Strength of Passwords
How do you create passwords that cannot easily be broken by a brute-force attack on a fast computer?
The table shows the number of possible passwords in three different scenarios: A = "only lower case passwords", B = "lower case mixed with numbers", and C = "lower case mixed with upper case and numbers".
| Password length | A: only lower case (abc…z) | B: lower case and numbers (abc…z + 0123…9) | C: lower case, upper case and numbers (abc…z + ABC…Z + 0123…9) |
|---|---|---|---|
| 1 | 26 | 36 | 62 |
| 2 | 676 | 1,296 | 3,844 |
| 3 | 17,576 | 46,656 | 238,328 |
| 4 | 456,976 | 1,679,616 | 14,776,336 |
| 5 | 11,881,376 | 60,466,176 | 916,132,832 |
| 6 | 308,915,776 | 2,176,782,336 | 56,800,235,584 |
| 7 | 8,031,810,176 | 78,364,164,096 | 3,521,614,606,208 |
| 8 | 208,827,064,576 | 2,821,109,907,456 | 218,340,105,584,896 |
| 9 | 5,429,503,678,976 | 101,559,956,668,416 | 13,537,086,546,263,600 |
| 10 | 141,167,095,653,376 | 3,656,158,440,062,980 | 839,299,365,868,340,000 |
| 11 | 3,670,344,486,987,780 | 131,621,703,842,267,000 | 52,036,560,683,837,100,000 |
| 12 | 95,428,956,661,682,200 | 4,738,381,338,321,620,000 | 3,226,266,762,397,900,000,000 |
| 13 | 2,481,152,873,203,740,000 | 170,581,728,179,578,000,000 | 200,028,539,268,670,000,000,000 |
| 14 | 64,509,974,703,297,200,000 | 6,140,942,214,464,820,000,000 | 12,401,769,434,657,500,000,000,000 |
| 15 | | 221,073,919,720,733,000,000,000 | |
Compare the pink cells in the table
If a computer can break the code A15 in 1 second, then it will take
458,432 seconds to break the code in C15 (which is 5.3 days).
This shows clearly the advantage of using combinations of lower case
(abc), upper case (ABC) and numbers (0123). It is even better to also include
other symbols (when allowed), such as # or @, in the password.
Compare the green cells in the table
Let's say a computer can try 1,000,000,000 passwords per second and
we want to be sure that it cannot break our password in two weeks. Two
weeks is 1,209,600 seconds, so this computer can test 1,209,600,000,000,000
passwords in those two weeks. The green-marked fields show what password
length is sufficient.
Conclusion
Use combinations of lower case, upper case and numbers (and other symbols
if allowed), and use a length of at least 9 to create sufficiently strong
passwords.
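
The two comparisons above, worked as a calculation (an added example, not part of the original page). It assumes, as the page does, that every character is chosen uniformly at random and that the attacker has to exhaust the whole keyspace; scenario D, the 94 printable ASCII symbols, is an assumption added here for the "other symbols" remark.

```python
# Added example (not from the original page): the page's brute-force arithmetic.
import string

# Alphabet sizes for the page's scenarios A, B and C. "D" (all 94 printable
# ASCII characters except space) is an assumption added for "other symbols".
ALPHABETS = {
    "A": len(string.ascii_lowercase),                    # 26
    "B": len(string.ascii_lowercase + string.digits),    # 36
    "C": len(string.ascii_letters + string.digits),      # 62
    "D": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}


def keyspace(scenario: str, length: int) -> int:
    """Passwords of exactly `length` characters: one cell of the table."""
    return ALPHABETS[scenario] ** length


def slowdown(weak: str, strong: str, length: int) -> int:
    """How many times longer an exhaustive search takes for `strong`."""
    return keyspace(strong, length) // keyspace(weak, length)


def min_length(scenario: str, guesses_per_second: int, seconds: int) -> int:
    """Shortest length whose keyspace exceeds what the attacker can test."""
    budget = guesses_per_second * seconds
    length = 1
    while keyspace(scenario, length) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    two_weeks = 14 * 24 * 60 * 60          # 1,209,600 seconds
    rate = 1_000_000_000                   # guesses per second, from the page
    print("C15 / A15 slowdown:", f"{slowdown('A', 'C', 15):,}")
    for name in ALPHABETS:
        n = min_length(name, rate, two_weeks)
        print(f"{name}: {ALPHABETS[name]} symbols -> length {n} "
              f"({keyspace(name, n):,} passwords)")
```

Changing `rate` or the time window shows how quickly the required length grows as guessing hardware gets faster.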