William H.

asked • 03/17/18

Password security

Assume a password 2 characters in length. The bank of characters available consists of capital letters, lower case letters, 10 punctuation symbols, and 10 numbers: a total of 72 choices for each character. Absent rules, this produces 5128 possible passwords. The 2 characters are mutually independent. Neither influences nor is influenced by the other.

A rule-maker arrives who says "one of the characters must be a number", leaving 72 choices for one character and 10 choices for the other. There are now 720 possible passwords--one seventh the number possible before the rule.

Imposing rules like "at least one character must be a capital letter," or lower-case letter, or symbol, or number, or a combination devastates the number of possible passwords. Yet the rule-maker must surely think he is making the password stronger. What am I missing?

2 Answers By Expert Tutors

By:

David W. answered • 03/17/18

Tutor
4.7 (90)

Experienced Prof

See tutors like this
See tutors like this
First, 72*72 = 5184.  This is the number of possibilities, since "The 2 characters are mutually independent. Neither influences nor is influenced by the other."
 
Second, the Rule-maker would certainly require a minimum password length.  As an absurd example, if the Rule-maker said that a password must be one character and that a Capital Letter must be used, then, as you reason, this limits the number of possible passwords.  It does not result in a stronger password.
 
Third, a typical user selects actual words, abbreviations, or recognizable sequences as passwords.  They do not select totally random sequences of the character choices.  The password used most often is "Password."  Birthdates, anniversaries, and pet names are also common.  For example, a password-cracker program has determined that the password looks like:  "Comput??"  What do you suppose are the other characters?  Since they are not likely symbols or numbers or capital letters, such rules actually do make passwords stronger by requiring them. [note: "Comput3$" is actually stronger and is also memorable, since the 3 and $ are above the e and r.]
 
The Rule-maker has made passwords "stronger" by not allowing them to be super-simple.
 
Upvote 0 Downvote
More
Report

Allen T. answered • 03/17/18

Tutor
5.0 (458)

Berkeley and Stanford Grad Here to Help You Succeed

See tutors like this
See tutors like this
You are generally correct. However, the point of these rules is to increase the password possibilities of someone who isn't using all of the available characters. In your scenario, there are some people who may only be using passwords with lowercase letters. So the number of guesses needed is 26*26 = 676.
 
By requiring at least 1 capital letter, then the sample space grows to 52*52 (both upper and lower case letters are available) - 26*26 (can't both be upper case) = 2028 possible passwords.
 
A good password generator should easily meet these simple rules such as 1 capital letter and at least 1 number. If not, then a brute force attack using only lower case letters has an easier time guessing the password.
Upvote 0 Downvote
More
Report

Still looking for help? Get the right answer, fast.

Ask a question for free

Get a free answer to a quick problem.
Most questions answered within 4 hours.

OR

Find an Online Tutor Now

Choose an expert and meet online. No packages or subscriptions, pay only for the time you need.