 19,770,609,664 | 56,800,235,584 |
| 7 | 8,031,810,176 | 1,028,071,702,528 | 3,521,614,606,208 |
| 8 | 208,827,064,576 | 53,459,728,531,456 | 218,340,105,584,896 |
Now let’s look at the increase relative to a 4-character lower-case password (each cell is that style and length divided by 26^4):
| length | lower-case alphabetical | mixed-case alphabetical | mixed-case alphanumeric |
|---|---|---|---|
| 4 | 1x | 16x | 32.33x |
| 5 | 26x | | |
| 6 | 676x | | |
| 7 | 17,576x | | |
| 8 | 456,976x | | |
This definitely looks good for password length versus the number of symbols, but we should check further before jumping to conclusions. For good measure, let’s take a 6-character lower-case password as the baseline:
| length | lower-case alphabetical | mixed-case alphabetical | mixed-case alphanumeric |
|---|---|---|---|
| 6 | 1x | 64x | 183.87x |
| 7 | 26x | | |
| 8 | 676x | | |
| 9 | 17,576x | | |
It doesn’t look as good: it now takes two extra characters to beat either symbol increase, but the symbol increase is still quickly outstripped. Let’s move the baseline up a bit and check 8 characters:
| length | lower-case alphabetical | mixed-case alphabetical | mixed-case alphanumeric |
|---|---|---|---|
| 8 | 1x | 256x | 1045.6x |
| 9 | 26x | | |
| 10 | 676x | | |
| 11 | 17,576x | | |
Again, the longer baseline improves the relative effectiveness of the symbol increase, but it still doesn’t take many extra characters to outstrip it with password length.
As you can see, while adding a single character to a lower-case password doesn’t necessarily beat moving to a mixed-case alphabet, adding a few more characters quickly pushes the number of combinations beyond what the larger symbol set provides, because the growth rate with length is far greater.
So next time you use a password, don’t use something like 6d0nK3y8, use something like donkeybucketmondaytrumpet instead. It’s longer, but far easier to remember and more secure as well.
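The tables above can be regenerated for any baseline with a few lines of code. This is an added example, not part of the original post; the style names and symbol-set sizes (26, 52, 62) are the ones the tables use, and `extra_lowercase_chars_to_beat` answers the question the post asks by hand: how many extra lower-case characters beat a bigger alphabet at the same length.

```python
from math import log2

# Symbol-set sizes for the three password styles in the tables above
STYLES = {
    "lower-case alphabetical": 26,
    "mixed-case alphabetical": 52,
    "mixed-case alphanumeric": 62,
}


def combinations(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same search space expressed in bits, the unit the XKCD comic uses."""
    return length * log2(alphabet_size)


def increase_factor(alphabet_size: int, length: int, base_size: int, base_length: int) -> float:
    """How many times larger one search space is than a baseline search space."""
    return combinations(alphabet_size, length) / combinations(base_size, base_length)


def extra_lowercase_chars_to_beat(alphabet_size: int, length: int) -> int:
    """Smallest number of extra lower-case characters whose search space exceeds
    a `length`-character password drawn from the larger alphabet."""
    target = combinations(alphabet_size, length)
    extra = 0
    while combinations(26, length + extra) <= target:
        extra += 1
    return extra


def increase_table(base_length: int, rows: int = 4) -> list:
    """The 'increase from a lower-case password' tables above, with every cell filled:
    a list of (length, {style: factor}) relative to 26**base_length."""
    table = []
    for length in range(base_length, base_length + rows):
        factors = {name: increase_factor(size, length, 26, base_length)
                   for name, size in STYLES.items()}
        table.append((length, factors))
    return table


if __name__ == "__main__":
    for base in (4, 6, 8):
        print(f"relative to a {base}-character lower-case password:")
        for length, factors in increase_table(base):
            print(f"  {length:2d}: " + "  ".join(f"{f:,.2f}x" for f in factors.values()))
        for name, size in STYLES.items():
            print(f"  {name} at {base} chars = {entropy_bits(size, base):.1f} bits; "
                  f"beaten by {extra_lowercase_chars_to_beat(size, base)} extra lower-case chars")
```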
Are you using unrelated work for dictionary-based attack?
Do you think that a dictionary-based attack will ‘capture’ everydaygreenroboteatapples more easily than donkeybucketmondaytrumpet? Or any other sentences?
Or just because you want to avoid social engineering to retrieve the pass phrase knowing my background?
@GeoVah
Although dictionary attacks can work, they have to land on the exact combination of words in order to work. So no matter what, cabbagesquirrel as a password is less prone to dictionary attack than cabbage22. Just don’t use predictable words like names that people can guess; use normal words strung together.
So Yoda is also a password master “GreenRobotAppleEat” !