Why is a password that uses numbers and letters stronger than one with only letters? The attackers don’t know that you didn’t use numbers, so they must include numbers in their brute force either way.


12 Answers

Anonymous 0 Comments

This is actually not true and only a theoretical advantage that doesn’t exist in the real world.

The national IT guideline agencies have in recent years noticed it as well and decided that the new guidelines no longer require all the different types of character and only that the password is long.

To see why, we have to look at different ways passwords are attacked:

1. An attacker gets to know a password for some reason. The old guideline was that passwords need to be changed regularly to combat this. In reality the users are lazy and will simply increment a number at the end of a password. If the leaked password is Password!22 then any attacker would also try Password!23. So regular password changes offer no advantage. Even worse, if it is known that the passwords need to be changed, then the real strong part of the password might be shorter, as the number at the end is essentially worthless.
2. An attacker has access to a dumped password database. Here the security of the passwords mostly depends on how the passwords are stored. In the past many websites made the mistake of storing the passwords as plaintext. In that case the passwords are visible and the characters used in the password don’t matter. I skip the interim solutions (hashed or hashed and salted) and go to current best practice. Nowadays passwords are stored with one-way encryption methods that are designed to be slow for a computer to calculate, with the server owner deciding how slow the process is. Even bad passwords can be very secure. And in general brute force algorithms will start with short passwords and go longer and longer. So if the attacker expects some numbers or special characters, then a password with 9 lowercase letters would get tried later than an 8 character password made from all character types.
3. An attacker tries to brute force passwords via the current service they try to enter. Here the best defense against such an attack is limiting the rate at which the attacker can try passwords. If the attacker can only try 10 passwords per 30 minutes, then it is essentially inconsequential how strong the passwords are.

The only real measure of password strength that has been observed by the IT industry is length; everything else doesn’t seem to matter.

On a personal note you can experience it yourself with a mobile phone. Your goal is to create a strong password.

Try the following:

* A 16-character-long password of all lowercase letters. You will notice it is easy to type in, pretty much exactly 16 key presses.
* An 8-character-long password with lower and uppercase letters, numbers and special characters. Very likely you will switch between the different available keys on your screen a few times. How many keys did you need to press? 12, maybe 16, maybe even more if you decided to include really special characters. Quite the effort for a “short” password.

So in short, long passwords are secure. Numbers and special characters are not.
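The search-space arithmetic behind the answer above, as an added example that is not part of the original answer. It assumes (not stated on the page) that the attacker enumerates candidates length-first and uses constructed round guess rates purely to show orders of magnitude.

```python
"""Search-space arithmetic for the length-vs-character-class argument above.

Added example, not from the original answer. Assumptions (not on the page):
the attacker enumerates candidates length-first (every 1-char string, then
every 2-char string, ...), and the guess rates below are constructed round
numbers used only to show orders of magnitude.
"""
from math import log2

LOWER = 26                        # a-z only
ALL_CLASSES = 26 + 26 + 10 + 33   # lower, upper, digits, printable ASCII symbols = 95
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters over the charset."""
    return charset_size ** length

def guesses_before_length(charset_size: int, length: int) -> int:
    """Guesses a length-first search spends before its first `length`-char candidate."""
    return sum(charset_size ** n for n in range(1, length))

def worst_case_guesses(charset_size: int, length: int) -> int:
    """Guesses to exhaust every candidate up to and including `length` characters."""
    return guesses_before_length(charset_size, length) + keyspace(charset_size, length)

def entropy_bits(charset_size: int, length: int) -> float:
    """Strength of a uniformly random password over the charset, in bits."""
    return length * log2(charset_size)

def years_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Wall-clock years to try `guesses` candidates at a constant rate."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Claim from the answer: with length-first ordering, every 8-char candidate
    # (all classes) is tried before the first 9-char one.
    assert guesses_before_length(ALL_CLASSES, 9) == worst_case_guesses(ALL_CLASSES, 8)
    # Even if the attacker KNOWS the 16-char password is lowercase-only, its
    # keyspace dwarfs the 8-char all-classes one by about seven orders of magnitude.
    print(f"26^16 = {keyspace(LOWER, 16):.3e} ({entropy_bits(LOWER, 16):.1f} bits)")
    print(f"95^8  = {keyspace(ALL_CLASSES, 8):.3e} ({entropy_bits(ALL_CLASSES, 8):.1f} bits)")
    # Constructed rates: fast unsalted hash on a GPU rig, slow tunable hash,
    # and the online limit of 10 tries per 30 minutes quoted in the answer.
    for label, rate in (("fast hash", 1e11), ("slow hash", 1e4), ("online 10/30min", 10 / 1800)):
        print(f"{label:>16}: 16 lowercase {years_to_exhaust(keyspace(LOWER, 16), rate):.2e} yr, "
              f"8 all-classes {years_to_exhaust(worst_case_guesses(ALL_CLASSES, 8), rate):.2e} yr")
```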

Anonymous 0 Comments

Most people aren’t going to “true” brute force your email or Twitter password. It’s simply not worth it. A true brute force is reserved for long strings of alphanumeric bullshit.

However, they *can* brute force your account using a dictionary or rainbow attack. A dictionary attack uses common known passwords or password parts that it recombines. Every dictionary attack starts with something like this.

* password
* Password
* Password!
* Password1
* P@ssword
* P@ssW0rd!!

Forcing your password to include numbers and symbols (and also blocking common passwords) simply makes it harder to brute-force with a dictionary attack.