Let’s do a quick example or two. For this we’ll assume all passwords are between 8 and 64 characters long.
Imagine the extremes:
– A password that can only have the capital letter “A” in it.
How many combinations does an attacker need to try? Easy to figure out.
8 characters long: AAAAAAAA
9 characters long: AAAAAAAAA
10 characters long: AAAAAAAAAA
and so on, until they reach the right password. If the right password is the one with 64 “A”s, then they’re trying (64 – 8 + 1 = 57) passwords. (The + 1 is because the 8-character-long password is not excluded from the group.)
It’s trivially easy to check 57 passwords as an attack.
– Let’s jump up to a password that can have either an “A” or a “B” in each spot.
Now how many combinations does an attacker need to try?
8 characters long: AAAAAAAA, or AAAAAAAB, or AAAAAABA, or AAAAAABB, or AAAAABAA, or AAAAABAB, or AAAAABBA, or AAAAABBB, or AAAABAAA, etc.
As we can see here, even just an 8 character long password has way more combinations of possibilities. This isn’t even taking into account 9 character long passwords, or 10 character long passwords, or all the rest of the lengths.
Simply adding one more possible character in each spot drastically increases the possible passwords that have to be checked.
– A password that is one character long, but can be one of infinite characters (pretend we have infinite different letters/numbers/emojis/whatever that can be used).
The password only has one character in it! But… there are infinite possibilities. On average, the number of characters that has to be checked to find the right one is… infinite. (Technically closer to infinity / 2, which, you guessed it, is still infinite.)
This also showcases that having more possible characters to choose from makes it drastically harder to guess the right password, no matter the length. Therefore, adding more choices of things that can make up a password makes it harder for an attacker to guess the password.
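The counting in the first two cases above, worked through in Python as an added example (not part of the original answer). It assumes the attacker tries candidates shortest-first and in alphabet order within each length, as in the lists above; the function names are made up for this illustration.

```python
def search_space(alphabet_size, min_len=8, max_len=64):
    """Total candidate passwords across every allowed length (8 to 64 here)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def guess_number(password, alphabet, min_len=8):
    """1-based position of `password` in the assumed guessing order:
    every shorter candidate first, then alphabet order within its length."""
    k = len(alphabet)
    if len(set(alphabet)) != k:
        raise ValueError("alphabet has duplicate characters")
    if len(password) < min_len:
        raise ValueError("password shorter than the minimum length")
    # All candidates of every shorter allowed length are tried first.
    earlier = sum(k ** n for n in range(min_len, len(password)))
    # Rank within its own length: read the password as a base-k number.
    rank = 0
    for ch in password:
        rank = rank * k + alphabet.index(ch)  # ValueError if ch is not allowed
    return earlier + rank + 1


if __name__ == "__main__":
    # "A" only: the 64-character password is the 57th and last guess.
    print(guess_number("A" * 64, "A"))
    # "A" or "B": AAAAAABB is the 4th guess, matching the list above.
    print(guess_number("AAAAAABB", "AB"))
    # Growth of the whole 8..64 search space as choices per spot increase.
    # The sizes 26, 62 and 95 are illustrative (letters, letters+digits,
    # printable ASCII) and do not come from the answer.
    for k in (1, 2, 26, 62, 95):
        print(f"{k:>2} choices per spot -> {search_space(k):.3e} candidates")
```
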