Why is a password with both numbers and letters stronger than one with only letters? Attackers will include numbers in their brute force attempts anyway, so how does it make a difference?


26 Answers

Anonymous 0 Comments

Let’s try this simplified.

I’m thinking of a letter. You can try once per second to guess the letter. On average, it’s going to take you 13 seconds to guess the letter.

Now, I’m thinking of a string of letters that’s 6 characters long. That’s 154,000,000 seconds, or about five years. Wildly impressive!

Except… I need to remember the string, and so I’m likely to pick a six-letter word. Well, that’s an average of about 25,000 options. You’d be likely to get the right word in about six hours if you decided to guess words.

So now you have to add a number. And that makes things interesting. It could be five digits and one letter, and the letter can be anywhere in the string. It could be a five-letter word with a number at the beginning, or the end, or the middle, or swapped for a letter. It could be a 3- or 4-letter word.

And so brute forcing can’t easily assume just real words. With 36 options per character slot, it would take you 31 years on average to guess correctly.
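The strategies this answer walks through, as an added example that is not part of the original answer: it names the narrowest guessing strategy that would reach a given password and sizes that strategy's search space, which is how a strength check would score the password. The one-guess-per-second rate and the 25,000-word figure come from the answer; the sample word list is constructed, and reusing 25,000 as the count of five-letter words is an assumption.

```python
from string import ascii_lowercase

GUESSES_PER_SECOND = 1   # the answer's rate
WORD_COUNT = 25_000      # the answer's six-letter word estimate; reused for
                         # five-letter words as an assumption
WORDS = {"planet", "garden", "silver", "plane", "tiger"}  # constructed sample

def classify(password, words=WORDS):
    """Name the narrowest guessing strategy that would reach `password`."""
    p = password.lower()
    if p in words:
        return "dictionary"
    for i, ch in enumerate(p):
        if not ch.isdigit():
            continue
        if p[:i] + p[i + 1:] in words:        # digit added to a shorter word
            return "word+digit"
        if any(p[:i] + c + p[i + 1:] in words for c in ascii_lowercase):
            return "word+digit"               # digit swapped in for a letter
    if p.isalpha():
        return "letters"
    return "alphanumeric" if p.isalnum() else "other"

def search_space(strategy, length, word_count=WORD_COUNT):
    """Number of candidates the strategy has to cover at this length."""
    if strategy == "dictionary":
        return word_count
    if strategy == "word+digit":
        # 10 digits x `length` positions, once for the "added" form and once
        # for the "swapped" form (an upper bound; the two forms can overlap)
        return 2 * word_count * 10 * length
    if strategy == "letters":
        return 26 ** length
    if strategy == "alphanumeric":
        return 36 ** length
    raise ValueError(f"no model for {strategy!r}")

def average_seconds(password):
    """Expected time to guess: half the space at GUESSES_PER_SECOND."""
    space = search_space(classify(password), len(password))
    return space / 2 / GUESSES_PER_SECOND

if __name__ == "__main__":
    for pw in ["planet", "plane7", "s1lver", "qzkvwp", "q7kv2p"]:
        days = average_seconds(pw) / 86400
        print(f"{pw}  {classify(pw):12}  {days:,.1f} days")
```

A digit attached to a dictionary word lands in the word+digit space, which is far smaller than the full 36-symbol space that random characters occupy.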
