The Bitmill® Inc.


Password Security 101
Password Length

Longer Passwords Enhance Computer Security

It's tempting to use short passwords; they are easier to type and easier to remember. Many computer systems require passwords of some minimum length, but for those that do not, consider the following reasons why longer passwords enhance computer security.

Suppose, for example, you wanted to select a 2-character password and you could choose a numeric password only. Then you would have 10 possible selections for each character, giving 10 x 10 = 100 possible combinations. With a little patience, a human cracker (let's call him Dick) would be successful within a very short time: just 50 tries, on average.

We can improve things by allowing alphabetic characters, both upper- and lower-case. Now you have 26 + 26 + 10 = 62 choices for each of the two characters, giving 62 x 62 = 3844 possible combinations. Now Dick would have a difficult -- but not impossible -- challenge.

Simply adding one more character puts the challenge nearly out of Dick's reach. For a 3-character password, he must try 62 x 62 x 62 = 238328 different passwords (on average, 119164 attempts).

Suppose Dick first tries every word. If your 3-character password is a common English-language word, he has even less of a challenge than the previous 2-character example. Since the English language contains only about 3000 common words, he breaks your password in just 1500 tries, on average. This type of attack is called a dictionary attack.

Now Dick decides to use a computer. Since a typical laptop's processor performs a couple of billion operations per second (2GHz), a well-written cracking program easily could try more than a million 3-character passwords per second. Clearly, 119164 attempts would take less than a blink and your password is compromised.

Let's add another character. A 4-character password selected from the same character set gives us 62 x 62 x 62 x 62 = 14776336 -- almost 15 million -- combinations. Dick's laptop barely breaks a sweat, but notice how rapidly things are improving. We enjoy the benefits of exponential growth!

Clearly, a longer password is a stronger password, and with the processing power of modern computers, any password shorter than 8 characters is simply not secure. In fact, Dick could crack even an 8-character password in weeks, if not days, using his fairly modest laptop. Simply going to 9 or 10 characters pushes this out to years -- now Dick needs a couple of mainframes and a lot more patience. (Unfortunately, many existing systems have a password policy which limits passwords to 8 characters, so frequent password changes are even more important!)
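The arithmetic above can be written out as a small calculator. This is an added example, not code from the original article: it reproduces the article's own figures (10 digits, 62 alphanumerics, a 3000-word dictionary, a laptop guessing about a million passwords per second) and extends the table to the 8-, 9- and 10-character lengths the text discusses. The guess rate and the dictionary size are the article's assumptions, not measurements.

```python
# Brute-force and dictionary-attack arithmetic for the examples in the article.
# Constructed example; the rates below are the article's illustrative assumptions.

DIGITS = 10                  # numeric-only passwords
ALPHANUMERIC = 26 + 26 + 10  # upper-case, lower-case and digits = 62
COMMON_WORDS = 3000          # article's estimate of common English words
LAPTOP_GUESSES_PER_SECOND = 1_000_000  # article's "more than a million per second"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def average_attempts(space: int) -> int:
    """Expected guesses for an exhaustive search that stops on the first hit:
    on average the attacker finds it halfway through the space."""
    return space // 2


def dictionary_attempts(word_count: int) -> int:
    """A dictionary attack only has to cover the word list, not the keyspace."""
    return word_count // 2


def seconds_to_crack(space: int, guesses_per_second: float) -> float:
    """Average wall-clock time for an offline search at the given guess rate."""
    return average_attempts(space) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit, for the table below."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.6f} seconds"


def strength_table(alphabet_size: int, max_length: int,
                   guesses_per_second: float) -> list[tuple[int, int, int, float]]:
    """(length, keyspace, average attempts, average seconds) for lengths 1..max_length."""
    rows = []
    for n in range(1, max_length + 1):
        space = keyspace(alphabet_size, n)
        rows.append((n, space, average_attempts(space),
                     seconds_to_crack(space, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print(f"2 digits: {keyspace(DIGITS, 2)} combinations, "
          f"{average_attempts(keyspace(DIGITS, 2))} tries on average")
    print(f"3-char dictionary word: {dictionary_attempts(COMMON_WORDS)} tries on average")
    print("\nlength  keyspace                 avg attempts             avg time @ 1M/s")
    for n, space, attempts, secs in strength_table(ALPHANUMERIC, 10,
                                                    LAPTOP_GUESSES_PER_SECOND):
        print(f"{n:>6}  {space:>22,}  {attempts:>22,}  {human_duration(secs)}")
```

The table makes the exponential growth visible: each extra alphanumeric character multiplies both the keyspace and the attacker's work by 62, so the jump from 8 to 10 characters is a factor of 3844, not a 25% improvement. The guess rate is the only number an attacker controls, which is why the lockout discussion later on the page matters: these times apply to an offline attack against a copy of the password database.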

Password Management

An unfortunate side-effect of password policies which require longer passwords is that users are tempted to write them down -- few people can remember more than 7 unrelated items. The most common solution to this problem is the use of password management software. Password managers keep track of all of the user's passwords in a secure file, usually protected by a single password or a software key saved to a USB flash memory device or card.

Just to clean up a few loose ends:

The observant reader will point out that Dick cannot try even 50 combinations, since most systems will lock him out after just a few failed attempts. This is a good thing, but suppose Dick has obtained a copy of the password database! This is exactly what cracking programs use. Are you sure your password database has not been compromised? What about your favorite website's password database? (See Why Use Different Passwords).

In order to simplify the previous examples, we ignored punctuation characters. Obviously, these characters increase the number of possible combinations for a given-length password by some linear amount and should be included in your password selections.

I should also point out that many systems multiply the "combinations of all possible combinations" by appending extra random characters to each password before it is encrypted. This value is called "salt"; it effectively extends the password length by creating many possible stored results for the same password, so a table of precomputed results cannot be reused from one account to the next.
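To show what the salt actually does, here is an added example (not code from the original article) that stores the same password under two different salts and counts how much larger the table of possible stored values becomes. It uses SHA-256 from Python's standard library purely to illustrate the effect of the salt; the salt length of 16 bytes and the record layout are assumptions made for this example, and a real system would also use a deliberately slow password hash.

```python
import hashlib
import hmac
import os

# Constructed example: salt length and record layout are this example's choices.
SALT_BYTES = 16


def make_salt(n_bytes: int = SALT_BYTES) -> bytes:
    """Fresh random salt per account; never reuse one salt across users."""
    return os.urandom(n_bytes)


def hash_password(password: str, salt: bytes) -> bytes:
    """Digest of salt || password. The salt is stored next to the digest,
    so verification can recompute it; it is not a secret."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def create_record(password: str) -> tuple[bytes, bytes]:
    """What the system stores: (salt, digest). The password itself is not kept."""
    salt = make_salt()
    return salt, hash_password(password, salt)


def verify_password(candidate: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def stored_value_space(alphabet_size: int, length: int, salt_bytes: int) -> int:
    """Number of distinct (salt, password) inputs an attacker would have to
    precompute to cover every account: keyspace x 256**salt_bytes.
    This is the article's point that salt 'extends the password length'."""
    return alphabet_size ** length * 256 ** salt_bytes


def same_password_different_digests(password: str) -> bool:
    """Two accounts with an identical password do not share a stored digest."""
    _, d1 = create_record(password)
    _, d2 = create_record(password)
    return d1 != d2


if __name__ == "__main__":
    rec = create_record("correct horse")
    print("salt   :", rec[0].hex())
    print("digest :", rec[1].hex())
    print("verify right password:", verify_password("correct horse", rec))
    print("verify wrong password:", verify_password("wrong horse", rec))
    print("same password, distinct digests:",
          same_password_different_digests("correct horse"))
    plain = 62 ** 8
    salted = stored_value_space(62, 8, SALT_BYTES)
    print(f"8-char keyspace {plain:,}; with a {SALT_BYTES}-byte salt the "
          f"precomputation target grows by 2^{8 * SALT_BYTES}")
```

Note that the salt does not slow down an attacker who targets one specific account, since its salt is stored in the clear; it defeats the strategy of computing the encrypted form of every likely password once and then looking up every account against that single table.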

Finally, even in a general discussion about password length, it is important to consider the special case of the LM Hash, used as part of the NT password encryption scheme for Windows. In this case, longer may actually be worse!
