why is a password that uses numbers and letters stronger than one with only letters? the attackers don’t know that you didn’t use numbers, so they must include numbers in their brute force either way.


12 Answers


Anonymous 0 Comments

If there are no rules on what is in a password many people may set their password to “password”. Now other than that being stupid, if I know there are no rules to make them use numbers, uppercase and special characters, the number of possibilities is much smaller. So in this scenario, the biggest possible combinations for an 8 character password is 26^8. If you throw in upper case, it becomes 52^8. Numbers take it to 62^8 and let’s say 8 special characters makes it 70^8. At 26^8 passwords to try, that is about 206 billion combinations. For 70^8 that goes to 576 trillion passwords that you’d have to try.

The important part is having strong rules in place that at least allow for all characters and to treat them as the upper / lowercase that they are. Don’t automatically convert the password to uppercase and use that because you just ruined the requirement for mixed case.

Anonymous 0 Comments

Attackers don’t need to know that. Any reasonable brute force attack will use multiple approaches, often in ascending order of complexity. For example:

Step 1: Only 4 digit numbers

Step 2: Only 6 digit numbers

Step 3: All numbers combinations that look like dates

Step 4: Only lower case letters

Step 17: All possible combinations of letters, numbers and symbols

EDIT: Since the question keeps popping up: why are attackers allowed unlimited tries, when the website or app or whatever usually locks you out after a certain number of attempts?

First of all, a short summary of how passwords are actually used:

When you create your account and enter a password, some fancy math is done on that password which results in a really big number. This big number is then stored in the database along with your username, like this:

AquaRegia: 54156138456156047798
SomeOtherGuy: 13259746130447797411

When you try to login, you enter your username and password. The same fancy math is used on the password you just entered, and the result is compared to the number that’s stored in the database. If it matches, you’re in!

Brute-forcing passwords is almost never done against the actual platform. Instead what happens is that the database of a website/app/etc. gets hacked, and someone manages to get a hold of this list of username + number pairs. Then without actually having to use the website/app/etc. they can just run the same fancy math on all possible passwords, and compare the results to the numbers from the database.

Anonymous 0 Comments

It’s a somewhat historical thing. In the past users had actual dictionary words as passwords; this was an attempt to change them a little so that attackers couldn’t easily guess them by using a dictionary. In practice almost everyone changed their password the same way (by appending a ! or a 1 or something similar) so the benefit is somewhat questionable.

In 2023 I would just enforce really long passwords (16+ characters) with no complexity rules.

Anonymous 0 Comments

It’s stronger because it forces them to start with a larger dataset to narrow down from.

That said, the easiest way to make a password stronger is length, not complexity.

This is a good explanation: https://xkcd.com/936/

(XKCD Password Strength; correcthorsebatterystaple)

Edit: for more details, try this… https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
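The keyspace arithmetic from the answers above (26^8 through 70^8, and the point that length beats complexity) carried through in code. This is an added example, not code from any answer on this page; the character classes, the eight-symbol special set chosen so the classes sum to 70, the assumed guess rate and all function names are my own assumptions. It also goes a step beyond the answers: policy_keyspace counts how much of the search space a published “must contain a digit” rule removes, and effective_keyspace shows what happens when a site uppercases passwords before storing them.

```python
import math
import string
from itertools import combinations

# Character classes as the answers above count them. The eight-symbol special
# set is a constructed sample chosen so the four classes sum to 70.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "special": frozenset("!@#$%^&*"),             # 8 (constructed)
}


def class_size(names):
    """Number of distinct characters across the named classes."""
    return sum(len(CLASSES[n]) for n in names)


def keyspace(length, names):
    """Number of strings of `length` drawn from the union of the named classes."""
    return class_size(names) ** length


def entropy_bits(space):
    """log2 of a keyspace: each extra bit doubles the brute-force work."""
    return math.log2(space)


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time for an attacker making `guesses_per_second` offline guesses."""
    return space / guesses_per_second


def policy_keyspace(length, allowed, required):
    """Strings of `length` over `allowed` classes that contain at least one
    character from every class in `required`, by inclusion-exclusion.
    This is the space an attacker searches once the site's password rules
    are public: a 'must contain a digit' rule removes the digit-free
    strings from the search instead of adding work."""
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = class_size(allowed) - class_size(excluded)
            total += (-1) ** k * remaining ** length
    return total


def classes_used(password):
    """Which classes actually appear in a password."""
    return {n for n, chars in CLASSES.items() if any(c in chars for c in password)}


def effective_keyspace(password, verifier_uppercases=False):
    """Keyspace of the classes the password really uses. If the verifier
    uppercases passwords before storing them, lower and upper collapse into
    one 26-character class, which is the point made above about not
    converting passwords to uppercase."""
    pw = password.upper() if verifier_uppercases else password
    return keyspace(len(pw), classes_used(pw))


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate: one billion guesses per second
    for names in (["lower"], ["lower", "upper"], ["lower", "upper", "digit"], list(CLASSES)):
        space = keyspace(8, names)
        print(f"8 chars from {class_size(names):>2} symbols: {space:>20,d} "
              f"({entropy_bits(space):.1f} bits, {seconds_to_exhaust(space, rate) / 86400:.2f} days)")
    # Length beats complexity: 16 lowercase letters vs 8 characters from all 70.
    print(f"16 lowercase: {entropy_bits(keyspace(16, ['lower'])):.1f} bits")
    print(f"8 from all classes: {entropy_bits(keyspace(8, list(CLASSES))):.1f} bits")
    # A published 'must include a digit' rule shrinks the attacker's search.
    print(f"8 chars, digit required: {policy_keyspace(8, list(CLASSES), ['digit']):,d}")
    print(f"Tr0ub4dor&3 as stored vs uppercased: "
          f"{effective_keyspace('Tr0ub4dor&3'):,d} vs {effective_keyspace('Tr0ub4dor&3', True):,d}")
```

The comparison worth noticing is the 16-lowercase line (about 75 bits) against the 8-from-everything line (about 49 bits): doubling the length adds far more work for an attacker than adding character classes does, which is the xkcd argument in numbers.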


Anonymous 0 Comments

The attackers know some people just use letters – so they decide to attack everyone just using letters. Now those who use numbers are safe from these guys, but the ones who just use letters are more likely to now be hacked.

By targeting those with simpler passwords, they won’t get everyone and that’s ok – but they will get enough. Don’t let it be you.

Anonymous 0 Comments

If I had a fridge full of fruit and I asked you to give me an orange, how long do you think it would take you?

3 seconds? 10 seconds? Maybe so long you just give up?

Brute force attacks are simply a matter of time, and oftentimes systems have defenses in place to simply lock down after so many attempts, requiring the system to be unlocked.

Password entropy is effectively the chance that at any given moment your password will be guessed.

In the event of the orange that’s effectively a one character password that’s only lowercase.

The length matters more than the characters, but the mixing of characters does reduce the chance your password will be selected because the available options are much much larger.

As an example if my fridge was full of oranges, you would be very quick to pick one for me.

However if the fridge was full of a variety of oranges and I wanted a blood orange; you now have to dig around and find one for me.

This is what numbers & special characters do, they make it more unique.

This doesn’t always mean a better password though; mostly because humans are predictable.

For instance, my fridge might be full of oranges but I sorted them; so the blood oranges are all in the same spot.

Websites will often advertise their password requirements so hackers will just not attempt passwords that don’t conform. In short the added complexity is now largely gone.

Hackers also don’t just guess entirely randomly; they have tables of passwords and password hashes that they use, they sort/filter/etc. them and run those against a target.

Brute forcing is often a last ditch effort sorta situation; oftentimes your password is just leaked and that’s how you are hacked, or a security vulnerability in a system allows them access to data.

Anonymous 0 Comments

People are mentioning brute force attacks but missing a crucial detail.

The website you make the password for has to store something so they can check the password. Usually it is “hashed” and/or “salted”, which are just silly words that mean some math is done on your password to make a big number that makes it extremely hard to guess what your password *was* based on the number. So when you put your password in, the site does that math on your attempt and checks if it gets the same number.

Attackers often steal entire databases of user information, which means they get the usernames AND the “hashed” passwords. That means they don’t yet have your password, because they have to find something that results in the same hash as your password.

But.

This has been happening for a long time. So patient people have spent the time trying EVERY 4-letter password and storing the hash that it produces. And EVERY 5-letter password. That takes a lot of space. Some 6-letter password variants take terabytes of storage and took years to generate. The problem is they exist.

So while it took years to make that 5-letter password set, now that it exists if you have a 5-letter password it takes less than a second for that person to find your hash in the data set and now they know your password. Oops.

So any time someone steals a database like that, they use those tables to try and get as many passwords out of it as possible.

The set of all passwords with just numbers is a lot smaller than all passwords with letters and numbers. And THAT is even smaller than the set of all passwords with capital letters, lowercase letters, and numbers. Not to mention for each character that gets added to the length, someone has to spend more time making the table AND it takes up more space for them to keep it.

At this point 5-character passwords are busted pretty much no matter what they contain. I think maybe 6-character passwords are too. Even 8-character passwords are pretty well-covered by easy-to-get tables. It’s only when you get to about 10 letters and up that we’re still pretty sure it’ll be maybe 10 years before tables appear. The scary thing is a few years ago we thought it’d be 50 years, and before that we thought it’d be 100 years. Computers just keep getting faster and people are doing that work even if it takes a long time.

So it’s not just about brute force. It’s about a mathematical game of cat and mouse where the more time passes, the more likely someone out there can break ANY password of a certain length in seconds. The more kinds of characters are in your password, the less likely they’ve already started work on a table for yours.
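The storage scheme from the “fancy math” answer earlier on this page (a number stored per user, the same math redone at login, offline matching against a leaked database) and this answer’s precomputed tables, shown side by side with the defence the word “salted” refers to. This is an added example, not code from any answer here; the usernames are the ones used above, while the candidate list, the choice of SHA-256 for the naive scheme and PBKDF2-HMAC-SHA256 for the salted one, the iteration count and the function names are my own assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords. A real precomputed table covers every
# string up to some length; this one is just enough to show the lookup.
CANDIDATES = ["password", "letmein", "orange", "qwerty", "abc123"]


def fast_hash(password):
    """Unsalted SHA-256 hex digest: the 'big number' a naive site stores.
    Deterministic, so equal passwords give equal numbers for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(candidates):
    """Precomputed hash -> password table, built once and reusable against
    any leaked database of unsalted hashes of the same kind."""
    return {fast_hash(p): p for p in candidates}


def lookup(table, stored_hash):
    """Match a leaked hash against the table (None if it is not covered)."""
    return table.get(stored_hash)


def make_record(password, iterations=100_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored in the clear next to the hash; it only has to be unique,
    so no table built in advance can match a hash it was not built for."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record, attempt):
    """Login check: redo the same math on the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def demo():
    """Two users who chose the same weak password, stored both ways."""
    naive_db = {"AquaRegia": fast_hash("orange"), "SomeOtherGuy": fast_hash("orange")}
    table = build_table(CANDIDATES)
    recovered = {user: lookup(table, h) for user, h in naive_db.items()}

    salted_db = {"AquaRegia": make_record("orange"), "SomeOtherGuy": make_record("orange")}
    # The same table finds nothing here: each stored hash depends on a salt
    # the table was never built with, and the two users' hashes differ.
    table_hits = {user: lookup(table, rec["hash"].hex()) for user, rec in salted_db.items()}

    return {
        "naive_hashes_equal": naive_db["AquaRegia"] == naive_db["SomeOtherGuy"],
        "recovered": recovered,
        "salted_hashes_equal": salted_db["AquaRegia"]["hash"] == salted_db["SomeOtherGuy"]["hash"],
        "table_hits": table_hits,
        "login_ok": verify(salted_db["AquaRegia"], "orange"),
        "login_wrong_case": verify(salted_db["AquaRegia"], "Orange"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not make a single guess harder; the slow KDF does that. What the salt buys is that the “years of work” behind a table cannot be spent once and reused across every leaked database, and that two users with the same password no longer reveal that fact by sharing a stored number.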
