Monday, November 1, 2010

Strong and weak passwords - What's the difference?

That's a very good question, and according to Andrew Dekraker it's not all in the numbers but in the numbers, letters and special characters! If you get mathematics like Andrew does, specifically exponentiation, then you'll understand this next segment about creating strong passwords.


Let's take a very simple 1-letter password and try to guess what it is. Sounds easy, right? Well, it is. There are 26 letters in the alphabet, and 52 if we allow uppercase letters in the password. It would probably take me 1 min 30 sec to try all combinations (because I'm a slow typist). A computer program, even the simplest, would take a few seconds to try all 52 possibilities.


Let's expand our password. Using only 4 lowercase letters (26 to the power of 4), we have 456,976 possible combinations. I'd be dirt before I manually deciphered a 4-character password, but a computer program can decipher a 4-character alphabetical password in 0.046 seconds. If you include uppercase letters that number increases, but not by much. So now let's add 1 Windows special character from your keyboard (!@#$%^&*()~`?><): the time to crack now increases to 1.36 MINUTES! That's still not very long, but a huge improvement over a 4-lowercase-letter password.


We all know that no one uses a 4-character password (at least not after reading this!), so let's look at a longer sequence that combines uppercase and lowercase letters with special characters, compared to a lowercase-only password of equal length. You can see in the chart below how a password using All Characters (a combination of letters [upper and lowercase], numbers and special characters) would be virtually impossible to crack with today's affordable technology. Given time, even these passwords will be hacked easily, but by then controlled access will have evolved as well.

[Chart: Weak & Strong Passwords]
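The exponentiation described above can be worked through in code. The following is an added example, not part of the original post: it assumes a rate of 10 million guesses per second (chosen because it matches the post's 0.046-second figure for 26 to the power of 4) and uses the special characters listed in the post; the function names are illustrative.

```python
import string

# Character classes. SPECIALS is the list quoted in the post.
SPECIALS = "!@#$%^&*()~`?><"
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": SPECIALS,
}

# Assumption: 10 million guesses per second. Real rates vary widely with
# hardware and with how the password is stored.
GUESSES_PER_SECOND = 10_000_000


def alphabet_size(password):
    """Size of the alphabet a brute-force search must cover for this password."""
    known = "".join(CLASSES.values())
    stray = sorted({c for c in password if c not in known})
    if stray:
        raise ValueError(f"characters outside the modelled classes: {stray}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def exhaust_seconds(alphabet, length, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate of exactly this length is tried."""
    return alphabet ** length / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.2f} {unit}"
    return f"{seconds:.3f} seconds"


def compare(length):
    """Lowercase-only versus all four classes at the same length."""
    full = sum(len(chars) for chars in CLASSES.values())
    return {"lowercase only": humanize(exhaust_seconds(26, length)),
            "all characters": humanize(exhaust_seconds(full, length))}


if __name__ == "__main__":
    for n in (4, 8, 12):
        print(n, compare(n))
```

These figures are an upper bound on effort for a pure brute-force search; a password built from dictionary words or common patterns falls much sooner than its length and character mix suggest.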

Special thanks to Andrew Dekraker, an IT Service Tech at www.promediacom.net (that's us!), for helping me to bring to light the differences between weak and strong passwords.
