Why is a password that uses numbers and letters stronger than one with only letters? The attackers don’t know that you didn’t use numbers, so they must include numbers in their brute force either way.


12 Answers

Anonymous 0 Comments

People are mentioning brute force attacks but missing a crucial detail.

The website you make the password for has to store something so they can check the password. Usually it is “hashed” and/or “salted”, which are just silly words that mean some math is done on your password to make a big number that makes it extremely hard to guess what your password *was* based on the number. So when you put your password in, the site does that math on your attempt and checks if it gets the same number.

Attackers often steal entire databases of user information, which means they get the usernames AND the “hashed” passwords. That means they don’t yet have your password, because they have to find something that results in the same hash as your password.

But.

This has been happening for a long time. So patient people have spent the time trying EVERY 4-letter password and storing the hash that produces. And EVERY 5-letter password. That takes a lot of space. Some 6-letter password variants take Terabytes of storage and took years to generate. The problem is they exist.

So while it took years to make that 5-letter password set, now that it exists if you have a 5-letter password it takes less than a second for that person to find your hash in the data set and now they know your password. Oops.

So any time someone steals a database like that, they use those tables to try and get as many passwords out of it as possible.

The set of all passwords with just numbers is a lot smaller than all passwords with letters and numbers. And THAT is even smaller than the set of all passwords with capital letters, lowercase letters, and numbers. Not to mention for each character that gets added to the length, someone has to spend more time making the table AND it takes up more space for them to keep it.

At this point 5-character passwords are busted pretty much no matter what they contain. I think maybe 6-character passwords are too. Even 8-character passwords are pretty well-covered by easy-to-get tables. It’s only when you get to about 10 letters and up that we’re still pretty sure it’ll be maybe 10 years before tables appear. The scary thing is a few years ago we thought it’d be 50 years, and before that we thought it’d be 100 years. Computers just keep getting faster and people are doing that work even if it takes a long time.

So it’s not just about brute force. It’s about a mathematical game of cat and mouse where the more time passes, the more likely someone out there can break ANY password of a certain length in seconds. The more kinds of characters are in your password, the less likely they’ve already started work on a table for yours.
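The keyspace arithmetic behind this answer, as an added example that is not part of the original answer: it counts the candidates for each character set and length, estimates the size of a naive one-row-per-password table, and builds a tiny table to show that a hash is only found when the password falls inside the set the table was built for, and that a salted hash is not found at all. Unsalted SHA-256, the function names and the sample passwords and salt are assumptions made for the demo.

```python
import hashlib
import itertools
import string

# Character sets the answer compares (10, 26, 36 and 62 symbols).
CHARSETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "lowercase+digits": string.ascii_lowercase + string.digits,
    "upper+lower+digits": string.ascii_letters + string.digits,
}

def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters."""
    return charset_size ** length

def table_bytes(charset_size: int, length: int, hash_len: int = 32) -> int:
    """Naive lookup table size: one (hash, password) row per candidate."""
    return keyspace(charset_size, length) * (hash_len + length)

def sha256_hex(password: str, salt: bytes = b"") -> str:
    """Stand-in for the site's hash (assumption: plain SHA-256)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(charset: str, length: int) -> dict:
    """Precompute hash -> password for every candidate (tiny keyspaces only)."""
    words = ("".join(p) for p in itertools.product(charset, repeat=length))
    return {sha256_hex(w): w for w in words}

def main() -> None:
    for name, cs in CHARSETS.items():
        for n in (5, 8, 10):
            print(f"{name:20} len={n:2} "
                  f"candidates={keyspace(len(cs), n):.2e} "
                  f"naive table={table_bytes(len(cs), n) / 1e12:.2e} TB")
    # Constructed demo: 3 lowercase letters is only 17,576 rows.
    table = build_table(string.ascii_lowercase, 3)
    salt = b"constructed-demo-salt"
    print(table.get(sha256_hex("cat")))        # inside the table's set
    print(table.get(sha256_hex("c4t")))        # digit is outside the set
    print(table.get(sha256_hex("cat", salt)))  # salted, so no matching row

if __name__ == "__main__":
    main()
```

Real precomputed tables use time-memory trade-offs and are smaller than this naive estimate, but they scale with the same candidate counts.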
