Password strength

When using computers you will often use passwords to protect files, or to log in to websites or programs. These passwords are like the key for a lock on a door; they prevent others from entering. Without the key you can't get in. If somebody else gets the key, you are not safe any more.

These days, computers are very fast, and hackers make use of this speed to find passwords, simply by trying millions of different passwords until they find the right one.

How can you create passwords that cannot easily be broken by a brute-force attack with a fast computer?

Long passwords

To protect against this type of attack, a good strategy is to use passwords that are long enough. The longer the password, the longer it will take to find it.

Many different characters

But the length of a password is not the only strategy to use. It is also useful to create a password that makes use of a wide range of characters. Passwords that consist of only lowercase characters are easier to break than passwords that combine upper and lower case characters. In a moment we will see why.

Apart from characters from the alphabet it is also allowed to use numbers in passwords and sometimes also other characters. By including numbers and other characters in addition to the lower and upper case letters you can create an even stronger password.

Let's compare some different scenarios of making passwords.

The table below shows the number of possible passwords in three different scenarios:

  • A = "only lower case passwords"
    (26 characters from a to z)
  • B = "lower case mixed with numbers"
    (26 characters from a to z, and 10 numbers from 0 to 9)
  • C = "lower case mixed with upper case and numbers"
    (26 characters from a to z, another 26 from A to Z, and 10 numbers from 0 to 9)

Password length  A: only lower case (abc…z)  B: lower case and numbers (abc…z + 0123…9)  C: lower case, upper case and numbers (abc…z + ABC…Z + 0123…9)
1  26  36  62
2  676  1,296  3,844
3  17,576  46,656  238,328
4  456,976  1,679,616  14,776,336
5  11,881,376  60,466,176  916,132,832
6  308,915,776  2,176,782,336  56,800,235,584
7  8,031,810,176  78,364,164,096  3,521,614,606,208
8  208,827,064,576  2,821,109,907,456  218,340,105,584,896
9  5,429,503,678,976  101,559,956,668,416  13,537,086,546,263,600
10  141,167,095,653,376  3,656,158,440,062,980  839,299,365,868,340,000
11  3,670,344,486,987,780  131,621,703,842,267,000  52,036,560,683,837,100,000
12  95,428,956,661,682,200  4,738,381,338,321,620,000  3,226,266,762,397,900,000,000
13  2,481,152,873,203,740,000  170,581,728,179,578,000,000  200,028,539,268,670,000,000,000
14  64,509,974,703,297,200,000  6,140,942,214,464,820,000,000  12,401,769,434,657,500,000,000,000
15  1,677,259,342,285,730,000,000  221,073,919,720,733,000,000,000  768,909,704,948,767,000,000,000,000

Compare the pink cells in the table
If a computer can break the code A15 in 1 second, then it will take 458,432 seconds to break the code in C15 (which is 5.3 days). This clearly shows the advantage of using combinations of lower case (abc), upper case (ABC) and numbers (0123). It is even better to also include other symbols (when allowed) such as # or @ in the password.

Compare the green cells in the table
Let's say a computer can try 1,000,000,000 passwords per second and we want to be sure that it cannot break our password in two weeks. Two weeks is 1,209,600 seconds, so this computer can test 1,209,600,000,000,000 passwords in the two weeks. The green marked fields show what password length is sufficient.
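
The two comparisons above can be recomputed with exact integers. The following Python code is an added example, not part of the original article; it uses the article's scenarios A, B and C, its assumed 1,000,000,000 guesses per second and its two-week window, and the function names are chosen here for illustration.

```python
# Added example: recomputes the table's keyspace sizes and both comparisons.
# Scenario names and the attacker speed come from the article; the function
# names are assumptions made for this example.

ALPHABETS = {"A": 26, "B": 26 + 10, "C": 26 + 26 + 10}

GUESSES_PER_SECOND = 1_000_000_000        # the article's assumed attacker speed
TWO_WEEKS_SECONDS = 14 * 24 * 60 * 60     # 1,209,600 seconds


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def min_length(alphabet_size, guesses_per_second, seconds):
    """Shortest length whose keyspace exceeds what the attacker can try."""
    budget = guesses_per_second * seconds
    length = 1
    while keyspace(alphabet_size, length) <= budget:
        length += 1
    return length


def slowdown(alphabet_from, alphabet_to, length):
    """How many times longer exhausting `alphabet_to` takes at equal length."""
    return keyspace(alphabet_to, length) / keyspace(alphabet_from, length)


if __name__ == "__main__":
    # "Green cells": first length per scenario that survives the two weeks.
    for name, size in ALPHABETS.items():
        n = min_length(size, GUESSES_PER_SECOND, TWO_WEEKS_SECONDS)
        print(f"{name}: {size} symbols -> length {n} "
              f"({keyspace(size, n):,} passwords)")
    # "Pink cells": if A15 takes 1 second, C15 takes this many seconds.
    ratio = slowdown(ALPHABETS["A"], ALPHABETS["C"], 15)
    print(f"C15 / A15 = {ratio:,.0f} seconds = {ratio / 86400:.1f} days")
```

The lengths it returns are 11 for scenario A, 10 for B and 9 for C, which is where the length of 9 in the conclusion comes from.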

Conclusion

Use combinations of lower case, upper case and numbers (and other symbols if allowed), and use a length of at least 9 to create sufficiently strong passwords.

Passwords you can remember

Random-looking passwords such as 19TqbFjotlD27 are difficult to remember. But if your grandfather was born in 1927 and you can remember a well-known, easy sentence like "The quick brown Fox jumps over the lazy Dog" (where nouns are written with a capital letter), the password suddenly becomes much easier to remember.

Try it for yourself. Just use a sentence you can easily remember (e.g. "I was born in the Year 1963", "My Hometown since 2002 is New York") and turn it into a password (IwbitY1963 or MHs2002iNY).
