How much more secure, mathematically, is a 6 digit password than a 4
digit, an 8 digit than a 4 digit, etc.? I mean, if a site says I can make
up a password of 4-10 characters, I am wondering if going beyond the 4
chars to 5,6,7,8,9,10 makes the password more secure in a linear or
exponential manner.  I am finally learning to take passwords seriously,
making stronger, more random, non-dictionary passwords. Just curious about
the mathematical relationship between password length and strength.

Proteus wrote:

Hello,

in this case, security is exponential because the number of combinations
is given by:

(let's say every position has 26 possibilities because a,b,c...x,y,z)

number of chars : 4 => 26 x 26 x 26 x 26 => 26^4
number of chars : 5 => 26 x 26 x 26 x 26 x 26 => 26^5
number of chars : 6 => 26 x 26 x 26 x 26 x 26 x 26 => 26^6
number of chars : 7 => 26 x 26 x 26 x 26 x 26 x 26 x 26 => 26^7
number of chars : 8 => 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 => 26^8
...

In this example, for each position there are 26 possibilities (but don't
forget numbers, space, signs...), so if you decide to have one position
more, the number of combinations is the same as before x 26

Bye
Gary

On Tue, 22 Nov 2005 13:42:57 +0100, Gary wrote:

(I know this might pertain more to security in general, but since I use
Linux, this seems a somewhat appropriate forum, but I apologize if not)
Ok thank you Gary and Unruh.

So if I choose a password with somewhat RANDOM digits and letters, say 10
chars in length, that should be almost unbreakable?  I do recall hearing
on a podcast recently that even with WEP etc if dictionary words are
chosen the security becomes pretty poor since dictionary attacks are the
main mode of nefarious malware and crackers. So I am choosing a sort of
hybrid, like instead of a password like
EatChocolate
I might make that
3@+cH0c01@+3  (those are zeros not the letter O)
Now I also try to incorporate numbers into the original password
(substituting 3 for e, 1 for L, zero for the letter O, etc), but I hope I
am onto the right idea for making a strong password-- a combination of
digits and characters including upper/lower combo.

I am thinking it is better to have long, more random passwords like that
above that I write down on cards and keep in an out of sight place in my
house, rather than use simple dictionary based passwords that I do not
need to write down.

On Tue, 22 Nov 2005 10:25:49 -0600, Proteus wrote:

I should add: would it probably be even better than the above to convert a
long rememberable phrase to symbols and letters? e.g.
Eat chocolate at least five times a day for good health!
becomes => 3c@15x@d4gh

On Tue, 22 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article

Nothing is perfect, but that's almost there.

The problem then becomes "how do I remember this mess"?

In that same article you added:

That's called 'l33t sp34k' and while it MAY help, it's not much.

DING, DING, DING, we have a winner here!

My dietitian would disagree with that - but that is a very good way to
set up a password. You can make it harder by using the second character
of each word in the phrase - but why quibble.   What you are looking
for (and found) is an easy way to remember a complex character string,
and this is certainly a good example. Just remember to not make it to
hard to type - you still have to do that too.

Old guy

On Wed, 23 Nov 2005 13:54:30 -0600, Moe Trin wrote:

Just a suggestion - check out "apg".  It's a program that generates
pronounceable passwords made up of selections from the different character
possibilities.  It is configurable in many ways and uses input from the
user to generate a random seed.  The latter makes it pretty hard to
generate the same list twice.

eg

Raj3 (Raj-Three)
Lib1 (Lib-ONE)
Byn0 (Byn-Zero)
...

You can combine 2 or more of these into a password that is pretty good and
also easy to remember.

Raj3Lib1Byn0

Or separate the pronounceable components with punctuation characters for
more complexity.

Raj1.Lib1,Byn0?

On Thu, 24 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article

First hit at google for the words 'apg password generator' turns it up.
Doesn't look as if it's being actively developed (last release appears
to be September 2003), but I suspect that there isn't that much more
that can be developed.   If you are really hard-nosed about password
security, there might be a minor disadvantage of the regularity of the
construct of a pronounceable word (often, alternating consonant - vowel
pattern), but the whole idea here is that this type of tool significantly
increases the range of "usable" words.

which has always been a good method even with dictionary words

Even better - again, some password monitoring tools such as the module
included in PAM can be set to require mixed case, a digit or two, and
punctuation, in addition to a minimum length.

Old guy

Security is not a mathematical question. The mathematical question is "How
many passwords are there with 6 digits rather than 4?" However, it is very
easy to make a 6 digit password far less secure than a 4 digit one.

If by digit you mean the numbers 0-9, then 10^n is the number of numbers
with n digits. If by digit you mean character, then it is something like
96^n, if you allow any (printable) character.

The number of possible passwords increases exponentially. However, unless
you choose your password at random from all possibilities (almost no one
ever does) that is largely irrelevant. What is relevant is the space from
which you pick your actual password. If it is words in a dictionary, then
there are about an equal number (not a very large number) of 4 and 6
character words.

Only a weak relationship between length and strength.
Far stronger relationship between how the password is chosen and strength.

On 22 Nov 2005 in the Usenet newsgroup comp.os.linux.security, in article

Agreed.

I dunno - that really depends on the dictionary used. From the
'linuxwords' dictionary, I see

[compton ~]$ grep -c '^....$' /usr/share/dict/words
2236
[compton ~]$ grep -c '^......$' /usr/share/dict/words
6176
[compton ~]$ echo '6176/2236' | bc -l
2.76207513416815742397
[compton ~]$

If I use the 'Websters2' dictionary, I see

[compton ~]$ grep -c '^....$' /usr/share/dict/web2
5272
[compton ~]$ grep -c '^......$' /usr/share/dict/web2
17705
[compton ~]$ echo '17705/5272' | bc -l
3.35830804248861911987
[compton ~]$

That assumes the attacker knows that your password is N characters long
(which they might be able to see while you type it in - and no, my
password is not '*********').  Most dictionaries are arranged alphabetically
rather than by number of characters, so without that clue, the attacker
would still have to brute-force through all the words until they found the
magic word and that can be a huge search.  On the other hand, if they know
that the password is only one character, there's only (in theory) 127
possibilities (but I've yet to see anyone use ^C or ^U as a password).

Absolutely.  Do a google search for the 'deloder' worm that tried just 50
(initially) to 87 (later in life) passwords to crack in to the windoze
administrator accounts in mid-2003. Passwords like "1234", "abcd", or
"pass" opened a HUGE number of boxes.

Old guy

ibuprofin@painkiller.example.tld (Moe Trin) writes:

A factor of 3 is "about equal" since the naive estimate would give a factor
of 25^2= 600 difference. I.e., increasing from 4 to 6 and picking from a
dictionary makes almost no difference in the time required to break the
password. (And again, a factor of 3 is almost no difference.)

No, it is NOT a huge search. The total number of words of 6 or fewer letters
is only about 2 times the number of words of length 6, say about 40000
words in my 300000 word dictionary. That is trivial to search through, not by
hand of course, but by computer.
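The two models argued over in this thread (Gary's and Unruh's 26^n / 96^n keyspace versus Moe Trin's grep counts of words per length) side by side, as an added worked example that is not from any poster. The word list is a small constructed stand-in for /usr/share/dict/words; the grep-equivalent functions count it the same way the shell session above does.

```python
import math

# Constructed stand-in for /usr/share/dict/words (the real file has thousands
# of entries per length; only the shape of the comparison matters here).
SAMPLE_WORDS = ["cat", "dog", "pass", "abcd", "word", "linux", "secure",
                "random", "crack", "length", "strong", "digit", "worm"]


def keyspace(alphabet_size, length):
    """Passwords of exactly `length` symbols: Gary's 26^n, Unruh's 96^n."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size, max_length):
    """Lengths 1..max_length, the set a brute-forcer walks without a length hint."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(choices):
    """Bits of entropy for a uniformly random pick from `choices` candidates."""
    return math.log2(choices)


def words_of_length(words, n):
    """Equivalent of  grep -c '^....$' /usr/share/dict/words  with n dots."""
    return sum(1 for w in words if len(w) == n)


def words_up_to_length(words, n):
    """Unruh's point: all words of n or fewer letters is still a small pool."""
    return sum(1 for w in words if len(w) <= n)


def compare(alphabet_size, words, short, long):
    """Growth factor going from `short` to `long` characters:
    (random pick from the full alphabet, pick from the dictionary)."""
    random_factor = keyspace(alphabet_size, long) / keyspace(alphabet_size, short)
    dict_factor = words_of_length(words, long) / words_of_length(words, short)
    return random_factor, dict_factor


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate, e.g. the
    ~0.1 guesses/s an online login with a 10 second failure delay allows."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    print("26^4 =", keyspace(26, 4), "bits:", round(entropy_bits(keyspace(26, 4)), 2))
    print("4 -> 6 chars, random vs dictionary:", compare(26, SAMPLE_WORDS, 4, 6))
    print("all words <= 6 letters:", words_up_to_length(SAMPLE_WORDS, 6))
    print("96^8 online at 0.1/s, years:", seconds_to_exhaust(keyspace(96, 8), 0.1) / 31557600)
```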

On Thu, 24 Nov 2005 01:31:49 +0000, Unruh wrote:

Amazing, it now seems not strange at all that so many people have their
systems hacked (cracked) into, given that lots of people likely just use
dictionary words or combinations of dict words.

Thinking aloud: Such an attack can only work if the system is open

--
========================================================================

"Problems worthy of attack
prove their worth by hitting back"
Piet Hein
========================================================================

On 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article

Basically correct - but this also deals with situations where the
attacker has access to the keyboard.  In MOST cases, if the attacker
can reboot the system, all bets are off ("Physical Access beats five
aces _every_time_"), but many systems default to a configuration where
entering multiple bad passwords for a specific user in a set amount of
time (or some similar circumstance) results in the system delaying
response (maybe taking 10 seconds to return that "Login incorrect"
message). But I've seen anonymous FTP servers kick into a delay mode
when the user screws up entering the username and password.

Old guy

On Thu, 24 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article

Most of the distributions I've used in the past ten years had some form of
password Nazi, sometimes a special passwd application, sometimes just a
plugin to PAM, that restricted what a user could have as a password. Do a
'grep' for 'passwd' in the LSM file at a sunsite mirror, and you'd find a
number of them, such as

Begin3
Title:          npasswd_boulder+l-src
Version:        N/A
Entered-date:   May 1, 1995
Description:    A replacement passwd(8) program with reasonably strict
checking of user passwords for added security against
dictionary attacks. Source package. Only minor changes
from the original source were necessary for Linux.