
Password strength?

When it comes to passwords, I've usually used a 10 character random mix of uppercase, lowercase, special and numeric characters, and have never had any issues with these being accepted as adequate. (Before I get told off, I have a different password for each application I use!)

However, when recently setting up a new application, my 10 character password was described by the system as "weak". So I used a 19 character password (again, a random mix of characters) and this time it was described as "fair".

Given that there are 256 ASCII characters, the determined hacker has a 1 in 5.709 x 10^45 chance of striking it lucky with my 19 character password. (I say lucky - he'd be sadly disappointed at what he found after all that effort). So my question is, what lengths would one have to go to, in order to create a password that could be described as strong?
  • I have to disagree with your assessment of the odds against the hacker. While there may be 256 ASCII codes, many of these are unusable (such as ASCII 127 which is delete). The standard keyboard has about 48 character keys, which with the shift key expands this to 96. However this still leaves the hacker with 4.6 x 10^37 options, and that is assuming he knows the length of the password. I would further point out that by demanding a password MUST have (as opposed to may have) uppercase, lowercase, numeric and special characters (ULNS from now) you are actually reducing the number of possible permutations and so potentially making the password weaker.

    Most password checkers I have seen require 8 (or more) characters made up of three out of four of ULNS and categorise random collections of these as strong. I suspect the instance you are describing is one where the check for strength has a mistake in the algorithm. Are you able to say what the application was (though of course I would fully understand if you decline to say on a public forum)?
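The two calculations in this thread (the question's 256^19 figure and the reply's 96^19 figure), together with the reply's point that mandating all four character classes shrinks the keyspace, can be checked numerically. The script below is an added example written for this page, not code posted by either participant; it assumes a US keyboard alphabet of 26 + 26 + 10 + 32 = 94 printable characters (the reply's "96" is its own estimate) and uses inclusion-exclusion to count only the strings that contain at least one character from every class, which is what a "must have ULNS" rule actually admits.

```python
from math import log2

# Assumed character classes of a standard US keyboard (constructed for this example).
UPPER, LOWER, DIGITS, SPECIAL = 26, 26, 10, 32
CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` when every position
    may hold any of `alphabet_size` symbols (the thread's 256^19 and 96^19)."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Keyspace an attacker faces when the length is unknown (1..max_length)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def keyspace_all_classes(length: int, classes=CLASSES) -> int:
    """Number of strings of `length` over the union of `classes` that use
    EVERY class at least once, by inclusion-exclusion:
    total - (strings missing one class) + (missing two) - (missing three) ...
    This is the keyspace left by a rule that says a password MUST contain
    uppercase, lowercase, a digit and a special character."""
    total = 0
    for mask in range(1 << len(classes)):
        # Alphabet size once the classes selected by `mask` are excluded.
        remaining = sum(c for i, c in enumerate(classes) if not mask & (1 << i))
        excluded = bin(mask).count("1")
        total += (-1) ** excluded * remaining ** length
    return total


def entropy_bits(keyspace_size: int) -> float:
    """Strength expressed as bits: log2 of the number of equally likely choices."""
    return log2(keyspace_size)


def fraction_retained(length: int, classes=CLASSES) -> float:
    """Share of the unrestricted keyspace that survives a must-have-all-classes rule."""
    free = keyspace(sum(classes), length)
    return keyspace_all_classes(length, classes) / free


def summary(length: int) -> dict:
    """Collect the figures a reader would compare for a given password length."""
    free = keyspace(sum(CLASSES), length)
    forced = keyspace_all_classes(length)
    return {
        "length": length,
        "free_keyspace": free,
        "free_bits": round(entropy_bits(free), 1),
        "forced_keyspace": forced,
        "forced_bits": round(entropy_bits(forced), 1) if forced else 0.0,
        "fraction_retained": fraction_retained(length),
    }


if __name__ == "__main__":
    print(f"256^19 = {keyspace(256, 19):.3e}")   # the question's figure
    print(f"96^19  = {keyspace(96, 19):.3e}")    # the reply's figure
    for n in (8, 10, 19):
        s = summary(n)
        print(f"len {n:2d}: free {s['free_bits']} bits, "
              f"must-have-ULNS {s['forced_bits']} bits, "
              f"retained {s['fraction_retained']:.3%} of the keyspace")
```

The `fraction_retained` column makes the reply's argument concrete: at 8 characters a must-contain-all-four rule discards a noticeable slice of the 94^8 keyspace, while at 19 characters the discarded share is small, because almost every random 19-character string already contains all four classes. The loss in bits is modest either way, but it is a reduction, not a gain, which is the point being made.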
