Strength of passwords
When using computers you will often use passwords to protect files, or to log in to websites or programs. These passwords are like the key for a lock on a door; they prevent others from entering. Without the key you can't get in. If somebody else gets the key, you are not safe any more.
These days, computers are very fast, and hackers make use of this speed to find passwords, simply by trying millions of different passwords until they find the right one.
How can you create passwords that cannot easily be broken by a brute force attack with a fast computer?
Long passwords
To protect against this type of attack, a good strategy is to use passwords that are long enough. The longer the password, the longer it will take to find it.
Many different characters
But the length of a password is not the only strategy to use. It is also useful to create a password that makes use of a wide range of characters. Passwords that consist of only lowercase characters are easier to break than passwords that combine upper and lower case characters. In a moment we will see why.
Apart from characters from the alphabet it is also allowed to use numbers in passwords and sometimes also other characters. By including numbers and other characters in addition to the lower and upper case letters you can create an even stronger password.
Let's compare some different scenarios of making passwords.
The table below shows the number of possible passwords in three different scenarios:
| Password length | only lower case abc...z | lower case and numbers abc...z + 0123...9 | lower case, upper case and numbers abc...z + ABC...Z + 0123...9 |
| 1 | 26 | 36 | 62 |
| 2 | 676 | 1,296 | 3,844 |
| 3 | 17,576 | 46,656 | 238,328 |
| 4 | 456,976 | 1,679,616 | 14,776,336 |
| 5 | 11,881,376 | 60,466,176 | 916,132,832 |
| 6 | 308,915,776 | 2,176,782,336 | 56,800,235,584 |
| 7 | 8,031,810,176 | 78,364,164,096 | 3,521,614,606,208 |
| 8 | 208,827,064,576 | 2,821,109,907,456 | 218,340,105,584,896 |
| 9 | 5,429,503,678,976 | 101,559,956,668,416 | 13,537,086,546,263,600 |
| 10 | 141,167,095,653,376 | 3,656,158,440,062,980 | 839,299,365,868,340,000 |
| 11 | 3,670,344,486,987,780 | 131,621,703,842,267,000 | 52,036,560,683,837,100,000 |
| 12 | 95,428,956,661,682,200 | 4,738,381,338,321,620,000 | 3,226,266,762,397,900,000,000 |
| 13 | 2,481,152,873,203,740,000 | 170,581,728,179,578,000,000 | 200,028,539,268,670,000,000,000 |
| 14 | 64,509,974,703,297,200,000 | 6,140,942,214,464,820,000,000 | 12,401,769,434,657,500,000,000,000 |
| 15 | 1,677,259,342,285,730,000,000 | 221,073,919,720,733,000,000,000 | 768,909,704,948,767,000,000,000,000 |
Compare the pink cells in the table
If a computer can break the code A15 (only lower case, length 15) in 1 second, then it will take 458,432 seconds to break the code in C15 (lower case, upper case and numbers, length 15), which is 5.3 days.
This clearly shows the advantage of using combinations of lower case (abc), upper case (ABC) and numbers (0123). It is even better to also include other symbols (when allowed) such as # or @ in the password.
Compare the green cells in the table
Let's say a computer can try 1,000,000,000 passwords per second and we want to be sure that it cannot break our password in two weeks. Two weeks is 1,209,600 seconds, so this computer can test 1,209,600,000,000,000 passwords in the two weeks. The green-marked fields show what password length is sufficient.
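The two comparisons above can be recomputed directly. This is an added example, not part of the original page: the column labels A, B, C and all function names are assumptions of the example, while the guess rate and the two-week window are the page's figures.

```python
import string

# Character sets of the table's three columns. The letters A, B, C are this
# example's labels, following the page's "A15" / "C15" cell names.
ALPHABETS = {
    "A": string.ascii_lowercase,                                           # 26
    "B": string.ascii_lowercase + string.digits,                           # 36
    "C": string.ascii_lowercase + string.ascii_uppercase + string.digits,  # 62
}

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def slowdown(small, large, length):
    """How many times more candidates the larger alphabet gives at this length."""
    return keyspace(large, length) / keyspace(small, length)

def min_length(alphabet_size, guesses_per_second, seconds):
    """Shortest length whose keyspace exceeds the attacker's total guesses."""
    budget = guesses_per_second * seconds
    length = 1
    while keyspace(alphabet_size, length) <= budget:
        length += 1
    return length

def sufficient_lengths(guesses_per_second=1_000_000_000, seconds=14 * 24 * 3600):
    """Minimum length per column for the page's two-week scenario."""
    return {col: min_length(len(chars), guesses_per_second, seconds)
            for col, chars in ALPHABETS.items()}

if __name__ == "__main__":
    ratio = slowdown(26, 62, 15)
    print(f"C15 / A15 = {ratio:,.0f} (about {ratio / 86400:.1f} days if A15 takes 1 s)")
    for col, n in sufficient_lengths().items():
        print(f"column {col}: length {n} or more survives two weeks")
```

The calculation uses exact integers, so it does not depend on the rounded trailing digits in the larger table cells, and like the table it counts only passwords of exactly the given length.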
Conclusion
Use combinations of lower case, upper case and numbers (and other symbols
if allowed), and use a length of at least 9 to create sufficiently strong
passwords.
Random-looking passwords such as 19TqbFjotlD27 are difficult to remember, but if your grandfather was born in 1927 and you can remember a well-known, easy sentence like "The quick brown Fox jumps over the lazy Dog" (where nouns are written with a capital letter), the password is suddenly much easier to remember.
Try it for yourself. Just use a sentence you can easily remember (e.g. "I was born in the Year 1963", "My hometown since 2002 is New York") and turn it into a password (IwbitY1963 or Mhs2002iNY).
Last modified: 27 April 2010 - Copyright © 1995-2010 by Hein Bijlmakers