Relative Password Strength
by Daniel on Dec.01, 2008, under Security
We are always told to choose strong passwords: over eight characters, with lower and upper case letters, numbers and symbols. But really, what difference does it make?
Let's have a look at 4 different classes of passwords, each 8 characters long:
A) Lower case letters only
B) Mixed case letters
C) Mixed case letters and digits
D) Mixed case letters, digits and 32 symbols
The table below shows the number of possible combinations and the time to crack based on Elcomsoft's rates for MD5 password recovery on a dual core processor (4.7 million passwords/second).

| Class | Combinations | Time to Crack |
|---|---|---|
| A | 208,827,064,576 | 44 seconds |
| B | 53,459,728,531,456 | 3 hours |
| C | 218,340,105,584,896 | 12 hours |
| D | 6,095,689,385,410,820 | 15 days |
So you can see that a password that has only lower case letters can be cracked in less than a minute, while a password that covers the full spectrum of character types will take 15 days. That's a lot of extra effort to get into your account.

So what if you want to have a strong password, but you don't want to have to remember a string with upper case letters, numbers and symbols? Can you have a password, containing just lower case letters, that provides as much protection as a password that contains at least 1 character from each group? Absolutely, you just have to trade complexity for length. Have a look at this table to see how long passwords need to be to be at least as strong as an 8 character class D password.

| Class | Number of Characters |
|---|---|
| A | 12 |
| B | 10 |
| C | 9 |
| D | 8 |
So if you want a password of lowercase letters that provides the same level of protection as a more complicated password, you’ll need 12 characters.
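The length trade-off in the table above can be reproduced with exact integer arithmetic. This is an added example, not code from the original post; the function names are hypothetical, and mapping a password to the smallest of the post's four classes that covers all its characters is an assumption.

```python
import string

# Alphabet sizes for the post's four classes (26, 52, 62 and 94 characters).
CLASSES = {
    "A": string.ascii_lowercase,
    "B": string.ascii_letters,
    "C": string.ascii_letters + string.digits,
    "D": string.ascii_letters + string.digits + string.punctuation,  # 32 symbols
}


def keyspace(cls: str, length: int) -> int:
    """Exact number of candidate passwords of `length` drawn from class `cls`."""
    return len(CLASSES[cls]) ** length


def smallest_class(password: str) -> str:
    """Smallest of the post's classes whose alphabet covers every character."""
    for cls, alphabet in CLASSES.items():  # dicts keep insertion order: A..D
        if set(password) <= set(alphabet):
            return cls
    raise ValueError("password uses characters outside the 94-symbol alphabet")


def min_length_to_match(cls: str, target_cls: str = "D", target_len: int = 8) -> int:
    """Shortest length at which `cls` has at least the target's keyspace.

    Comparing integers avoids the rounding errors of ceil(log(...)).
    """
    target = keyspace(target_cls, target_len)
    length = 1
    while keyspace(cls, length) < target:
        length += 1
    return length


def at_least_as_strong(password: str, target_cls: str = "D", target_len: int = 8) -> bool:
    """True if exhausting the password's class and length costs >= the target."""
    cls = smallest_class(password)
    return keyspace(cls, len(password)) >= keyspace(target_cls, target_len)


if __name__ == "__main__":
    for cls in CLASSES:
        print(cls, f"{keyspace(cls, 8):,}", min_length_to_match(cls))
```

The comparison only measures exhaustive search over a random string; it says nothing about passwords built from dictionary words.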
Of course, a password that is based on dictionary words is still not going to keep the bad guys at bay for long; it still needs to be a fairly random string of letters. There are plenty of ways to come up with good passwords, but that's another article.
-Daniel
