<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Protecting your assets using one word – The Password</title>
	<atom:link href="http://www.gfi.com/blog/protecting-assets-word-password/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog/protecting-assets-word-password/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protecting-assets-word-password</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 13 Sep 2013 13:27:20 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>By: Emmanuel Carabott</title>
		<link>http://www.gfi.com/blog/protecting-assets-word-password/comment-page-1/#comment-843</link>
		<dc:creator>Emmanuel Carabott</dc:creator>
		<pubDate>Fri, 11 Dec 2009 10:13:19 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1725#comment-843</guid>
		<description><![CDATA[I agree that using special characters will significantly increase the password strength. The reason I didn&#039;t mention that was as it also makes the password harder to remember which is, in my opinion, one of the major issues with people not using strong passwords. In retrospect though I think I should have at least mentioned it. 

If we take an 8 character password which is composed of 3 lower case, 3 upper case and 2 digits we&#039;d have a password that gives about 30 billion combinations; while if it were to be made of 2 lower case, 2 upper case, 2 digits and 2 special characters that would make about 45 billion combinations.

More than that, anyone trying to brute force your password might actually not include special characters at all in his brute force set due to the bigger timescale required, thus it would ensure that for that attack your password cannot be cracked at all.

That being said, length is obviously your ally as well. In order for a brute force attack to crack the password given in the example: Mc2322UtPaDnW2D an attack needs to be configured to go through 14 quintillion combinations (that&#039;s 10 to the power of 18). If one adds special characters to this password it can be shortened by a couple of characters and keep the same number of combinations, so just see what&#039;s easiest for your users to remember. In any case both passwords will need 1000s of years to brute force so one should be pretty safe there.]]></description>
		<content:encoded><![CDATA[<p>I agree that using special characters will significantly increase the password strength. The reason I didn&#8217;t mention that was as it also makes the password harder to remember which is, in my opinion, one of the major issues with people not using strong passwords. In retrospect though I think I should have at least mentioned it. </p>
<p>If we take an 8 character password which is composed of 3 lower case, 3 upper case and 2 digits we&#8217;d have a password that gives about 30 billion combinations; while if it were to be made of 2 lower case, 2 upper case, 2 digits and 2 special characters that would make about 45 billion combinations.</p>
<p>More than that, anyone trying to brute force your password might actually not include special characters at all in his brute force set due to the bigger timescale required, thus it would ensure that for that attack your password cannot be cracked at all.</p>
<p>That being said, length is obviously your ally as well. In order for a brute force attack to crack the password given in the example: Mc2322UtPaDnW2D an attack needs to be configured to go through 14 quintillion combinations (that&#8217;s 10 to the power of 18). If one adds special characters to this password it can be shortened by a couple of characters and keep the same number of combinations, so just see what&#8217;s easiest for your users to remember. In any case both passwords will need 1000s of years to brute force so one should be pretty safe there.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: blak3x</title>
		<link>http://www.gfi.com/blog/protecting-assets-word-password/comment-page-1/#comment-825</link>
		<dc:creator>blak3x</dc:creator>
		<pubDate>Thu, 10 Dec 2009 17:12:19 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1725#comment-825</guid>
		<description><![CDATA[Good post.  Though one should also mention that ideally not only letters (caps and not) and numbers should be used since brute force applications still find it relatively easy to crack them.  One should also use other special characters such as @#$ etc.]]></description>
		<content:encoded><![CDATA[<p>Good post.  Though one should also mention that ideally not only letters (caps and not) and numbers should be used since brute force applications still find it relatively easy to crack them.  One should also use other special characters such as @#$ etc.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
