Recently I had a shower thought about passwords, namely that any rules we apply limit the possible passwords the user can choose. Which also means that there are less passwords an attacker has to go through when brute-forcing a password.
For simplicity I chose 4 character groups:
- lowercase letters: 26
- uppercase letters: 26
- numerals: 10
- special characters: 34
The calculations assume that there has to be at least 1 character of each group in the password.
This is not exhaustive of course, but I have to start somewhere.
In total there are 96 allowed characters.
This means, for an 6 character long password, without any rules, there are
782.757.789.696, options. Almost 800 billion.
With the rules above applied, there are only
220.127.116.110, options. Just a bit more than 2 billion.
That's a 370x difference!
To put that in perspective, instead of 1 year, it will take an attacker less than 1 day to brute-force that password.
To be honest, I don't know. It sounds like much, but on the other hand, increasing the length by ~1.3 characters will negate the difference. So a password that's 1 character longer will almost do so, and one that's 2 characters longer will provide even better security.
What are your opinions on that topic? Please comment below 👇
Follow me on Twitter for more of my thoughts, articles, projects and work.