A password’s “strength” comes from three elements of the password:
- The length of a password. We measure the length as the number of characters password. “password” is 8 characters long. A longer password is more difficult to discover through brute force methods. This is because there is a larger set of elements to test.
- The range of characters allowed in the password. A large set of possible characters makes brute force discovery of passwords more difficult. This is because there is a larger set of characters to test in for each possible password element.
- The cracking speed of a brute force generator. Attackers can use brute forcing tools that will try to grind through all possible passwords. This relates to the speed of the cracker, such as 1,000,000 tries per second.
There is a simple formula to discover the number of possible password passwords on a system. You only need to know the set of possible characters & the length of the password.
Let us assume the password length is 8 characters. Let us also assume that there are no restrictions on reusing characters within the password.
We will calculate the number of possible Permutations With Repetition.
Let’s refer to the password as an “array.” An array is a data structure that is a collection of elements. If a password is 8 characters long, we’re saying that the password is an array that can have 8 elements in it. Each element gets it’s own character. We can visualize a password array using the password “PASSWORD”
P | A | S | S | W | O | R | D |
P is the first element. A is the second element. S is the third element and so on.
Let us assume only upper case letters are allowed in the password. The possible range of characters for the first element is: [A,B,C, … X,Y,Z]. So this gives us a 26 possible values that could be included in the password.
Unfortunately, passwords often include lower case letters. We need to add the range of lowercase characters in set. If the password is only Upper and Lower case values, that means we have 26+26= 52 possible values.
p | a | s | s | w | o | r | d |
P | A | S | S | W | O | R | D |
Passwords often have include Numbers. Since each element only has one character, this means that the set of possible values are between 0 and 9. The total number of possible values is 10, so we must increase our potential set of possible values to 26+26+10= 62 possible values.
When looking at our 8 character password, we’ll just include the ordered list of numbers from 0 to 7 in our example. Note that it could be any order of numbers included.
p | a | s | s | w | o | r | d |
P | A | S | S | W | O | R | D |
0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
Finally, passwords often include special characters & punctuation. There are 33 characters & special punctuation marks on the standard US keyboard.
p | a | s | s | w | o | r | d |
P | A | S | S | W | O | R | D |
0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
! | @ | # | $ | % | ^ | & | * |
In our visualization, we included the 4 arbitrary password examples. PASSWORD and some 8 character passwords consisting of only numbers & letters. In all likelihood, none of these examples are going to be correct. It’s likely to be an ugly combination of something like “72%aoPs4”.
Our total possible values has become 26+26+10+33=95 possible values. This means in our 8 character password, each element could have one of 95 possible values.
We calculate the potential set of values as n^k, where n is the set of possible values and k is the length of the the password (also referred to as the number of elements) . This means there are 95^8 possible values, which translates to 6,634,204,312,890,625 possible passwords. So about 6.6 quadrillion passwords. This is a big number.
Let’s assume you could create one password per second. It would take you about 210 million years to exhaust the potential set of passwords. Luckily, computers can help us test far more than one password per second. But it still would take time to get through the entire set of passwords. Cracking a password by trying every possible combination will take a lot of time. Is there a better strategy?