Programming
Updated Mon, 30 May 2022 05:34:06 GMT

# Password symbols, length and 'strength'

Note: This doesn't explicitly relate to programming, but I was hoping this can be explained from a programmers point of view.

There are two things I simply don't understand about current 'password strength ratings'. This all pertains to brute force entry. (If these 'password strength ratings' relate to any other type of breach aside from using a common/popular password please let me know).

1) Why does it matter if I include numbers/symbols/uppercase letters as long as the password system allows for the possibility of using them?

For example lets just say:

a) The systems accepted characters are a-z, A-Z, 0-9, and their "shifted values" '!' to ')', so 72 possible symbols.

b) I use a password of length ten, so 72^10 possibilities.

c) My password is not in the top 10,000 most common/popular passwords used. So 72^10 - 10,000 possibilties remain.

Wouldn't an all lowercase password like 'sndkehtlyo' be identical strength as 'kJd\$56H3di' since they both share the same possibility of including the additional characters? Doesn't the brute force algorithm have to include those numbers/symbols/uppercase regardless of whether or not I use them? It seems like these rating systems believe a brute force attempt will try all 26^n lowercase passwords first, all 52^n passwords second, then all 62^n passwords, etc, etc.

2) Why does that even matter? I have yet to come across any password system that doesn't lock you out after some small fixed number of attempts (usually 5). How can brute force approaches even work these days?

I feel like I am missing something fundemental here.

## Solution

1) Cracking a password doesn't need to happen in one pass. A well implemented brute force crack may iterate first through small ranges of characters and then work its way into caps and numbers. Starting with the simplest ranges first (maybe just lowercase a-z) will find passwords of those unfortunate enough to have constructed a weak password. They may also start with dictionary attacks or Most-common-passwords-used attacks first as they take very little time.

2) Crackers aren't going to brute force right through some online service's login prompt. Anyone truly intent on getting access to an account would retrieve the hash of a user's password and crack it on their own machine, not over the internet. While there are practically infinite ways to hash a password there are some very common methods that can be identified by properties such as the hash's character length. You can read more about common hash algorithms in this Wikipedia article.

• +0 – Okay that makes a lot of sense. Now I'm curious, in order to be able to crack the password offline, they would need access to the hashing function right? Are these reverse engineered somehow or are they obtained/leaked from comprimised systems? — Jan 12, 2013 at 21:45
• +0 – @Pondwater Edited my answer to cover those questions :) — Jan 13, 2013 at 02:56

External links referenced by this document: