|

The Math Behind a Good Password

This post is actually a preface to another one I’m in the middle of right now, on password managers. But I wanted to take a minute and explain why your workplace insists on bizarre passwords, and how you can capitalize on that in your personal life.

Why are there password requirements?

When you have to change passwords, it can be a real challenge coming up with one that is compliant with your organization’s password requirements that you can still remember.  If the company is enforcing standard password strength requirements, you need to have at least one capital letter, at least one lower-case letter, at least one digit, at least one “special character” (but some special characters are not allowed). For the love of all sanity, WHY?????

Here’s why:

Imagine a password that you could create using only one character, a lower-case letter. That password could be guessed in no more than 26 attempts, and likely fewer than that. Add the possibility that that one character could be upper-case and it would still take more more than 52 attempts to guess it. Add digits 0 through 9 to the possibilities and would still take only 62 guesses at most. Also allowing all 32 special characters gives you 94 possibilities of guessing that one character. That may sound like a lot, but it still only takes a few seconds per attempt.

This is why your password needs to be weird

So combining several characters together exponentially increases the effort needed to break that password. For example, if your password had to have two characters and only two characters, now there are 188 possible combinations, and that will take a human a lot longer to decode that password. Another character adds another 94 possibilities, for a total of 272. Now, a computer trying to figure this password out would take very little time using a “brute force” attack, which is just trying the possible combinations of characters in sequence, and the bulk of the time would be in waiting for the answering server to respond. However, most people make passwords they can remember, which means they have a word in them. Sophisticated software conducts “dictionary attacks” looking for words in the password, and getting cutesy with character substitution, like using t3ch13 for “techie” won’t fool a computer engaged in this kind of attack.

So for every character you add to your password, you increase the complexity of it and make it harder for an attacker to guess.  For more on how to create a strong, secure password that you can remember without writing it down, see my post on that here.  But stay tuned for how to use strong secure passwords that you don’t have to remember, and that you don’t have to create. Should be ready in just a few more days.

Similar Posts