Update: 1.1.2019 – This article is still relevant today but a little dated. I wrote another blog post about how I feel PCI-DSS Requirement 8.2.3 is failing organizations and making them less secure.
Take this hypothetical scenario (Okay, it really wasn’t hypothetical at the time). You recommend to your client that minimum 8 character passwords should be enforced but they want a minimum of 6 character passwords and instead they will enforce password complexity (alphanumeric and special characters).
As auditors we like to have facts to back-up our recommendations. What better fact than simple math.
Password strength in relation to the number of guesses an attacker needs to brute force the password is represented by the number of characters available to choose from raised to the power of the length of the password.
N^x
N = number of characters available
x = length of the password.
Lets do some simple math for six character passwords vs eight character passwords. We will even have complex passwords for the six character password and simpler passwords requirements for the eight character password.
If an individual was required to have all 4 character strength requirements (uppercase and lowercase letters, numbers, and special characters) and had a six character password we can compute how many guesses you would need to crack the password.
Upper alpha = 26
Lower alpha = 26
Number = 10
Special Char = 32
Note: Special character support depends on the system. In this example we are going with what Windows supports for passwords ()`~!@#$%^&*-+=|\{}[]:;”‘<>,.?/ and space. Also of note is Windows supports 65,000 additional Unicode characters but we will keep it to symbols found on the keyboard. Other systems do not support as many special characters as Windows.
94^6 = 689,869,781,056 (690 billion guesses).
Now we take a password with only upper and lowercase password requirements but make it an eight character minimum requirement.
Upper alpha = 26
Lower alpha = 26
52^8 = 53,459,728,531,456 (53.5 trillion guesses).
As you can see the eight character password, with few character requirements, has 74 times more choices than a “complex” six character password.
How about some computational proof! I use Cain & Abel to show how long it would take to bruteforce the example above with an NTLM (local windows account) hash and a MS-Cache hash (domain windows account). Note: Brute force attempts also depend on the complexity of the encryption method used. You will see that the complexity for an MS-Cache password is greater than NTLM.
NTLM six character, alphanumeric and special characters (here).
NTLM eight character, alpha characters (here).
MS-Cache six character, alphanumeric and special characters (here).
MS-Cache eight character, alpha characters (here).
You can see from the computational results from Cain & Abel show that it takes about 80 times longer to brute force the less complex eight character password compared to the more complex six character password.
2 thoughts to “Password Length vs. Password Strength”