Password Strength Requirements

While the main premise of the article linked below is correct, it understates a key part of password cracking methodology. There are two primary means of cracking passwords: using word lists, and brute force. There are also many hybrid combinations, which is an important focus of the article.

In brute force cracking, every element of a specific character set is used in every possible sequence until the password is found. If you use a simple alphabet with no case distinction, there is a 26-character set. By adding case sensitivity, the size of the set is doubled. Add in numbers and it grows larger. Add in special characters and the set grows larger still. As either the password length or the size of the character set grows, the brute force cracking time grows. If the cracker is using a character set optimized for results, it may not include all possible characters, like extended ASCII, making it possible for the cracking software to never find the password. Many password requirement checkers don’t allow such characters, so that technique is not always useful.

The best passwords are both long and use characters selected from a variety of sets, resulting in long cracking times for brute force attacks. As the dance between greater length and complexity on one side and smarter cracking algorithms with GPUs on the other continues, eventually we will turn to biometrics and other techniques (multi-factor), and the conventional password will slowly fade into obscurity.
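The brute force arithmetic described in the two paragraphs above can be worked through for a password policy review. This is an added example, not code from the original post; the sample character sets, the guess rate and all function names are assumptions made for illustration.

```python
import string

# Character sets an exhaustive search might be configured with (constructed for this example).
LOWER = set(string.ascii_lowercase)                  # 26
MIXED = LOWER | set(string.ascii_uppercase)          # 52, case sensitivity doubles the set
ALNUM = MIXED | set(string.digits)                   # 62
PRINTABLE = ALNUM | set(string.punctuation) | {" "}  # 95

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption for illustration, not a measured rate


def keyspace(charset_size, max_length):
    """Candidates an exhaustive search tries for lengths 1..max_length."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def covered_by(password, charset):
    """False if any character lies outside the set, so the search can never produce it."""
    return all(ch in charset for ch in password)


def worst_case_seconds(password, charset, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case exhaustive search time, or None if the set cannot produce the password."""
    if not covered_by(password, charset):
        return None
    return keyspace(len(charset), len(password)) / rate


def smallest_covering_set(password):
    """Smallest of the sample sets containing every character of the password, else None."""
    for name, cs in (("lower", LOWER), ("mixed", MIXED),
                     ("alnum", ALNUM), ("printable", PRINTABLE)):
        if covered_by(password, cs):
            return name, len(cs)
    return None


if __name__ == "__main__":
    # Constructed sample passwords; the last one contains an extended character.
    for pw in ("password", "Passw0rd", "passwordpassword", "p\u00e4ssword"):
        print(repr(pw), smallest_covering_set(pw), worst_case_seconds(pw, PRINTABLE))
```

These figures model exhaustive search only; word lists and hybrid attacks are not modeled, so a long password built from dictionary words falls far sooner than its keyspace suggests.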

You’ve Been Misled About What Makes a Good Password – [technologyreview.com]

“Password must include upper and lowercase letters, and at least one numeric character.” A common scold dished out by websites or software when you open an account or change a password—and one that new research suggests is misleading.

A study that tested state-of-the-art password-guessing techniques found that requiring numbers and uppercase characters in passwords doesn’t do much to make them stronger. Making a password longer or including symbols was much more effective.

SEE ALSO:
GPU Password Cracking
Password Cracking
