Introduction to Password Strength

Between the vast number of services we log into and log out of every day, it’s often hard for us to remember that the strength of the passwords we use is a very important aspect of keeping passwords secure.

The strength of a password is typically determined by:

The mixture of different character types makes up what’s called the “keyspace”. The keyspace can be computed through the formula CN, C being the number of possible characters and N being the length of the password. To determine the keyspace of the “oh, so common” example, ‘password’, we would use the above formula CN. This example uses only lowercase letters which would bring the C in the formula to 26, i.e. the number of all possible lowercase letters [a-z]. The exponent N is simply the length of the password ‘password’ which in this case equals 8. For our example, the formula turns out to be 268 or roughly 208 billion.

So this means that for an attacker to perform a brute force attack, i.e. trying every single possibility in the keyspace, they would need to try roughly 208 billion possibilities. At first glance you may be thinking, “Oh, that sounds like a pretty secure number to me.” But in reality, it really isn’t.

There are many advanced programs and techniques that are used to speed up the password cracking process including: GPU based cracking, rainbow table assisted cracking, cloud based cracking, and statistical pattern assisted cracking. Using GPU base cracking, a single AMD Radeon HD 7970 can reach speeds of up to 8.2 billion passwords per second. [1] If an attacker were to use the brute force method he or she would crack our example “password” in just less than 26 seconds.

Following the above guideline for password strength is paramount to keeping your passwords secure against the multitude of password cracking attacks. The length aspect of the password strength guideline has been explained when using the CN formula. Increasing password length increases the exponent in the keyspace formula, thus increasing the keyspace. Avoiding dictionary words when creating a password is another factor in keeping passwords secure. Following this aspect deters the threat of a Dictionary Attack on your password. Using information about yourself in a password also makes the password insecure. Attackers may be able to glean information off of public mediums (Facebook, Google+, Twitter, etc.) or even possibly social engineer you into revealing some information they could potentially use to crack your password. There are specific password cracking programs that statistically analyze password dumps looking for common patterns. These programs then proceed to make use of these patterns when the cracking process begins, making the process much more efficient. Using a combination of different character types increases the keyspace of a password. The “password” example used only lower case letters makes the C in the CN formula 26. Using all of the character types brings this number up to 95. (26 from the lower case letters, 26 from the uppercase letters, 10 from the numbers and 33 from the special characters)

A few last notes about general password security before we end this discussion on password strength.

There is a seemingly age old argument of passwords vs. passphrases. That is, use a long, easier to remember passphrase compared to a more compact, but difficult to remember password. An example of a passphrase can be the name of your favorite book, “So Long, and Thanks for All the Fish” which would have a keyspace of 8536 or roughly around 2 duovigintillion (I swear it’s a real thing). Whereas, an example of a password could be ‘xYaQxrz8!’, which would have a keyspace of 959 or roughly 630 quadrillion. I’ll let you pick sides.

I stated earlier in this post that today we tend to need passwords for many services. One of the fastest ways to decrease your password security, regardless of a vast keyspace, is reusing passwords for different services. Unfortunately, if you reuse passwords and one of your services gets compromised, that service’s user/password database may get leaked. When this happens, you run the risk of someone using that password information to access your other services.

Thanks for taking the time to read, leave a comment below.

Works Cited Gibson, D. (2011). CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide. CreateSpace Independent Publishing Platform. Goodin, D. (2012, Aug 20). Why passwords have never been weaker and crackers have never been stronger. Retrieved from arstechnica:


Now read this

Hello World! Redux

This is my first post in quite some time. As you can see, the site looks a little bit different. I recently received an invitation to blog on Svbtle and thought since my site was aging that I’d give it a try. Hoping to post more... Continue →