I have been thinking and talking more about security in recent weeks. Regular readers will have noticed that I have been concentrating on securing Windows 7, but one topic I didn’t discuss was that of passwords.
Almost everything we do with computers requires entering a password at some point. Just think about how many places you need to input a password: logging into your computer, a web site, or software that is installed on your computer. With many of these places containing extremely private information, it is important that you use a strong, safe password to prevent unwanted individuals from accessing your information. Let’s look at what makes a strong password to protect your data.
It’s All About Length
Whenever we are asked to create a password, many places talk about creating complex passwords that include upper and lower case letters, numbers, and symbols (punctuation). They may also require a minimum password length, such as 8 characters. While creating complex passwords is a good start, it doesn’t guarantee the most secure password. A complex password, using the rules stated above, that is 8 characters long is easier to crack than one that uses only lower case letters but is 15 characters long. Why is that? Let’s take a look.
The table below lists some numbers that I will be using through the remainder of this post. It contains the character count for various ASCII-printable characters on a computer.
| Character Count | Description |
|---|---|
| 26 | Lower or upper case letters only. |
| 52 | Lower and upper case letters. |
| 10 | Numeric digits. |
| 32 | Punctuation and symbols. |
| 94 | ASCII-printable characters. |
Using the above table we can determine the number of possible passwords for any of these character sets if we know the length of the password. To do this we simply take the number of possible characters from the table and raise it to the power of the length. For example, the number of possible combinations for an 8 character password that uses all the ASCII-printable characters would be 94 raised to the power of 8 (94^8).
Since the length is the exponent in the equation, it has the most influence on the number of possible combinations. As an example, if we were to add one more character to the password, making it a 9 character password, the total number of combinations would jump to 94^9.
That is quite an increase just by adding one character.
Complexity Definitely Helps But Length is Still Better
If possible, you should always try to add complexity to any password you create, but you shouldn’t sacrifice length to make a password complex. As mentioned above, length has the most influence over the possible combinations of a password.
Let’s look at these examples. The first one uses all 94 printable ASCII characters and is 8 characters long (as before), while the second one uses only lower case letters but is 15 characters long.
ASCII Characters: 94, Length: 8
ASCII Characters: 26, Length: 15
That is a huge difference between the two lengths. Even though the second example uses 68 fewer ASCII characters, it still has far more possible combinations, simply because it is a longer password.
Using Longer Passwords
Using what I mentioned above, you should start generating longer passwords for the various sites that hold personal, sensitive information. Such sites include PayPal, your online banking web site, eBay, and e-mail sites.
Each site probably does have a limit on the number of characters you can include in your password. I know eBay and PayPal have a 20 character limit, while Google passwords can be much longer than 20 characters.
While there are limits, they are still large enough to create rather hard-to-crack passwords, especially if you use all the ASCII-printable characters and the maximum password length the site allows.
eBay and PayPal
Note: The Google example stops at 35 characters even though I know it can accept at least 64 characters. The 35 character limit was imposed by the calculator I was using, so I chose 35 so I could display a number.
Looking at the examples above, either 20 or 30 character passwords are secure enough that you wouldn’t need to worry about someone guessing your password.
While I didn’t go into any rules with regard to creating passwords, you can easily see that when creating passwords you should create them not only for complexity, but also for length.
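As an added example (not code from the original post), the following Python applies the post's rule, character-set size raised to the password length, to every case discussed here, including the 4-word passphrase a commenter describes below, and also reports bits of entropy and the time an attacker would need to try every combination at a constructed guess rate (the rate is an assumption, not a figure from the post).

```python
import math
from dataclasses import dataclass

# Constructed assumption for the time-to-exhaust column: ten billion
# guesses per second, i.e. an offline attack on a leaked password hash.
GUESSES_PER_SECOND = 10_000_000_000


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: int  # size of the character set (94 printable ASCII, 26 lower case, ...)
    length: int    # number of characters (or words) drawn from that set

    def keyspace(self) -> int:
        """The post's rule: possible passwords = alphabet ** length."""
        return self.alphabet ** self.length

    def bits(self) -> float:
        """Entropy in bits, assuming each position is chosen uniformly at random."""
        return self.length * math.log2(self.alphabet)

    def years_to_exhaust(self, rate: int = GUESSES_PER_SECOND) -> float:
        """Years needed to try the whole keyspace at `rate` guesses per second."""
        return self.keyspace() / rate / (60 * 60 * 24 * 365)


# The cases the post walks through, plus the commenter's passphrase scheme.
POLICIES = [
    Policy("94 printable ASCII, 8 chars", 94, 8),
    Policy("94 printable ASCII, 9 chars", 94, 9),
    Policy("26 lower case letters, 15 chars", 26, 15),
    Policy("94 printable ASCII, 20 chars (eBay/PayPal limit)", 94, 20),
    Policy("94 printable ASCII, 35 chars (Google example)", 94, 35),
    Policy("4 random words from a 5000-word list", 5000, 4),
]


def rank(policies=POLICIES):
    """Return the policies ordered from weakest to strongest keyspace."""
    return sorted(policies, key=lambda p: p.keyspace())


if __name__ == "__main__":
    # Note that the 15-character lower-case password outranks the 9-character
    # full-ASCII one, exactly the point the post makes about length.
    for p in rank():
        print(f"{p.name:50} {p.keyspace():>40,d}  {p.bits():6.1f} bits"
              f"  {p.years_to_exhaust():.3g} years")
```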
on April 17, 2010 at 10:09 am
The only thing you’re missing here is: The Human factor.
Long passwords, or with upper/lowercase characters and numbers are hard to remember, and hence there’s a much higher risk of them being written down, or saved somewhere that isn’t secure.
I loathe sites that demand I use a password with upper/lower case and numbers, as this forces me to use a slightly different password to my norm, which means I won’t remember it!
on May 14, 2010 at 5:01 pm
All that I do is come up with something I can easily remember, then mod the crap out of it. For example
It’s a simple plan
1tz@5impl3Pl@n!
Access Denied
@cc3ssD3n13d!
I see you
!C(O.O)You! < this one would probably be awful to type repetitiously..
on November 3, 2010 at 6:27 am
I really like your idea on how to make passwords Chuck! LOL they are great but I still will not remember them. I have to write them down…and that was fine until I ended up with 2 books full of passwords…AAHHH!!!
on November 3, 2010 at 8:15 am
Having a lot of passwords is a problem we all have. For me, I discuss how I keep track of my passwords in this post: Keep Your Passwords Secure with LockNote.
on January 10, 2011 at 10:29 pm
Use password manager software. It helps in generating, storing and entering password. No need to type in manually.
on August 18, 2011 at 8:29 pm
@Chuck: Sorry to bust your bubble, but sophisticated password-cracking software will know all of the same mods that you do. You’ll slow it down, but you probably won’t make it revert to brute-force, which means you’re in trouble.
XKCD has something to say on the subject: http://www.xkcd.com/936/
On the other hand, a long random sequence of all-lower-case words is *very* hard to crack. Conservative estimates of dictionary size are 5000 words or more, whereas the whole printable ASCII character set is only 94. So, just 4 random words – no capitalisation, no numbers, no special characters – gives you 5000^4 possible passphrases, which ends up being only one order of magnitude less than a completely-random, full-ASCII-set 8-character password. 5 words will be far stronger. And which one is easier to remember? No contest.
As an added bonus, most password crackers don’t target passphrases yet, so they’re trying every character combination, and a 4-word passphrase will probably be 20 characters long or more…
on September 21, 2011 at 11:49 pm
The longer, the more secure. But it’s also easier for you to forget it. LOL