
Ed Password Format - Strength and Safety

Bell

Penultimate Amazing
Joined
Sep 9, 2006
Messages
21,050
A few months ago I read a thread on this forum (I think it was this forum) about passwords and why 12 characters is best/savest*. I can't find this anymore. Does anyone happen to know this thread?

Thanks!


* According to my spellcheck I spelled "savest" wrong :confused:
 
The word is safest. Soft f, not v.

Edit: with that being said, it might have to do with all the available combinations of 26 letters * 10 numbers * 32 punctuation marks raised to the 12 power. Presumably, it will take a super computer billions of years to crack it. Windows Calculator says that you can get 2.5856649203115638838176734288511e+8028 different combinations of passwords.
 
The word is safest. Soft f, not v.

Doy! :o

Edit: with that being said, it might have to do with all the available combinations of 26 letters * 10 numbers * 32 punctuation marks raised to the 12 power. Presumably, it will take a super computer billions of years to crack it. Windows Calculator says that you can get 2.5856649203115638838176734288511e+8028 different combinations of passwords.

Windows Calculator huh? ;)


I think there was a link to an article in that thread.
 
12 characters? Weaksauce. Passwords need 16 characters and include both upper and lower case letters, numbers, and special characters to be considered strong these days.
 
You're better off using a long passphrase in plain English than a short cryptic password, provided the system supports it.
 
Mine is 14 featuring upper and lower case letters, numbers, signs, foreign words, and...

a typo! Crack that!
 
12 characters? Weaksauce. Passwords need 16 characters and include both upper and lower case letters, numbers, and special characters to be considered strong these days.
Using all of those different and awkward keyboard characters isn't really as helpful as you think it is.

If you use a 16 character password, with each character taken from a set of 64 elements, the number of possible passwords is (2^6)^16 = 2^96, but if you limit your character set to 32 easy-to-type characters, such as the lower-case letters minus l and o, and the digits minus 0 and 1, you'll only need to add four more characters to your password to increase the number of possible combinations to (2^5)^20 = 2^100, or 16 times as many as you had before. It's a lot easier and less error-prone to type 20 easy characters that don't need the shift key than to type 16 characters that include many that are awkward and difficult-to-type, and the former is mathematically more secure. In general, lengthening your password a little is much more effective than including those "special" characters.
 
Using all of those different and awkward keyboard characters isn't really as helpful as you think it is.

If you use a 16 character password, with each character taken from a set of 64 elements, the number of possible passwords is (2^6)^16 = 2^96, but if you limit your character set to 32 easy-to-type characters, such as the lower-case letters minus l and o, and the digits minus 0 and 1, you'll only need to add four more characters to your password to increase the number of possible combinations to (2^5)^20 = 2^100, or 16 times as many as you had before. It's a lot easier and less error-prone to type 20 easy characters that don't need the shift key than to type 16 characters that include many that are awkward and difficult-to-type, and the former is mathematically more secure. In general, lengthening your password a little is much more effective than including those "special" characters.

True, but for some reason a lot of sites where such security is desired limit passwords to 16 characters and REQUIRE at least one of each character type, while very few allow 20 characters.
As an old BOFH once told me, "I'd rather reset passwords daily than have my system compromised by a weak password."
 
True, but for some reason a lot of sites where such security is desired limit passwords to 16 characters and REQUIRE at least one of each character type, while very few allow 20 characters.
As an old BOFH once told me, "I'd rather reset passwords daily than have my system compromised by a weak password."

I use a 6 digit numeric-only password.

Course it changes every 15 seconds.

[image: vasco_digipass_1.gif]
 
Using all of those different and awkward keyboard characters isn't really as helpful as you think it is.

If you use a 16 character password, with each character taken from a set of 64 elements, the number of possible passwords is (2^6)^16 = 2^96, but if you limit your character set to 32 easy-to-type characters, such as the lower-case letters minus l and o, and the digits minus 0 and 1, you'll only need to add four more characters to your password to increase the number of possible combinations to (2^5)^20 = 2^100, or 16 times as many as you had before. It's a lot easier and less error-prone to type 20 easy characters that don't need the shift key than to type 16 characters that include many that are awkward and difficult-to-type, and the former is mathematically more secure. In general, lengthening your password a little is much more effective than including those "special" characters.

True, but for some reason a lot of sites where such security is desired limit passwords to 16 characters and REQUIRE at least one of each character type, while very few allow 20 characters.
As an old BOFH once told me, "I'd rather reset passwords daily than have my system compromised by a weak password."

Sites that do that drive me nuts too. But from the security courses I've taken, the general sense in the IT Security community is that length is indeed better than complexity (oh, boy, the jokes that people can get out of that! :D;)). A few links I found that back that up are here:
http://www.infoworld.com/d/security-central/password-size-does-matter-531

... here:
http://blogs.mcafee.com/mcafee-labs/password-policy-length-vs-complexity

... here:
http://seclists.org/basics/2008/Jul/207

And here, a "brute force" time estimating calculator:
http://lastbit.com/pswcalc.asp

Granted, that site obviously must make quite a few assumptions as to the sort of attack being used. But still, it helps illuminate the principle illustrated in the first three links: Adding merely a single character of length to a password is the equivalent of adding quite a few characters to the set of available ones for use. Adding more length eventually starts winning out over adding available characters to the set.
 
Using all of those different and awkward keyboard characters isn't really as helpful as you think it is.

If you use a 16 character password, with each character taken from a set of 64 elements, the number of possible passwords is (2^6)^16 = 2^96, but if you limit your character set to 32 easy-to-type characters, such as the lower-case letters minus l and o, and the digits minus 0 and 1, you'll only need to add four more characters to your password to increase the number of possible combinations to (2^5)^20 = 2^100, or 16 times as many as you had before. It's a lot easier and less error-prone to type 20 easy characters that don't need the shift key than to type 16 characters that include many that are awkward and difficult-to-type, and the former is mathematically more secure. In general, lengthening your password a little is much more effective than including those "special" characters.

I'm not that good in math. Where did you get the 64 and 32 elements from?
And could you please explain your calculations to me?

Thanks!
 
I'm not that good in math. Where did you get the 64 and 32 elements from?
And could you please explain your calculations to me?

Thanks!
Okay.

I chose the numbers 32 and 64 just because they're convenient for demonstrating my point. Both numbers are powers of two.

Two raised to the fifth power, which means 2 x 2 x 2 x 2 x 2, or 2^5, equals 32. An example of a set of 32 characters that are all easy to type would be abcdefghjklmnpqrstuvwxyz23456789. Using this character set for the case of a password consisting of a single character, there would be 2^5, or 32, possible passwords.

For the case of a password consisting of two characters, there would be 32 X 32 or 1024 possible combinations. This can be expressed as

32^2 = (2^5)^2 = 2^(5 x 2) = 2^10.

The identity that applies here is (N^A)^B = N^(A x B).

For the case of a password consisting of 16 characters, there would be 32^16 = 1,208,925,819,614,630,000,000,000 possible combinations. This can be expressed as

(2^5)^16 = 2^(5 x 16) = 2^80.

(You can see the advantage of working with exponents when the numbers get huge like this.)

In the above case, if the character set is increased to 64 characters, which would necessarily involve using the shift key, there would be

(2^6)^16 = 2^(6 x 16) = 2^96 = 79,228,162,514,264,300,000,000,000,000 combinations.

That's 65,536 times as many combinations and an impressive increase in security, to be sure, but look what happens if you keep the set of 32 characters and just tack on four more characters for a total of 20. In that case you get

(2^5)^20 = 2^(5 x 20) = 2^100 = 1,267,650,600,228,230,000,000,000,000,000 combinations.

That's 16 times as many combinations from adding four more characters as what you'd get from increasing from a 32 character set to a 64 character set.

And that's why increasing password length is more effective than using a larger character set.
 
Thank you Towlie. I thought the 32 and 64 elements were based on a character set (alphabet + digits for example) and not the other way around. That's what confused me.

That's 65,536 times as many combinations and an impressive increase in security, to be sure, but look what happens if you keep the set of 32 characters and just tack on four more characters for a total of 20. In that case you get

(2^5)^20 = 2^(5 x 20) = 2^100 = 1,267,650,600,228,230,000,000,000,000,000 combinations.

That's 16 times as many combinations from adding four more characters as what you'd get from increasing from a 32 character set to a 64 character set.

And that's why increasing password length is more effective than using a larger character set.

So using all the lower case characters of the alphabet (26) and the 10 digits in a 16 character password would give me this result?
 
I'm not that good in math. Where did you get the 64 and 32 elements from?
And could you please explain your calculations to me?

Thanks!

Bell, take a peek at that brute force time estimate calculator I linked up above. I know you'd just have to trust it for now since it's a black box, but seriously, it'll help illustrate what towlie is saying. As a simple, quick example: Suppose I set up a 5 character password, check all the boxes for uppercase, numbers, punctuation, etc., and set the speed to 2,000,000 passwords checked per second. That ends up taking only 68 minutes. Now, go to a password only 6 characters long, but only check the lower and upper case letters boxes. It's using far fewer characters - only letters and their capitals - but it's more than doubling the time required to break it (165 minutes).

All dirty jokes aside: Length is better than complexity.
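The exponent arithmetic from Towlie's explanation (32^16 vs 64^16 vs 32^20) and the brute-force timing comparison in the post above, worked in one added example that is not from the thread or the linked calculator. It assumes a 95-character printable-ASCII set for the "all boxes checked" case, since the thread does not say which symbols the calculator counts, so the full-set minutes come out a little lower than the calculator's 68.

```python
import math

# Towlie's 32-character easy-to-type set, as quoted in the thread.
EASY32 = "abcdefghjklmnpqrstuvwxyz23456789"
# Character classes assumed for the calculator comparison; the thread does not
# say which symbols the calculator counts, so 95 printable ASCII is assumed.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"  # 33 symbols, space included


def keyspace(alphabet_size, length):
    """Number of distinct passwords, N^L, as an exact integer."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """log2(N^L) = L * log2(N): the exponent view Towlie uses (32^20 -> 100 bits)."""
    return length * math.log2(alphabet_size)


def brute_force_minutes(alphabet_size, length, guesses_per_second):
    """Minutes to exhaust the whole keyspace at a constant guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 60


def extra_length_to_match(small, large, length):
    """Smallest k with small^(length+k) >= large^length, i.e. how much longer a
    password over the smaller set must be to beat the larger set at `length`."""
    k = 0
    while keyspace(small, length + k) < keyspace(large, length):
        k += 1
    return k


if __name__ == "__main__":
    print("64^16 / 32^16 =", keyspace(64, 16) // keyspace(32, 16))  # 65536
    print("32^20 / 64^16 =", keyspace(32, 20) // keyspace(64, 16))  # 16
    print("extra length for 32-set to beat 64^16:", extra_length_to_match(32, 64, 16))
    full = len(LOWER + UPPER + DIGITS + SYMBOLS)   # 95
    letters = len(LOWER + UPPER)                   # 52
    for n, l in ((full, 5), (letters, 6)):
        print(f"{n}-char set, length {l}: {entropy_bits(n, l):.1f} bits, "
              f"{brute_force_minutes(n, l, 2_000_000):.0f} min at 2M guesses/s")
```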
 
So using all the lower case characters of the alphabet (26) and the 10 digits in a 16 character password would give me this result?
No, that would give you 36 characters, but that's not really my point. My point is that you can feel free to include any characters that you find convenient and easy to type, but if you want to increase the security of your password, you'll get more benefit from simply making it longer than from including oddball, awkward characters that you're not used to typing.
 
