Size Does Matter…at Least for Passwords
I have been thinking and talking more about security in recent weeks. For my regular readers you would have noticed that I have been concentrating on securing Windows 7, but one topic I didn’t discuss was that of passwords.
It seems everything we do with computers, you will usually need to enter a password at some point. Just think about how many places you need to input a password, such as logging into your computer, a web site, or software that is installed on your computer. With many of these places containing extremely private information, it is important that you use a strong, safe, password to prevent unwanted individuals from accessing your information. Let’s look at what is a strong password to protect your data.
It’s All About Length
Whenever we are requested to create a password, many places talk about creating complex passwords that include upper and lower case letters, numbers, and symbols (punctuation). They may also require a minimum length of the password, such as 8 characters. While creating complex passwords is a good start, it doesn’t always guarantee the most secure password. A complex password, using the rules stated above, that is 8 characters long is easier to crack than one that uses only lower case letters but is 15 characters long. Why is that? Let’s take a look.
The table below lists some numbers that I will be using through the remainder of this post. It contains the character count for various ASCII-printable characters on a computer.
|26||Lower or upper case letters only.|
|52||Lower and upper case letters.|
|10||Numeric digits.||32||Punctuation and symbols.|
By using the above table we can determine the number of possible passwords by using one of the above variations if we know the length of the password. To do this we simply take the number of possible characters from the table, and raise it to the power of the length. For example, the number of possible combinations for an 8 character password that uses all the ASCII-printable characters would be:
Since the length is the exponent in the equation, it has the most influence on the number of possible combinations. As an example if we were to add one more character to the password, making it a 9 character password, the total number of combinations would jump to:
That is quite an increase just be adding one character.
Complexity Definitely Helps But Length is Still Better
If possible, you should always try to add complexity to any password you create, but you shouldn’t sacrifice length to make a password complex. As mentioned above, length has the most influence over the possible combinations of a password.
Let’s look at these examples. The first one uses all 94 printable ASCII characters and is 8 characters long (as before), while the second one uses only lower case letters but is 15 characters long.
ASCII Characters: 94, Length: 8
ASCII Characters: 26, Length: 15
That is a huge difference between the two lengths. Even though the second example uses 68 fewer ASCII characters, it still has the most possible combinations, simply because it is a longer password.
Using Longer Passwords
By using what I mentioned above, you should start looking at generating longer passwords for various sites that contain personal, sensitive, information. Sites include PayPal, your online banking web site, eBay, and e-mail sites.
Each site probably does have a limit on the number of characters you can include in your password. I know eBay and PayPal have a 20 character limit, while Google passwords can be much longer than 20 characters.
While there are limitations, they are still large enough to create rather hard-to-crack passwords, especially if you were to use all the ASCII-printable characters, and were to use the maximum size password.
eBay and PayPal
The Google example stops at 35 characters even though I know it can accept at least 64 characters. The 35 character limit was imposed on the calculator I was using, so I chose 35 so I could display a number.
By looking at the examples above, either 20 or 30 character passwords are secure enough where you wouldn’t need to worry about someone guessing your password.
While I didn’t go into any rules with regards to creating password, you can easily see that when creating passwords you should create them not only for complexity, but also for length.