This is a discussion on the good/bad passwords question within the Linux Security forums, part of the System Security and Security Related category.

How much more secure, mathematically, is a 6 digit password than a 4 digit, an 8 digit than a 4 digit, etc.? I mean, if a site says I can make up a password of 4-10 characters, I am wondering if going beyond the 4 chars to 5,6,7,8,9,10 makes the password more secure in a linear or exponential manner. I am finally learning to take passwords seriously, making stronger, more random, non-dictionary passwords. Just curious about the mathematical relationship between password length and strength.
Proteus wrote:
> How much more secure, mathematically, is a 6 digit password than a 4
> digit, an 8 digit than a 4 digit, etc.? I mean, if a site says I can make
> up a password of 4-10 characters, I am wondering if going beyond the 4
> chars to 5,6,7,8,9,10 makes the password more secure in a linear or
> exponential manner. I am finally learning to take passwords seriously,
> making stronger, more random, non-dictionary passwords. Just curious about
> the mathematical relationship between password length and strength.

Hello,

in this case, security is exponential because the number of combinations is given by:

(let's say there are 26 possibilities each time, because a, b, c ... x, y, z)

number of chars: 4 => 26 x 26 x 26 x 26 => 26^4
number of chars: 5 => 26 x 26 x 26 x 26 x 26 => 26^5
number of chars: 6 => 26 x 26 x 26 x 26 x 26 x 26 => 26^6
number of chars: 7 => 26 x 26 x 26 x 26 x 26 x 26 x 26 => 26^7
number of chars: 8 => 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 => 26^8
....

In this example, for each position there are 26 possibilities (but don't forget numbers, space, signs...), so if you decide to have one position more, the number of combinations is the same as before x 26

Bye
Gary
Proteus <proteus@uselessemail.net> writes:

> How much more secure, mathematically, is a 6 digit password than a 4

Security is not a mathematical question. The mathematical question is "How many passwords are there with 6 digits rather than 4?". However, it is very easy to make a 6 digit password far less secure than a 4 digit one. If by digit you mean the numbers 0-9, then 10^n is the number of numbers with n digits. If by digit you mean character, then it is something like 96^n, if you allow any (printable) character.

> digit, an 8 digit than a 4 digit, etc.? I mean, if a site says I can make
> up a password of 4-10 characters, I am wondering if going beyond the 4
> chars to 5,6,7,8,9,10 makes the password more secure in a linear or
> exponential manner. I am finally learning to take passwords seriously,

The number of possible passwords increases exponentially. However, unless you choose your password at random from all possibilities (almost no one ever does) that is largely irrelevant. What is relevant is the space from which you pick your actual password. If it is words in a dictionary, then there are about an equal number (not a very large number) of 4 and 6 character words.

> making stronger, more random, non-dictionary passwords. Just curious about
> the mathematical relationship between password length and strength.

Only a weak relationship between length and strength. Far stronger relationship between how the password is chosen and strength.
On Tue, 22 Nov 2005 13:42:57 +0100, Gary wrote:

> Proteus wrote:
>> How much more secure, mathematically, is a 6 digit password than a 4
>> digit, an 8 digit than a 4 digit, etc.? I mean, if a site says I can make
>> up a password of 4-10 characters, I am wondering if going beyond the 4
>> chars to 5,6,7,8,9,10 makes the password more secure in a linear or
>> exponential manner. I am finally learning to take passwords seriously,
>> making stronger, more random, non-dictionary passwords. Just curious about
>> the mathematical relationship between password length and strength.
>
> Hello,
>
> in this case, security is exponential because the number of combinations
> is given by:
>
> (let's say there are 26 possibilities each time, because a, b, c ... x, y, z)
>
> number of chars: 4 => 26 x 26 x 26 x 26 => 26^4
> number of chars: 5 => 26 x 26 x 26 x 26 x 26 => 26^5
> number of chars: 6 => 26 x 26 x 26 x 26 x 26 x 26 => 26^6
> number of chars: 7 => 26 x 26 x 26 x 26 x 26 x 26 x 26 => 26^7
> number of chars: 8 => 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 => 26^8
> ...
>
> In this example, for each position there are 26 possibilities (but don't
> forget numbers, space, signs...), so if you decide to have one position
> more, the number of combinations is the same as before x 26
>
> Bye
> Gary

(I know this might pertain more to security in general, but since I use Linux, this seems a somewhat appropriate forum, but I apologize if not)

Ok, thank you Gary and Unruh. So if I choose a password with somewhat RANDOM digits and letters, say 10 chars in length, that should be almost unbreakable? I do recall hearing on a podcast recently that even with WEP etc. if dictionary words are chosen the security becomes pretty poor, since dictionary attacks are the main mode of nefarious malware and crackers.

So I am choosing a sort of hybrid, like instead of a password like
EatChocolate
I might make that
3@+cH0c01@+3 (those are zeros not the letter O)

Now I also try to incorporate numbers into the original password (substituting 3 for e, 1 for L, zero for the letter O, etc), but I hope I am onto the right idea for making a strong password-- a combination of digits and characters including upper/lower combo. I am thinking it is better to have long, more random passwords like that above that I write down on cards and keep in an out of sight place in my house, rather than use simple dictionary based passwords that I do not need to write down.
On Tue, 22 Nov 2005 10:25:49 -0600, Proteus wrote:

...
> So if I choose a password with somewhat RANDOM digits and letters, say 10
> chars in length, that should be almost unbreakable? I do recall hearing
> on a podcast recently that even with WEP etc if dictionary words are
> chosen the security becomes pretty poor since dictionary attacks are the
> main mode of nefarious malware and crackers. So I am choosing a sort of
> hybrid, like instead of a password like
> EatChocolate
> I might make that
> 3@+cH0c01@+3 (those are zeros not the letter O)
....

I should add: would it probably be even better than the above to convert a long rememberable phrase to symbols and letters? e.g.

Eat chocolate at least five times a day for good health!
becomes => 3c@15x@d4gh
On 22 Nov 2005 in the Usenet newsgroup comp.os.linux.security, in article
<dlve8n$1tp$1@nntp.itservices.ubc.ca>, Unruh wrote:

> The number of possible passwords increases exponentially. However, unless
> you choose your password at random from all possibilities (almost no one
> ever does) that is largely irrelevant. What is relevant is the space from
> which you pick your actual password.

Agreed.

> If it is words in a dictionary, then there are about an equal number
> (not a very large number) of 4 and 6 character words.

I dunno - that really depends on the dictionary used. From the 'linuxwords' dictionary, I see

[compton ~]$ grep -c '^....$' /usr/share/dict/words
2236
[compton ~]$ grep -c '^......$' /usr/share/dict/words
6176
[compton ~]$ echo '6176/2236' | bc -l
2.76207513416815742397
[compton ~]$

If I use the 'Websters2' dictionary, I see

[compton ~]$ grep -c '^....$' /usr/share/dict/web2
5272
[compton ~]$ grep -c '^......$' /usr/share/dict/web2
17705
[compton ~]$ echo '17705/5272' | bc -l
3.35830804248861911987
[compton ~]$

> Only a weak relationship between length and strength.

That assumes the attacker knows that your password is N characters long (which they might be able to see while you type it in - and no, my password is not '*********'). Most dictionaries are arranged alphabetically rather than by number of characters, so without that clue, the attacker would still have to brute-force through all the words until they found the magic word, and that can be a huge search. On the other hand, if they know that the password is only one character, there's only (in theory) 127 possibilities (but I've yet to see anyone use ^C or ^U as a password).

> Far stronger relationship between how the password is chosen and strength.

Absolutely. Do a google search for the 'deloder' worm that tried just 50 (initially) to 87 (later in life) passwords to crack in to the windoze administrator accounts in mid-2003. Passwords like "1234", "abcd", or "pass" opened a HUGE number of boxes.

Old guy
On Tue, 22 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<pan.2005.11.22.16.43.58.836734@uselessemail.net>, Proteus wrote:

> On Tue, 22 Nov 2005 10:25:49 -0600, Proteus wrote:
>
>> So if I choose a password with somewhat RANDOM digits and letters, say
>> 10 chars in length, that should be almost unbreakable?

Nothing is perfect, but that's almost there.

>> So I am choosing a sort of hybrid, like instead of a password like
>> EatChocolate
>> I might make that
>> 3@+cH0c01@+3 (those are zeros not the letter O)

The problem then becomes "how do I remember this mess"? In that same article you added:

>> Now I also try to incorporate numbers into the original password
>> (substituting 3 for e, 1 for L, zero for the letter O, etc)

That's called 'l33t sp34k' and while it MAY help, it's not much.

> I should add would it probably be even better than the above, to convert a
> long rememberable phrase to symbols and letters? e.g.

DING, DING, DING, we have a winner here!

> Eat chocolate at least five times a day for good health!
> becomes => 3c@15x@d4gh

My dietitian would disagree with that - but that is a very good way to set up a password. You can make it harder by using the second character of each word in the phrase - but why quibble. What you are looking for (and found) is an easy way to remember a complex character string, and this is certainly a good example. Just remember to not make it too hard to type - you still have to do that too.

Old guy
ibuprofin@painkiller.example.tld (Moe Trin) writes:

> On 22 Nov 2005 in the Usenet newsgroup comp.os.linux.security, in article
> <dlve8n$1tp$1@nntp.itservices.ubc.ca>, Unruh wrote:
>> The number of possible passwords increases exponentially. However, unless
>> you choose your password at random from all possibilities (almost no one
>> ever does) that is largely irrelevant. What is relevant is the space from
>> which you pick your actual password.
> Agreed.
>> If it is words in a dictionary, then there are about an equal number
>> (not a very large number) of 4 and 6 character words.
> I dunno - that really depends on the dictionary used. From the
> 'linuxwords' dictionary, I see

A factor of 3 is "about equal", since the naive estimate would give a factor of 25^2 = 600 difference. I.e., increasing from 4 to 6 and picking from a dictionary makes almost no difference in the time required to break the password (and again, a factor of 3 is almost no difference).

> [compton ~]$ grep -c '^....$' /usr/share/dict/words
> 2236
> [compton ~]$ grep -c '^......$' /usr/share/dict/words
> 6176
> [compton ~]$ echo '6176/2236' | bc -l
> 2.76207513416815742397
> [compton ~]$
> If I use the 'Websters2' dictionary, I see
> [compton ~]$ grep -c '^....$' /usr/share/dict/web2
> 5272
> [compton ~]$ grep -c '^......$' /usr/share/dict/web2
> 17705
> [compton ~]$ echo '17705/5272' | bc -l
> 3.35830804248861911987
> [compton ~]$
>> Only a weak relationship between length and strength.
> That assumes the attacker knows that your password is N characters long
> (which they might be able to see while you type it in - and no, my
> password is not '*********'). Most dictionaries are arranged alphabetically
> rather than by number of characters, so without that clue, the attacker
> would still have to brute-force through all the words until they found the
> magic word and that can be a huge search. On the other hand, if they know

No, it is NOT a huge search. The total number of words of 6 or fewer letters is only about 2 times the number of words of length 6, say about 40000 words in my 300000 word dictionary. That is trivial to search through, not by hand of course but by computer.

> that the password is only one character, there's only (in theory) 127
> possibilities (but I've yet to see anyone use ^C or ^U as a password).
>> Far stronger relationship between how the password is chosen and strength.
> Absolutely. Do a google search for the 'deloder' worm that tried just 50
> (initially) to 87 (later in life) passwords to crack in to the windoze
> administrator accounts in mid-2003. Passwords like "1234", "abcd", or
> "pass" opened a HUGE number of boxes.
>
> Old guy
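A small calculation of the two candidate sets argued over above (the full key space of a random password versus the number of dictionary words of a given length), as an added example that is not part of the thread; it uses a constructed miniature word list in place of /usr/share/dict/words and an assumed guessing rate, both labelled in the code.

```python
import math

# Constructed miniature word list standing in for /usr/share/dict/words (the real file is not read).
WORDS = """
able acid bake bean cake dark easy fish gold hand
jump kick lamp milk nest open pink quiz rain salt
apple bread chair dance eagle
banana carrot dragon eleven forest garden hammer island jacket kettle
ladder magnet needle orange pencil rabbit saddle tunnel velvet window
""".split()

def keyspace(alphabet_size, length):
    """Distinct strings of the given length: the 26^4, 26^5, ... of Gary's table."""
    return alphabet_size ** length

def bits(candidates):
    """Entropy in bits of a uniform random pick among `candidates` possibilities."""
    return math.log2(candidates)

def words_by_length(words, length):
    """Same count as grep -c '^....$' /usr/share/dict/words for a given length."""
    return sum(1 for w in words if len(w) == length)

def words_up_to_length(words, max_len):
    """Every dictionary word an attacker must try when only 'short word' is known."""
    return sum(1 for w in words if len(w) <= max_len)

def keyspace_growth(alphabet_size, from_len, to_len):
    """Factor by which the full key space grows (26^2 = 676 for 4 -> 6 letters)."""
    return keyspace(alphabet_size, to_len) // keyspace(alphabet_size, from_len)

def dictionary_growth(words, from_len, to_len):
    """Factor by which the dictionary candidate set grows for the same length change."""
    return words_by_length(words, to_len) / words_by_length(words, from_len)

def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / guesses_per_second

if __name__ == "__main__":
    RATE = 1e9  # assumed offline guessing rate in guesses per second (constructed figure)
    for n in (4, 6, 8, 10):
        ks = keyspace(26, n)
        print(f"random {n:2d} lowercase letters: {ks:>18,d} candidates, "
              f"{bits(ks):5.1f} bits, {seconds_to_exhaust(ks, RATE):14.1f} s to exhaust")
    print(f"key space growth 4 -> 6 letters:  x{keyspace_growth(26, 4, 6)}")
    print(f"dictionary growth 4 -> 6 letters: x{dictionary_growth(WORDS, 4, 6):.2f}")
    short = words_up_to_length(WORDS, 6)
    print(f"dictionary words of <= 6 letters: {short} ({bits(short):.1f} bits)")
```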
On Thu, 24 Nov 2005 01:31:49 +0000, Unruh wrote:

...
> No it is NOT a huge search. The total number of words of 6 or fewer letters
> is only about 2 times the number of words of length 6. say about 40000
> words in my 300000 word dictionary. That is trivial to search through, not by hand of course but by
> computer.
..

Amazing, it now seems not strange at all that so many people have their systems hacked (cracked) into, given that lots of people likely just use dictionary words or combinations of dict words.
On Wed, 23 Nov 2005 13:54:30 -0600, Moe Trin wrote:

>
> The problem then becomes "how do I remember this mess"?
>

Just a suggestion - check out "apg". It's a program that generates pronounceable passwords made up of selections from the different character possibilities. It is configurable in many ways and uses input from the user to generate a random seed. The latter makes it pretty hard to generate the same list twice.

eg
Raj3 (Raj-Three)
Lib1 (Lib-ONE)
Byn0 (Byn-Zero)
....

You can combine 2 or more of these into a password that is pretty good and also easy to remember.

Raj3Lib1Byn0

Or separate the pronounceable components with punctuation characters for more complexity.

Raj1.Lib1,Byn0?