Is the PC that is cracking your passcode by trying every permutation, hampered by a 3 attempts and you are out rule or a time out function ?
And why is a 4 digit number a suitable password for your credit card ?
My answers
@kalden
Good points which bring me to the other point which I was going to raise. What constitutes an adequate password is also determined by what it is that you are protecting. Any decent online system will permanently lock an account after a few attempts (although there's a good study somewhere on Microsoft's website which discusses why the three-strikes-and-out is somewhat arbitrary and should really be loosened to allow at least five in an attempt to lessen the support processes around unlocking a password (which in themselves often present a security risk)). For such a system, there is little point using a complex password - you just need something which no-one is going to guess in their first three attempts, although this assumes that no-one is looking over your shoulder as you type. That's why a four-digit number is deemed suitable for your credit card although it's partly a compromise between security and being easy to remember.
But password protecting a file say, which someone can then copy and attempt to crack the protection at their (possibly-infinite) leisure, is a whole different ballgame.
@DavidH
Sorry DavidH, but it's your maths that is wrong.
Assuming that you even know that my password is wholly lowercase, a 12-char password is 26^12 (NOT 26 times 12) which is in excess of 95 quadrillion possible combinations.
An 8-character password made up from, let's say, 96 possible characters (thus 26 upper, 26 lower, 10 digits and a heap of symbols) has a possible 7.2 quadrillion combinations (96^8). Hence an order of magnitude difference.
Your "strength" calculation derived by simply multiplying the number of possible characters in any position by the length is meaningless.
This is fairly standard advice...
... and is unfortunately very misleading if not downright inaccurate.
Yes, it's common practice to suggest, or even insist on, an eight-char password including digits, special symbols etc. All of which is much better than an eight-char password made up just of letters, especially if that's a dictionary word, but it is still an order of magnitude easier to break than a non-dictionary word of 12 lowercase characters.
What would you find easier to remember, some of the suggested passwords above or:
- allyouneedislove
- iamthewalrus
- iwanttoholdyourhand
- thelongandwindingroad
(replace with any other title or lyric from your favourite song)?
The above are all MUCH more secure than an eight-char password made up from any combination of upper & lower case plus digits plus symbols and - certainly in my case - hugely quicker to type and remember.
Just to be clear though, we're talking about security in terms of a brute-force, try every possible permutation. You're far more likely to suffer a security problem due to rogue software capturing keystrokes of whatever length or capture of passwords over the network (especially WiFi).
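The two arguments in the replies above (online lockout versus offline cracking, and alphabet^length versus the "meaningless" alphabet x length metric) can be checked with a small calculator. The following is an added example and not code from the thread; the 1e9 guesses-per-second offline rate, the policy names and the sample passwords are constructed assumptions, and the symbol class uses Python's 32-character `string.punctuation`, so a full mixed alphabet comes out at 94 here rather than the post's round 96 (which is passed explicitly where the post's figures are reproduced).

```python
import math
import string

# Character classes used to infer the alphabet a brute-force search would
# have to enumerate.  string.punctuation is 32 symbols, so the full mixed set
# here is 94; the post's round figure of 96 is supplied explicitly below.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password draws from."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet ** length


def naive_strength(alphabet: int, length: int) -> int:
    """The metric the reply calls meaningless: alphabet * length."""
    return alphabet * length


def entropy_bits(space: int) -> float:
    """Keyspace expressed in bits, the usual unit for comparing policies."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Offline case (copied file): the attacker tries candidates at full speed."""
    return space / guesses_per_second


def online_success_probability(space: int, attempts_allowed: int) -> float:
    """Online case with lockout: a fixed guess budget against a uniformly
    chosen secret, so the odds are simply budget / keyspace."""
    return min(1.0, attempts_allowed / space)


def rank_policies(policies: dict, guesses_per_second: float) -> list:
    """Rank (alphabet, length) policies by real keyspace, strongest first.
    Returns (name, bits, naive_metric, years_to_exhaust_offline) tuples."""
    rows = []
    for name, (alphabet, length) in policies.items():
        space = keyspace(alphabet, length)
        years = seconds_to_exhaust(space, guesses_per_second) / (365 * 24 * 3600)
        rows.append((name, round(entropy_bits(space), 1),
                     naive_strength(alphabet, length), years))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    OFFLINE_RATE = 1e9  # constructed assumption: guesses/s against a copied file
    policies = {  # constructed policy set reproducing the reply's figures
        "8 chars, 96-symbol alphabet": (96, 8),
        "12 lowercase letters": (26, 12),
        "4-digit PIN": (10, 4),
    }
    for name, bits, naive, years in rank_policies(policies, OFFLINE_RATE):
        print(f"{name:28s} {bits:5.1f} bits  naive={naive:4d}  "
              f"offline exhaust ~{years:.2g} years")
    for pw in ("iamthewalrus", "Abc123!x"):  # constructed samples
        a = alphabet_size(pw)
        print(f"{pw!r}: alphabet {a}, keyspace 2^{entropy_bits(keyspace(a, len(pw))):.1f}")
    # The credit-card case: 10^4 PINs behind a three-strikes lockout.
    print("PIN vs 3-strike lockout: p(success) =", online_success_probability(10**4, 3))
```

Running it shows the inversion the reply describes: the naive metric scores the 8-character mixed policy higher (768 vs 312), while the real keyspace puts 12 lowercase letters about 13 times larger, and the PIN is only acceptable because the lockout caps the guess budget rather than because 10^4 is a large space.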