{"id":197,"date":"2009-10-21T12:45:52","date_gmt":"2009-10-21T18:45:52","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=197"},"modified":"2019-01-01T16:14:28","modified_gmt":"2019-01-01T22:14:28","slug":"password-length-vs-password-strength","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2009\/10\/password-length-vs-password-strength\/","title":{"rendered":"Password Length vs. Password Strength"},"content":{"rendered":"

Update: 1.1.2019 – This article is still relevant today but a little dated. I wrote another blog post about how I feel PCI-DSS Requirement 8.2.3 is failing organizations<\/a> and making them less secure.<\/p>\n

Take this hypothetical scenario (Okay, it really wasn\u2019t hypothetical at the time).\u00a0 You recommend to your client that minimum 8 character passwords should be enforced but they want a minimum of 6 character passwords and instead they will enforce password complexity (alphanumeric and special characters).<\/p>\n

As auditors we like to have facts to back-up our recommendations.\u00a0 What better fact than simple math.<\/p>\n

Password strength in relation to the number of guesses an attacker needs to brute force the password is represented by the number of characters available to choose from raised to the power of the length of the password.
\n
\nN^x<\/p>\n

N = number of characters available
\nx = length of the password.<\/p>\n

Lets do some simple math for six character passwords vs eight character passwords.\u00a0 We will even have complex passwords for the six character password and simpler passwords requirements for the eight character password.<\/p>\n

If an individual was required to have all 4 character strength requirements (uppercase and lowercase letters, numbers, and special characters) and had a six character password we can compute how many guesses you would need to crack the password.<\/p>\n

Upper alpha = 26
\nLower alpha = 26
\nNumber = 10
\nSpecial Char = 32<\/p>\n

Note:\u00a0 Special character support depends on the system.\u00a0 In this example we are going with what Windows supports for passwords ()`~!@#$%^&*-+=|\\{}[]:;”‘<>,.?\/ and space.\u00a0 Also of note is Windows supports 65,000 additional Unicode characters but we will keep it to symbols found on the keyboard.\u00a0 Other systems do not support as many special characters as Windows.<\/p>\n

94^6 = 689,869,781,056\u00a0 (690 billion guesses).<\/p>\n

Now we take a password with only upper and lowercase password requirements but make it an eight character minimum requirement.<\/p>\n

Upper alpha = 26
\nLower alpha = 26<\/p>\n

52^8 = 53,459,728,531,456 (53.5 trillion guesses).<\/p>\n

As you can see the eight character password, with few character requirements, has 74 times more choices than a \u201ccomplex\u201d six character password.<\/p>\n

How about some computational proof!\u00a0 I use Cain & Abel to show how long it would take to bruteforce the example above with an NTLM (local windows account) hash and a MS-Cache hash (domain windows account).\u00a0 Note:\u00a0 Brute force attempts also depend on the complexity of the encryption method used.\u00a0 You will see that the complexity for an MS-Cache password is greater than NTLM.<\/p>\n

NTLM six character, alphanumeric and special characters (here<\/a>).
\nNTLM eight character, alpha characters (here<\/a>).<\/p>\n

MS-Cache six character, alphanumeric and special characters (here<\/a>).
\nMS-Cache eight character, alpha characters (here<\/a>).<\/p>\n

You can see from the computational results from Cain & Abel show that it takes about 80 times longer to brute force the less complex eight character password compared to the more complex six character password.<\/p>\n","protected":false},"excerpt":{"rendered":"

Update: 1.1.2019 – This article is still relevant today but a little dated. I wrote another blog post about how I feel PCI-DSS Requirement 8.2.3 is failing organizations and making them less secure. Take this hypothetical scenario (Okay, it really wasn\u2019t hypothetical at the time).\u00a0 You recommend to your client that minimum 8 character passwords […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6],"tags":[79],"class_list":["post-197","post","type-post","status-publish","format-standard","hentry","category-fyi","tag-password"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=197"}],"version-history":[{"count":12,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/197\/revisions"}],"predecessor-version":[{"id":1213,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/197\/revisions\/1213"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}