[diggeryo]

This question doesn't necessarily fit into this forum, but I couldn't find any other forum that it fits into. So considering passwords are used on a lot of web pages and in emails, I put it in here.

My question has to do with password strength. I've read many times it is a good idea to have not only upper and lower case letters in a password, but also have numbers and symbols. This will make it harder to break. However, what I don't understand is HOW it would be harder to break? I understand by adding numbers and symbols into the mix, you are making it take that much longer for a brute force attack to be successful.

HOWEVER--if the person trying to crack your password doesn't KNOW whether you have all letters or a combination of letters, numbers, symbols, wouldn't any two passwords of the same length theoretically take the same amount of time to crack, no matter their make up?

For example, if I have two passwords of 15 characters:

abcdefghijklmno
x@65:f$kW8)?=9F

If the attacker doesn't know that I used the first one (with only letters), then he/she will still have to implement numbers and symbols in the attack, and it should theoretically take just as long to crack it.

Or am I missing something?

thanks,
mike.

[Advertisements]

Hi Mike,

HOWEVER--if the person trying to crack your password doesn't KNOW whether you have all letters or a combination of letters, numbers, symbols, wouldn't any two passwords of the same length theoretically take the same amount of time to crack, no matter their make up?

No its all about the amount of possible combinations that equals the password, lets say your using a six letter word for your password, that means you have 6 letters, that each have 26 letters that it could be from the alphabet, so that gives you 308,915,776 password possibilities. That could be cracked in seconds. Now if you mix in uppercase letters, symbols, numbers, the possibilities are a great bit more. Here is an example.. if the password is mypassword that would be cracked in seconds. Now if you made it MyP@$$w0rd it would take quite a bit longer even weeks to crack it.

Now don’t get me wrong, any password can be cracked with the right amount of time and power so changing them often is a must. Here is a link where I got some of the above information. http://www.utdallas..../STpassword.htm it has a chart and some examples you can take a look at.

Let me know if that answers your question

[BHowett]

Hi Mike,

HOWEVER--if the person trying to crack your password doesn't KNOW whether you have all letters or a combination of letters, numbers, symbols, wouldn't any two passwords of the same length theoretically take the same amount of time to crack, no matter their make up?

No its all about the amount of possible combinations that equals the password, lets say your using a six letter word for your password, that means you have 6 letters, that each have 26 letters that it could be from the alphabet, so that gives you 308,915,776 password possibilities. That could be cracked in seconds. Now if you mix in uppercase letters, symbols, numbers, the possibilities are a great bit more. Here is an example.. if the password is mypassword that would be cracked in seconds. Now if you made it MyP@$$w0rd it would take quite a bit longer even weeks to crack it.

Now don’t get me wrong, any password can be cracked with the right amount of time and power so changing them often is a must. Here is a link where I got some of the above information. http://www.utdallas..../STpassword.htm it has a chart and some examples you can take a look at.

Let me know if that answers your question

[diggeryo]

Thanks for the reply, BHowett (and the informative link). I understand what you're saying about about uppercase letters, symbols, and numbers making the password harder to crack. But what I'm saying is that if the cracker doesn't know that you used only lowercase letters, then his brute force attack will still have to test for uppercase letters, symbols, and numbers. So, as long as the attacker doesn't know you used a password with only lowercase letters, it should offer you the same protection as one of the same length that also has uppercase letters, symbols, and numbers.

[BHowett]

No its s systematic attack starting at the lower obvious choices first, so it would be much faster. The time taken would be dependent on what your password is.

[diggeryo]

Ok, I think I completely understand now. Would this be correct then--

If you used a password with only lowercase letters and the cracker did not know this (and thus has to still check for uppercase letters, numbers, and symbols), then cracking the password would take longer than if the cracker knew it were only lowercase letters but shorter than if you had used an uppercase letter, number, or symbol in your password.