What Makes a Good Password?

Posted by: Rea Maor In: Security and Prevention - Thursday, February 8th, 2007

Just to save you the suspense, the best password is eight characters or more long, and uses all three of lower-case letters, upper-case letters, and numeric digits. “tyZcv4b1”, for instance. But to understand why, we have to dive into the world of cracking.

“Cracking” is the word that means what people now think “hacking” means: breaking into computers. A “hacker” originally meant “an extremely good programmer”, one who was looked up to by others as a wizard. Bad media reporting led to public confusion. “Cracking” is actually the crime of breaking computer security for nefarious purposes, and actually requires no special skill, just brute force. A cracker is no more a hacker than a car thief is a master mechanic.

Brute force sounds just like what you think it means: using a program to try every possible combination of characters until it hits the right password. This trivial example loops through every possible combination of six lower-case letters:

#include <stdio.h>

/* Enumerate every string of six lower-case ASCII letters ('a' = 97
   through 'z' = 122), one candidate per line: 26^6 = 308,915,776 lines. */
int main(void)
{
  int a, b, c, d, e, f;
  for (a = 'a'; a <= 'z'; a++)
    for (b = 'a'; b <= 'z'; b++)
      for (c = 'a'; c <= 'z'; c++)
        for (d = 'a'; d <= 'z'; d++)
          for (e = 'a'; e <= 'z'; e++)
            for (f = 'a'; f <= 'z'; f++)
              printf("%c%c%c%c%c%c\n", a, b, c, d, e, f);
  return 0;
}

This gives us 26 to the 6th power, which is only 308,915,776 possible combinations, so our example could be finished inside an hour. If we just add two more lower-case characters (26^8), that range grows to 208,827,064,576. Longer passwords drawn from a wider range of characters take far longer to exhaust, which is why a cracker will instead try to exploit the natural human tendency to choose the easiest password.

For passwords, birthdays (or any date), proper names, and recognizable words are right out. Password crackers know that an important date is the most common memory crutch, and it’s trivial to run through all 366 possible dates; that takes less than a second. Proper names and dictionary words are a bad idea too, since there is no need to even generate the list: the cracker simply takes a computer-readable dictionary file (the same file office software uses for spell-checking) and tries every entry.

Depending on how complete it is, a dictionary file takes anywhere from a few minutes to an hour to print out. This is still a much faster rate than our example, because the processor doesn’t have to generate the strings, just read them from a file.

To iterate through every possible combination of 26 lower-case letters, 26 upper-case letters, and 10 digits for an 8-character password… well, I’ll spare you the obscenely long string of digits… but it can take as long as 20 years! Yes, because that’s 62 to the 8th power, or more than 218 trillion.
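To make the arithmetic above concrete, here is an added example (my own, not code from the original post) that estimates the brute-force search space of a candidate password from its length and the character classes it uses, and the worst-case time to exhaust that space at an assumed guess rate. The rate of 100 million guesses per second is an assumption chosen for illustration; the symbol class size of 33 printable ASCII punctuation characters is also an assumption beyond the post's three classes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed attacker guess rate (not from the post); adjust to taste. */
#define GUESSES_PER_SEC 1.0e8

/* Size of the alphabet a brute-forcer must cover to reach this password:
   the post's three classes (26 lower, 26 upper, 10 digits) plus, as an
   added assumption, 33 printable ASCII punctuation characters. */
int password_charset_size(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c))      lower = 26;
        else if (isupper(c)) upper = 26;
        else if (isdigit(c)) digit = 10;
        else                 other = 33;
    }
    return lower + upper + digit + other;
}

/* Number of candidates of this length over this alphabet: charset^length.
   A double is used because 62^8 already exceeds 32 bits; every value up
   to 62^8 is still an exact integer in double precision. */
double password_keyspace(const char *pw)
{
    double n = 1.0;
    int charset = password_charset_size(pw);
    for (size_t i = 0, len = strlen(pw); i < len; i++)
        n *= charset;
    return n;
}

/* Worst-case seconds to enumerate the whole space at GUESSES_PER_SEC. */
double password_crack_seconds(const char *pw)
{
    return password_keyspace(pw) / GUESSES_PER_SEC;
}

int main(void)
{
    /* Constructed samples: the post's 26^6, 26^8 and 62^8 cases. */
    const char *samples[] = { "abcdef", "abcdefgh", "tyZcv4b1" };
    for (int i = 0; i < 3; i++)
        printf("%-10s charset=%2d keyspace=%.0f worst-case=%.1f s\n",
               samples[i], password_charset_size(samples[i]),
               password_keyspace(samples[i]), password_crack_seconds(samples[i]));
    return 0;
}
```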

So that’s why.


4 Responses to “What Makes a Good Password?”

  1. Thor Says:

    In regards to good passwords I've recently started using leetspeak (read: elite speak), change every letter that has a similarity to any numerical symbol to just that. Like Tom Sawyer becomes, T0m 54wy3r. Of course be careful to make your special rules like not changing every 3rd letter from latin to numeral or something.

  2. Rea Maor Says:

    That's where we discuss algorithms, which will be a whole other article.

  3. webjourneyman Says:

    Of course one should start with a good long password before scrambling it. Like a sentence from a poem/song/book/movie, a good 10-15 letters at least.

    Turn that into some version of leetspeak, with special rules, like only replace the “e”, “a” and “s” (3,4,5) or only doing it to every other word in the sentence or every third.

    Should be pretty tough to crack?

  4. Rea Maor Says:

    Naturally, the longer the password is the harder it is to crack it down – in the end it’s nearly impossible to be hack/crack proof, as picking out a strong password is only a small part of what we call “Security”, but most definitely it’s the first and most important step.
