Log In / Register

Words Are Better Than Random Characters

A White Paper by Andrew Hughes

For years we've heard that a long password is a strong password. That we need to include upper and lower case letters, and numbers, and special characters. This paper will prove that doing that doesn't make your passwords as strong as you think. And that it is in fact better to use a string of random words for your password.

There are some basic presumptions made throughout this document, and some detailed information in the appendix which support those presumption.

First is the understanding of a brute-force attack, what it is, and how it's done.

Why it's better to use words for a password than use random characters

Why use random words for my keys (passwords)?

For years we've been told to use random characters for a password, including special characters, numbers and upper and lowercase letters. And while it's true that this will require a brute-force attack, the length of these passwords is significantly longer than the average person is able to memorise.

Using a few words, however, is easier to rememeber, and can also require a brute-force attack. So it's easier and safer to use a few random words than to use a very long random password.

Random Passwords

Using random passwords of sufficient length will require an attacker to use a brute-force approach to determine the password (there are circumstances where this is not true, TBD).

The question is, how long will it take to "break" passwords of different lengths?

The English language has 26 alphabetical characters (the numbers change for other languages, but the concept is the same). If we include upper and lower case, we have 52 possible letters. There are 10 numbers, that takes us up to 62 possible characters. And if we include a few special characters, like plus (+), minus (-), underscore (_), exclamation point (!), star (*), caret (^), bar (|) and tile (~), we end up with 70 characters. (some special characters are not allowed on some sites, but the real reason I've listed these is that it's a round number, 70)

If the password is one character long, then there are 70 possible passwords. If the password is 2 characters long, then there are 70 possible characters in position 1 and 70 in position 2. That means there are 70 * 70 possible passwords of length 2. Similarly, there are 70 * 70 * 70 possible passwords of length 3.

For a password of length 8, there are 70^8 possible passwords (70 times itself 8 times). Which is 576,480,100,000,000 possible passwords. Computers today can process things very fast, up to 1x10^12 times per second. That means that it would take about 576.5 seconds to test all of the possible combinations of an 8-character password, less than 10 minutes.

By making the password longer, we increase the time required to break it. A 10 character password for example, takes 33 days, and 12 characters require 438 years, and 14 characters requires 2 million years.

Unfortunately, computers are getting faster every day, the fastest know today can do 93 petaflops (93 with 15 zeroes after it). And hackers often network computers together when making a concerted attack. If a hacker had 10 computers doing 93 petaflops, that would be 10 * 93 * 10^15, or 93x10^16. Let's round that up to 100x10^16 which is 10^18.

Now, instead of a 14 character password requiring 2 million years, the computers only need 2 years, a million times faster. A 10 character password would take only 2.8 seconds to crack.

Random words as passwords

The logic here is the same as with random passwords, except that we use words instead of characters.

There are 171,476 words in current use in the English Language dictionary, so a hacker would have to try all of those words in order to crack a password made up of just one random word from the dictionary.

Using just four words would take 14 minutes to crack with 10 computers doing 93 petaflops. And six words would take 792,811 years. Eight words would require 23x10^15 years.

Of course, we don't all know 171,476 words, apparently with about 3000 words you can understand 90% of conversations. Six words out of these 3000 would take just 12 minutes, so we don't recommend using just common words, you need to use a random word generator that is taking from the full 171 thousand words.

But we can take it one step further, in addition to using random words, you can use words, phrases, numbers, dates and other things that have some association for you (to make them easy to remember) but are unlikely to be connected with you by anyone who knows you or searches for information about you online.

For example, the name of your first crush, the date of your first kiss, the car plate number of your grand-dad's car when you were young, or maybe a place you used to visit with your nan. These are normally not found in the dictionary, and they're not usually the kinds of things you discuss with people, so they increase the complexity of any password cracking algorithm yet again.

The purpose of this is to force the attacker into using a brute-force attack. And now we're back to the number of characters in the password. And since you've used a few random words the length of the password is unknown to the hacker, so they have to try 1 character, 2, 3, 4, etc. all the way up the length of your password.

Having selected two to four words (dates, numbers, places, people, or random words), for each of your keys, they will range in length from 10 to 20 characters, each.

And knowing one key won't help in anyway, they must know both, then we're talking 20 to 40 characters (or more) that have to be brute-forced. And since you might have included dates or numbers and names, you might have upper and lower case and special characters, so they end up going back to 70 possible characters per position.

A password of 20 characters would take 2.5x10^11 years, and 40 characters would take 2x10^48 years.

So you can see that remembering four to eight "seemingly" random words is a far easier way making it almost impossible for a hacker to break your password.

Ideally five or six words that aren't associated with you Ideally you want five or six (5 or 6) words that are not connected with you, and that are not found in a regular list, like a dictionary or list of names. And if you mix in some n

We could say "as long as you can make them". But that doesn't help.

There are two types of "passwords" that are difficult to hack.

What kinds of words are easy to remember but impossible to guess?

The point is to find something that you can remember easily enough, but that someone else would not be able to find out about you, even if they knew you very well. So do not use your anniversary, even from a previous marriage (like you'd want to be reminded of that every time you log in).

The reason they need to be random, and varied, is that hackers use databases to attack passwords now, a database of names, a database of places, etc. But if you have mixed up the words so that they are random, databases will not work because they need to know all the words in the list, and if some of the words are numbers (like dates or a phone number or a license plate), the database method falls short.

Let's assume you have selected a list that is something like "Marilyn Roscamond, QS07 WDE, 2136764532, Maggie Mae Marvin, 12/12/1978". Now just split them into two parts, so that part one becomes "Marilyn Roscamond, QS07 WDE" and part two becomes "2136764532, Maggie Mae Marvin, 12/12/1978". And you have your two encryption keys. You do not need to use spaces or commas or slashes if you do not want to, and you can insert other special characters if you wish, maybe after the 1st character of each word. that is up to you. The point is that if you have selected some seemingly random words or phrases, its near impossible for a hacker to guess the words, so they are forced to use a brute-force attack.

Instead of using a set number of characters, think in terms of words. Ideally you want to have two or three unrelated words for each key.

Stay away from words like "the" or "and" but instead use real words that have no real meaning to you like "elephant" or "hoover" or "porcupine", five to ten letter words that you will easily remember, but that aren't associated with you.

Another idea is to use something that is very memorable to you, but that no-one else would know. Like the name of your first crush.

But the point is to have at least two words for each key, three is better, four might be overkill.

Two keys made up of two or three words will be sufficient to prevent even the most ardent attacks.

How do I change my keys (passwords)?

How do I recover my keys (passwords)?
Brute-Force attacks

A brute-force attack is one where the attacker is forced to test every possible combination of characters for each position in the password. For example, in a two character password, they might first check to see if "AA" works, and then "AB", and then "AC", etc. until they'd tested every possible character in the second position, and then they would test "BA", "BB", "BC", and on until they'd tested every possible character in each of the two positions.

In the case of the standard English alphabet, there are 26 lower case letters, and 26 upper case letters, plus 10 numbers, and several "special" characters, like star (*), ampersand (&), bar (|), explanation point (!), and others. Some of these special characters are not allowed on some sites, due to conflicts with programming languages. But if we take the upper and lower case letters, and the numbers, and say eight special characters, we end up with 70 possible characters in each position of the password. (26 + 26 + 10 + 8 = 70) You'll see why, in a few paragraphys, it doesn't matter much whether you have 60, 70, or 80 possible characters, so we'll just use 70 for now)

If there are 2 characters in the password, there are 70 possible combinations for the first position, and 70 for the second position, there are 4900 possible combinations (70 in the first position times 70 in the second position). If there are three positions, then this is multiplied by 70 again, and for four we multiply by 70 again. In fact the number of possible combinations is 70 to the power of the number of positions, or 70^p where p is the number of positions.

For a password of eight positions, for example, there are 70^8 possible combinations, which is 576,480,100,000,000 combinations. In order to make the maths a little easier we will convert that to a number times a power of 10, in this case we can use 576.5 x 10^12, or even 5.8x10^14.

The fastest computer known does 93 petaflops, which is 93x10^15 floating operations per second. Even though the entire decryption algorighm can not be done within one floating operation, we can use this number as the upper limit (today) of the number of tests that can be run against the password in a single second.

But in order to ensure that our numbers are good for a long time, let's assume that we round that up to 100 petaflops (100 x10^15 is 1x10^17), and then assume that the hacker can use 10 of these machines at a time (now we're at 1x10^18 tests per second). So how many floating operations would it take to test a password? that depends on the encryption algorithm. My home laptop does 83,200,000,000 8.32x10^10 flops per second. The algorithm we're running now decyphers about 1700 times per second for an invalid key, 265 times per second for the correct key. That means it takes 4.89x10^7 flops to test a password using our current algorithm. A super-computer that can do 93x10^15 flops therefore can do 1.9x10^9 tests per second.

Our 5.8x10^14 combinations (for eight positions) suddently doesn't seem that big, as it's less than one second for our "super-computer" to process all of those combinations.

If you use a name, a full name, with (in Enlish) a given, middle and surname, 1000 x 1000 x 45000, which is 4.5x10^10

A date, within a reasonable time frame in your life, of say a 5 year span (if you identify the date, there's a chance a person can determine a range), there are 1825 dates in a 5-year range.

A Car Plate, they're usually between 5 and 9 characters, although in some countries 7 or 8 is more common. Some don't include one and ell or zero and oh, but only one of each that can look like the other, and they don't use lower case, so there's 24 letters and 10 numbers, or 34 per position. 7^34 is 5.25x10^10 and 8^34 is 1.79x10^12.

So a name plus a date plus a car plate would be 4.5x10^10 times 1825 times 5.25x10^10, which is 4.5 times 1.8 times 5.25 times 10^10 times 10^3 times 10^10, or 4.525x10^24.

If the second key is also a name, date and plate, there are now 4.525x10^24 times 4.525x10^24 or 2x10^49 combinations -- and that's if the sequence is known.

We can divide by 10^18 to get 2x10^31 seconds, then divide by 3600 for hours, then by 24 for days, then by 365 for years, to get about 5x10^23 years, or we could look up the closest number on the chart below, and see that it's more than 4.1x10^21 Years and less than 7.0x10^26 Years. Clearly sufficient for our needs. And that's without capitalising or using special characters.

Let's try another, say we have a name for the first key and two random words for the second key. 4.5x10^10 times 3000 times 3000 is 4x10^17, which is between 0.2 Seconds and 0.6 Seconds, so not good enough. Let's add a plate number. 4x10^17 times 5.25x10^10 is 2x10^28 which is between 208.0 Years and 1136.2 Years, so I'd be happy with that.

This table shows the number of positions, the number of combinations, and the time required to crack the password, with 70 different characters and a super-computer capable of 1x10^18 tests per second.

Positions Combinations (60) Time Combinations (70) Time
1 60 5.4x10^-7 Seconds 70.0 6.3x10^-7 Seconds
2 3600 3.2x10^-5 Seconds 4900.0 4.4x10^-5 Seconds
3 2.2x10^5 1.9x10^-3 Seconds 3.4x10^5 3.1x10^-3 Seconds
4 1.3x10^7 0.1 Seconds 2.4x10^7 0.2 Seconds
5 7.8x10^8 6.9 Seconds 1.7x10^9 15.0 Seconds
6 4.7x10^10 6.9 Minutes 1.2x10^11 17.5 Minutes
7 2.8x10^12 6.9 Hours 8.2x10^12 20.4 Hours
8 1.7x10^14 17.4 Days 5.8x10^14 2.0 Months
9 1.0x10^16 2.9 Years 4.0x10^16 11.4 Years
10 6.0x10^17 171.2 Years 2.8x10^18 799.8 Years
11 3.6x10^19 10271.6 Years 2.0x10^20 55982.7 Years
12 2.2x10^21 6.2x10^5 Years 1.4x10^22 3.9x10^6 Years
13 1.3x10^23 3.7x10^7 Years 9.7x10^23 2.7x10^8 Years
14 7.8x10^24 2.2x10^9 Years 6.8x10^25 1.9x10^10 Years
15 4.7x10^26 1.3x10^11 Years 4.7x10^27 1.3x10^12 Years
16 2.8x10^28 8.0x10^12 Years 3.3x10^29 9.4x10^13 Years
17 1.7x10^30 4.8x10^14 Years 2.3x10^31 6.6x10^15 Years
18 1.0x10^32 2.9x10^16 Years 1.6x10^33 4.6x10^17 Years
19 6.1x10^33 1.7x10^18 Years 1.1x10^35 3.2x10^19 Years
20 3.7x10^35 1.0x10^20 Years 8.0x10^36 2.3x10^21 Years
21 2.2x10^37 6.2x10^21 Years 5.6x10^38 1.6x10^23 Years
22 1.3x10^39 3.7x10^23 Years 3.9x10^40 1.1x10^25 Years
23 7.9x10^40 2.2x10^25 Years 2.7x10^42 7.7x10^26 Years
24 4.7x10^42 1.3x10^27 Years 1.9x10^44 5.4x10^28 Years
25 2.8x10^44 8.0x10^28 Years 1.3x10^46 3.8x10^30 Years
26 1.7x10^46 4.8x10^30 Years 9.4x10^47 2.7x10^32 Years
27 1.0x10^48 2.9x10^32 Years 6.6x10^49 1.9x10^34 Years
28 6.1x10^49 1.7x10^34 Years 4.6x10^51 1.3x10^36 Years
29 3.7x10^51 1.0x10^36 Years 3.2x10^53 9.1x10^37 Years
30 2.2x10^53 6.3x10^37 Years 2.3x10^55 6.4x10^39 Years
31 1.3x10^55 3.8x10^39 Years 1.6x10^57 4.5x10^41 Years
32 8.0x10^56 2.3x10^41 Years 1.1x10^59 3.1x10^43 Years
33 4.8x10^58 1.4x10^43 Years 7.7x10^60 2.2x10^45 Years
34 2.9x10^60 8.1x10^44 Years 5.4x10^62 1.5x10^47 Years
35 1.7x10^62 4.9x10^46 Years 3.8x10^64 1.1x10^49 Years
36 1.0x10^64 2.9x10^48 Years 2.7x10^66 7.5x10^50 Years
37 6.2x10^65 1.8x10^50 Years 1.9x10^68 5.3x10^52 Years
38 3.7x10^67 1.1x10^52 Years 1.3x10^70 3.7x10^54 Years
39 2.2x10^69 6.3x10^53 Years 9.1x10^71 2.6x10^56 Years
40 1.3x10^71 3.8x10^55 Years 6.4x10^73 1.8x10^58 Years
41 8.0x10^72 2.3x10^57 Years 4.5x10^75 1.3x10^60 Years
42 4.8x10^74 1.4x10^59 Years 3.1x10^77 8.8x10^61 Years
43 2.9x10^76 8.2x10^60 Years 2.2x10^79 6.2x10^63 Years
44 1.7x10^78 4.9x10^62 Years 1.5x10^81 4.3x10^65 Years
45 1.0x10^80 2.9x10^64 Years 1.1x10^83 3.0x10^67 Years
46 6.2x10^81 1.8x10^66 Years 7.5x10^84 2.1x10^69 Years
47 3.7x10^83 1.1x10^68 Years 5.2x10^86 1.5x10^71 Years
48 2.2x10^85 6.4x10^69 Years 3.7x10^88 1.0x10^73 Years
49 1.3x10^87 3.8x10^71 Years 2.6x10^90 7.3x10^74 Years
50 8.1x10^88 2.3x10^73 Years 1.8x10^92 5.1x10^76 Years
Positions Combinations (3000) Time Combinations (171476) Time
1 3000 2.7x10^-5 Seconds 1.7x10^5 1.5x10^-3 Seconds
2 9.0x10^6 8.0x10^-2 Seconds 2.9x10^10 4.4 Minutes
3 2.7x10^10 4.0 Minutes 5.0x10^15 1.4 Years
4 8.1x10^13 8.4 Days 8.6x10^20 2.4x10^5 Years
5 2.4x10^17 68.8 Years 1.5x10^26 4.2x10^10 Years
6 7.3x10^20 2.1x10^5 Years 2.5x10^31 7.2x10^15 Years
7 2.2x10^24 6.2x10^8 Years 4.4x10^36 1.2x10^21 Years
8 6.6x10^27 1.9x10^12 Years 7.5x10^41 2.1x10^26 Years
9 2.0x10^31 5.6x10^15 Years 1.3x10^47 3.6x10^31 Years
10 5.9x10^34 1.7x10^19 Years 2.2x10^52 6.2x10^36 Years
11 1.8x10^38 5.0x10^22 Years 3.8x10^57 1.1x10^42 Years
12 5.3x10^41 1.5x10^26 Years 6.5x10^62 1.8x10^47 Years
13 1.6x10^45 4.5x10^29 Years 1.1x10^68 3.1x10^52 Years
14 4.8x10^48 1.4x10^33 Years 1.9x10^73 5.4x10^57 Years
15 1.4x10^52 4.1x10^36 Years 3.3x10^78 9.2x10^62 Years
16 4.3x10^55 1.2x10^40 Years 5.6x10^83 1.6x10^68 Years
17 1.3x10^59 3.7x10^43 Years 9.6x10^88 2.7x10^73 Years
18 3.9x10^62 1.1x10^47 Years 1.6x10^94 4.7x10^78 Years
19 1.2x10^66 3.3x10^50 Years 2.8x10^99 8.0x10^83 Years
20 3.5x10^69 9.9x10^53 Years 4.8x10^104 1.4x10^89 Years
21 1.0x10^73 3.0x10^57 Years 8.3x10^109 2.3x10^94 Years
22 3.1x10^76 8.9x10^60 Years 1.4x10^115 4.0x10^99 Years
23 9.4x10^79 2.7x10^64 Years 2.4x10^120 6.9x10^104 Years
24 2.8x10^83 8.0x10^67 Years 4.2x10^125 1.2x10^110 Years
25 8.5x10^86 2.4x10^71 Years 7.2x10^130 2.0x10^115 Years
26 2.5x10^90 7.2x10^74 Years 1.2x10^136 3.5x10^120 Years
27 7.6x10^93 2.2x10^78 Years 2.1x10^141 6.0x10^125 Years
28 2.3x10^97 6.5x10^81 Years 3.6x10^146 1.0x10^131 Years
29 6.9x10^100 1.9x10^85 Years 6.2x10^151 1.8x10^136 Years
30 2.1x10^104 5.8x10^88 Years 1.1x10^157 3.0x10^141 Years
31 6.2x10^107 1.7x10^92 Years 1.8x10^162 5.2x10^146 Years
32 1.9x10^111 5.2x10^95 Years 3.1x10^167 8.8x10^151 Years
33 5.6x10^114 1.6x10^99 Years 5.4x10^172 1.5x10^157 Years
34 1.7x10^118 4.7x10^102 Years 9.2x10^177 2.6x10^162 Years
35 5.0x10^121 1.4x10^106 Years 1.6x10^183 4.5x10^167 Years
36 1.5x10^125 4.2x10^109 Years 2.7x10^188 7.6x10^172 Years
37 4.5x10^128 1.3x10^113 Years 4.6x10^193 1.3x10^178 Years
38 1.4x10^132 3.8x10^116 Years 7.9x10^198 2.2x10^183 Years
39 4.1x10^135 1.1x10^120 Years 1.4x10^204 3.9x10^188 Years
40 1.2x10^139 3.4x10^123 Years 2.3x10^209 6.6x10^193 Years
41 3.6x10^142 1.0x10^127 Years 4.0x10^214 1.1x10^199 Years
42 1.1x10^146 3.1x10^130 Years 6.9x10^219 1.9x10^204 Years
43 3.3x10^149 9.3x10^133 Years 1.2x10^225 3.3x10^209 Years
44 9.8x10^152 2.8x10^137 Years 2.0x10^230 5.7x10^214 Years
45 3.0x10^156 8.4x10^140 Years 3.5x10^235 9.8x10^219 Years
46 8.9x10^159 2.5x10^144 Years 5.9x10^240 1.7x10^225 Years
47 2.7x10^163 7.5x10^147 Years 1.0x10^246 2.9x10^230 Years
48 8.0x10^166 2.3x10^151 Years 1.7x10^251 4.9x10^235 Years
49 2.4x10^170 6.8x10^154 Years 3.0x10^256 8.5x10^240 Years
50 7.2x10^173 2.0x10^158 Years 5.1x10^261 1.5x10^246 Years
Positions Combinations (3000) Time Combinations (12000) Time
1 3000 2.7x10^-5 Seconds 12000.0 1.1x10^-4 Seconds
2 9.0x10^6 8.0x10^-2 Seconds 1.4x10^8 1.3 Seconds
3 2.7x10^10 4.0 Minutes 1.7x10^12 4.3 Hours
4 8.1x10^13 8.4 Days 2.1x10^16 5.9 Years
5 2.4x10^17 68.8 Years 2.5x10^20 70450.1 Years
6 7.3x10^20 2.1x10^5 Years 3.0x10^24 8.5x10^8 Years
7 2.2x10^24 6.2x10^8 Years 3.6x10^28 1.0x10^13 Years
8 6.6x10^27 1.9x10^12 Years 4.3x10^32 1.2x10^17 Years
9 2.0x10^31 5.6x10^15 Years 5.2x10^36 1.5x10^21 Years
10 5.9x10^34 1.7x10^19 Years 6.2x10^40 1.8x10^25 Years
11 1.8x10^38 5.0x10^22 Years 7.4x10^44 2.1x10^29 Years
12 5.3x10^41 1.5x10^26 Years 8.9x10^48 2.5x10^33 Years
13 1.6x10^45 4.5x10^29 Years 1.1x10^53 3.0x10^37 Years
14 4.8x10^48 1.4x10^33 Years 1.3x10^57 3.6x10^41 Years
15 1.4x10^52 4.1x10^36 Years 1.5x10^61 4.4x10^45 Years
16 4.3x10^55 1.2x10^40 Years 1.8x10^65 5.2x10^49 Years
17 1.3x10^59 3.7x10^43 Years 2.2x10^69 6.3x10^53 Years
18 3.9x10^62 1.1x10^47 Years 2.7x10^73 7.5x10^57 Years
19 1.2x10^66 3.3x10^50 Years 3.2x10^77 9.0x10^61 Years
20 3.5x10^69 9.9x10^53 Years 3.8x10^81 1.1x10^66 Years
21 1.0x10^73 3.0x10^57 Years 4.6x10^85 1.3x10^70 Years
22 3.1x10^76 8.9x10^60 Years 5.5x10^89 1.6x10^74 Years
23 9.4x10^79 2.7x10^64 Years 6.6x10^93 1.9x10^78 Years
24 2.8x10^83 8.0x10^67 Years 7.9x10^97 2.3x10^82 Years
25 8.5x10^86 2.4x10^71 Years 9.5x10^101 2.7x10^86 Years
26 2.5x10^90 7.2x10^74 Years 1.1x10^106 3.2x10^90 Years
27 7.6x10^93 2.2x10^78 Years 1.4x10^110 3.9x10^94 Years
28 2.3x10^97 6.5x10^81 Years 1.6x10^114 4.7x10^98 Years
29 6.9x10^100 1.9x10^85 Years 2.0x10^118 5.6x10^102 Years
30 2.1x10^104 5.8x10^88 Years 2.4x10^122 6.7x10^106 Years
31 6.2x10^107 1.7x10^92 Years 2.8x10^126 8.1x10^110 Years
32 1.9x10^111 5.2x10^95 Years 3.4x10^130 9.7x10^114 Years
33 5.6x10^114 1.6x10^99 Years 4.1x10^134 1.2x10^119 Years
34 1.7x10^118 4.7x10^102 Years 4.9x10^138 1.4x10^123 Years
35 5.0x10^121 1.4x10^106 Years 5.9x10^142 1.7x10^127 Years
36 1.5x10^125 4.2x10^109 Years 7.1x10^146 2.0x10^131 Years
37 4.5x10^128 1.3x10^113 Years 8.5x10^150 2.4x10^135 Years
38 1.4x10^132 3.8x10^116 Years 1.0x10^155 2.9x10^139 Years
39 4.1x10^135 1.1x10^120 Years 1.2x10^159 3.5x10^143 Years
40 1.2x10^139 3.4x10^123 Years 1.5x10^163 4.2x10^147 Years
41 3.6x10^142 1.0x10^127 Years 1.8x10^167 5.0x10^151 Years
42 1.1x10^146 3.1x10^130 Years 2.1x10^171 6.0x10^155 Years
43 3.3x10^149 9.3x10^133 Years 2.5x10^175 7.2x10^159 Years
44 9.8x10^152 2.8x10^137 Years 3.0x10^179 8.6x10^163 Years
45 3.0x10^156 8.4x10^140 Years 3.7x10^183 1.0x10^168 Years
46 8.9x10^159 2.5x10^144 Years 4.4x10^187 1.2x10^172 Years
47 2.7x10^163 7.5x10^147 Years 5.3x10^191 1.5x10^176 Years
48 8.0x10^166 2.3x10^151 Years 6.3x10^195 1.8x10^180 Years
49 2.4x10^170 6.8x10^154 Years 7.6x10^199 2.1x10^184 Years
50 7.2x10^173 2.0x10^158 Years 9.1x10^203 2.6x10^188 Years
Positions Combinations (34) Time Combinations (60) Time
1 34 3.0x10^-7 Seconds 60.0 5.4x10^-7 Seconds
2 1156 1.0x10^-5 Seconds 3600.0 3.2x10^-5 Seconds
3 39304 3.5x10^-4 Seconds 2.2x10^5 1.9x10^-3 Seconds
4 1.3x10^6 1.2x10^-2 Seconds 1.3x10^7 0.1 Seconds
5 4.5x10^7 0.4 Seconds 7.8x10^8 6.9 Seconds
6 1.5x10^9 13.8 Seconds 4.7x10^10 6.9 Minutes
7 5.3x10^10 7.8 Minutes 2.8x10^12 6.9 Hours
8 1.8x10^12 4.4 Hours 1.7x10^14 17.4 Days
9 6.1x10^13 6.3 Days 1.0x10^16 2.9 Years
10 2.1x10^15 7.1 Months 6.0x10^17 171.2 Years
11 7.0x10^16 19.9 Years 3.6x10^19 10271.6 Years
12 2.4x10^18 675.7 Years 2.2x10^21 6.2x10^5 Years
13 8.1x10^19 22972.1 Years 1.3x10^23 3.7x10^7 Years
14 2.8x10^21 7.8x10^5 Years 7.8x10^24 2.2x10^9 Years
15 9.4x10^22 2.7x10^7 Years 4.7x10^26 1.3x10^11 Years
16 3.2x10^24 9.0x10^8 Years 2.8x10^28 8.0x10^12 Years
17 1.1x10^26 3.1x10^10 Years 1.7x10^30 4.8x10^14 Years
18 3.7x10^27 1.0x10^12 Years 1.0x10^32 2.9x10^16 Years
19 1.3x10^29 3.5x10^13 Years 6.1x10^33 1.7x10^18 Years
20 4.3x10^30 1.2x10^15 Years 3.7x10^35 1.0x10^20 Years
21 1.4x10^32 4.1x10^16 Years 2.2x10^37 6.2x10^21 Years
22 4.9x10^33 1.4x10^18 Years 1.3x10^39 3.7x10^23 Years
23 1.7x10^35 4.7x10^19 Years 7.9x10^40 2.2x10^25 Years
24 5.7x10^36 1.6x10^21 Years 4.7x10^42 1.3x10^27 Years
25 1.9x10^38 5.5x10^22 Years 2.8x10^44 8.0x10^28 Years
26 6.6x10^39 1.9x10^24 Years 1.7x10^46 4.8x10^30 Years
27 2.2x10^41 6.3x10^25 Years 1.0x10^48 2.9x10^32 Years
28 7.6x10^42 2.2x10^27 Years 6.1x10^49 1.7x10^34 Years
29 2.6x10^44 7.3x10^28 Years 3.7x10^51 1.0x10^36 Years
30 8.8x10^45 2.5x10^30 Years 2.2x10^53 6.3x10^37 Years
31 3.0x10^47 8.5x10^31 Years 1.3x10^55 3.8x10^39 Years
32 1.0x10^49 2.9x10^33 Years 8.0x10^56 2.3x10^41 Years
33 3.5x10^50 9.8x10^34 Years 4.8x10^58 1.4x10^43 Years
34 1.2x10^52 3.3x10^36 Years 2.9x10^60 8.1x10^44 Years
35 4.0x10^53 1.1x10^38 Years 1.7x10^62 4.9x10^46 Years
36 1.4x10^55 3.8x10^39 Years 1.0x10^64 2.9x10^48 Years
37 4.6x10^56 1.3x10^41 Years 6.2x10^65 1.8x10^50 Years
38 1.6x10^58 4.4x10^42 Years 3.7x10^67 1.1x10^52 Years
39 5.3x10^59 1.5x10^44 Years 2.2x10^69 6.3x10^53 Years
40 1.8x10^61 5.1x10^45 Years 1.3x10^71 3.8x10^55 Years
41 6.2x10^62 1.7x10^47 Years 8.0x10^72 2.3x10^57 Years
42 2.1x10^64 5.9x10^48 Years 4.8x10^74 1.4x10^59 Years
43 7.1x10^65 2.0x10^50 Years 2.9x10^76 8.2x10^60 Years
44 2.4x10^67 6.9x10^51 Years 1.7x10^78 4.9x10^62 Years
45 8.3x10^68 2.3x10^53 Years 1.0x10^80 2.9x10^64 Years
46 2.8x10^70 7.9x10^54 Years 6.2x10^81 1.8x10^66 Years
47 9.5x10^71 2.7x10^56 Years 3.7x10^83 1.1x10^68 Years
48 3.2x10^73 9.2x10^57 Years 2.2x10^85 6.4x10^69 Years
49 1.1x10^75 3.1x10^59 Years 1.3x10^87 3.8x10^71 Years
50 3.7x10^76 1.1x10^61 Years 8.1x10^88 2.3x10^73 Years
Positions Combinations (36) Time Combinations (62) Time
1 36 3.2x10^-7 Seconds 62.0 5.5x10^-7 Seconds
2 1296 1.2x10^-5 Seconds 3844.0 3.4x10^-5 Seconds
3 46656 4.2x10^-4 Seconds 2.4x10^5 2.1x10^-3 Seconds
4 1.7x10^6 1.5x10^-2 Seconds 1.5x10^7 0.1 Seconds
5 6.0x10^7 0.5 Seconds 9.2x10^8 8.2 Seconds
6 2.2x10^9 19.4 Seconds 5.7x10^10 8.5 Minutes
7 7.8x10^10 11.7 Minutes 3.5x10^12 8.7 Hours
8 2.8x10^12 7.0 Hours 2.2x10^14 22.6 Days
9 1.0x10^14 10.5 Days 1.4x10^16 3.8 Years
10 3.7x10^15 1.0 Years 8.4x10^17 237.6 Years
11 1.3x10^17 37.3 Years 5.2x10^19 14732.8 Years
12 4.7x10^18 1341.5 Years 3.2x10^21 9.1x10^5 Years
13 1.7x10^20 48295.6 Years 2.0x10^23 5.7x10^7 Years
14 6.1x10^21 1.7x10^6 Years 1.2x10^25 3.5x10^9 Years
15 2.2x10^23 6.3x10^7 Years 7.7x10^26 2.2x10^11 Years
16 8.0x10^24 2.3x10^9 Years 4.8x10^28 1.3x10^13 Years
17 2.9x10^26 8.1x10^10 Years 3.0x10^30 8.4x10^14 Years
18 1.0x10^28 2.9x10^12 Years 1.8x10^32 5.2x10^16 Years
19 3.7x10^29 1.1x10^14 Years 1.1x10^34 3.2x10^18 Years
20 1.3x10^31 3.8x10^15 Years 7.0x10^35 2.0x10^20 Years
21 4.8x10^32 1.4x10^17 Years 4.4x10^37 1.2x10^22 Years
22 1.7x10^34 4.9x10^18 Years 2.7x10^39 7.7x10^23 Years
23 6.2x10^35 1.8x10^20 Years 1.7x10^41 4.8x10^25 Years
24 2.2x10^37 6.4x10^21 Years 1.0x10^43 2.9x10^27 Years
25 8.1x10^38 2.3x10^23 Years 6.5x10^44 1.8x10^29 Years
26 2.9x10^40 8.2x10^24 Years 4.0x10^46 1.1x10^31 Years
27 1.0x10^42 3.0x10^26 Years 2.5x10^48 7.0x10^32 Years
28 3.8x10^43 1.1x10^28 Years 1.5x10^50 4.4x10^34 Years
29 1.4x10^45 3.8x10^29 Years 9.5x10^51 2.7x10^36 Years
30 4.9x10^46 1.4x10^31 Years 5.9x10^53 1.7x10^38 Years
31 1.8x10^48 5.0x10^32 Years 3.7x10^55 1.0x10^40 Years
32 6.3x10^49 1.8x10^34 Years 2.3x10^57 6.4x10^41 Years
33 2.3x10^51 6.5x10^35 Years 1.4x10^59 4.0x10^43 Years
34 8.2x10^52 2.3x10^37 Years 8.7x10^60 2.5x10^45 Years
35 3.0x10^54 8.4x10^38 Years 5.4x10^62 1.5x10^47 Years
36 1.1x10^56 3.0x10^40 Years 3.4x10^64 9.5x10^48 Years
37 3.8x10^57 1.1x10^42 Years 2.1x10^66 5.9x10^50 Years
38 1.4x10^59 3.9x10^43 Years 1.3x10^68 3.7x10^52 Years
39 5.0x10^60 1.4x10^45 Years 8.0x10^69 2.3x10^54 Years
40 1.8x10^62 5.1x10^46 Years 5.0x10^71 1.4x10^56 Years
41 6.4x10^63 1.8x10^48 Years 3.1x10^73 8.7x10^57 Years
42 2.3x10^65 6.6x10^49 Years 1.9x10^75 5.4x10^59 Years
43 8.3x10^66 2.4x10^51 Years 1.2x10^77 3.3x10^61 Years
44 3.0x10^68 8.5x10^52 Years 7.3x10^78 2.1x10^63 Years
45 1.1x10^70 3.1x10^54 Years 4.5x10^80 1.3x10^65 Years
46 3.9x10^71 1.1x10^56 Years 2.8x10^82 8.0x10^66 Years
47 1.4x10^73 4.0x10^57 Years 1.7x10^84 4.9x10^68 Years
48 5.0x10^74 1.4x10^59 Years 1.1x10^86 3.1x10^70 Years
49 1.8x10^76 5.1x10^60 Years 6.7x10^87 1.9x10^72 Years
50 6.5x10^77 1.8x10^62 Years 4.2x10^89 1.2x10^74 Years
Positions Combinations (62) Time Combinations (72) Time
1 62 5.5x10^-7 Seconds 72.0 6.4x10^-7 Seconds
2 3844 3.4x10^-5 Seconds 5184.0 4.6x10^-5 Seconds
3 2.4x10^5 2.1x10^-3 Seconds 3.7x10^5 3.3x10^-3 Seconds
4 1.5x10^7 0.1 Seconds 2.7x10^7 0.2 Seconds
5 9.2x10^8 8.2 Seconds 1.9x10^9 17.3 Seconds
6 5.7x10^10 8.5 Minutes 1.4x10^11 20.7 Minutes
7 3.5x10^12 8.7 Hours 1.0x10^13 1.0 Days
8 2.2x10^14 22.6 Days 7.2x10^14 2.5 Months
9 1.4x10^16 3.8 Years 5.2x10^16 14.7 Years
10 8.4x10^17 237.6 Years 3.7x10^18 1060.0 Years
11 5.2x10^19 14732.8 Years 2.7x10^20 76319.0 Years
12 3.2x10^21 9.1x10^5 Years 1.9x10^22 5.5x10^6 Years
13 2.0x10^23 5.7x10^7 Years 1.4x10^24 4.0x10^8 Years
14 1.2x10^25 3.5x10^9 Years 1.0x10^26 2.8x10^10 Years
15 7.7x10^26 2.2x10^11 Years 7.2x10^27 2.1x10^12 Years
16 4.8x10^28 1.3x10^13 Years 5.2x10^29 1.5x10^14 Years
17 3.0x10^30 8.4x10^14 Years 3.8x10^31 1.1x10^16 Years
18 1.8x10^32 5.2x10^16 Years 2.7x10^33 7.7x10^17 Years
19 1.1x10^34 3.2x10^18 Years 1.9x10^35 5.5x10^19 Years
20 7.0x10^35 2.0x10^20 Years 1.4x10^37 4.0x10^21 Years
21 4.4x10^37 1.2x10^22 Years 1.0x10^39 2.9x10^23 Years
22 2.7x10^39 7.7x10^23 Years 7.3x10^40 2.1x10^25 Years
23 1.7x10^41 4.8x10^25 Years 5.2x10^42 1.5x10^27 Years
24 1.0x10^43 2.9x10^27 Years 3.8x10^44 1.1x10^29 Years
25 6.5x10^44 1.8x10^29 Years 2.7x10^46 7.7x10^30 Years
26 4.0x10^46 1.1x10^31 Years 2.0x10^48 5.5x10^32 Years
27 2.5x10^48 7.0x10^32 Years 1.4x10^50 4.0x10^34 Years
28 1.5x10^50 4.4x10^34 Years 1.0x10^52 2.9x10^36 Years
29 9.5x10^51 2.7x10^36 Years 7.3x10^53 2.1x10^38 Years
30 5.9x10^53 1.7x10^38 Years 5.2x10^55 1.5x10^40 Years
31 3.7x10^55 1.0x10^40 Years 3.8x10^57 1.1x10^42 Years
32 2.3x10^57 6.4x10^41 Years 2.7x10^59 7.7x10^43 Years
33 1.4x10^59 4.0x10^43 Years 2.0x10^61 5.5x10^45 Years
34 8.7x10^60 2.5x10^45 Years 1.4x10^63 4.0x10^47 Years
35 5.4x10^62 1.5x10^47 Years 1.0x10^65 2.9x10^49 Years
36 3.4x10^64 9.5x10^48 Years 7.3x10^66 2.1x10^51 Years
37 2.1x10^66 5.9x10^50 Years 5.3x10^68 1.5x10^53 Years
38 1.3x10^68 3.7x10^52 Years 3.8x10^70 1.1x10^55 Years
39 8.0x10^69 2.3x10^54 Years 2.7x10^72 7.7x10^56 Years
40 5.0x10^71 1.4x10^56 Years 2.0x10^74 5.6x10^58 Years
41 3.1x10^73 8.7x10^57 Years 1.4x10^76 4.0x10^60 Years
42 1.9x10^75 5.4x10^59 Years 1.0x10^78 2.9x10^62 Years
43 1.2x10^77 3.3x10^61 Years 7.3x10^79 2.1x10^64 Years
44 7.3x10^78 2.1x10^63 Years 5.3x10^81 1.5x10^66 Years
45 4.5x10^80 1.3x10^65 Years 3.8x10^83 1.1x10^68 Years
46 2.8x10^82 8.0x10^66 Years 2.7x10^85 7.7x10^69 Years
47 1.7x10^84 4.9x10^68 Years 2.0x10^87 5.6x10^71 Years
48 1.1x10^86 3.1x10^70 Years 1.4x10^89 4.0x10^73 Years
49 6.7x10^87 1.9x10^72 Years 1.0x10^91 2.9x10^75 Years
50 4.2x10^89 1.2x10^74 Years 7.4x10^92 2.1x10^77 Years
So let's make our password a bit longer. Say 10 positions, which is 2.8x10^18 combinations, which means it would take 2.8 seconds to crack this password. How about 12 positions? 1.4x10^22 combinations, just under 4 hours. How about 14 positions?

Brute-Force attacks


How Many Combinations of Passwords Can Be Made From A Specific Character Set?

The answer is the number of characters in the set raised to the power of the length of the password.

To explain why, lets start with two characters in the set of characters available to use (A and B). For a password of length one, we can have only two possible passwords (A or B). And for a password of length two, we can have two possible characters in each position, (AA, AB, BA, or BB). Looking at the list, we can see that we have twice as many as we had before. This is because we now have A or B in the second position for each occurance of A or B in the first position. If we add one more to the length, we will have all of the previous possible combinations twice, once with A in front of them, and once with B in front of them (AAA, AAB, ABA, ABB, and BAA, BAB, BBA, BBB). And clearly, if we add one more character, then we'd have twice that again.

Another way to write that, instead of saying twice, is to say times two, so we had two when the length was one, and we have two times two (2x2) for a length of two, and the next one would be two times two times two (2x2x2), and the password of length four can have two times two times two times two (2x2x2x2) combinations. Another way to write 2x2x2x2 is 2^4, pronounced 2 raised to the power of 4, or two to the fourth power, or just two to the fourth.

Does this work for three characters? For a lenth of one, there are three possibilities (A, B or C). For a length two, each of those three will have three possible combinations, so 3x3. A password that is one character longer will have three possible combinations for each of the previous combinations, or in this case 3x3x3. And the next length (four) will have 3x3x3x3. So, again, we can write that as 3^4 or the number of characters raised to the power of the length of the password. This works for any number of characters, and any length of password.

If there are 62 characters in the character set then the number of possible password combinations is 62^length, 62 to the power of the length of the password. A four character password can have 62^4, or 62x62x62x62 possible combinations.

There are 62 Alphanumeric Characters in the Engligh Language

In English, for a single position in a password, there are 26 alphabetical characters, a to z. Plus the same characters can be upper case, A to Z. Plus the numbers from 0 to 9.

26 plus 26 plus 10 is 62. So a password that can have upper case letters, lower case letters, or numbers, can have 62 different characters in each position within the password.

Any password with this character set will have 62^length possible combinations.

There are About Ten Special Characters That Can Be Used in Passwords

Special characters are those that are not in the normal English alphanumeric character set (a-z, A-Z, 0-9). They include exclamation mark (!), quote ("), dollar ($), percent (%), caret (^), ampersand (&), star (*), parentheses ( and ), underscore (_), minus (-), plus (+), equals (=), brackets [ and ], braces { and }, colon (:), semi-colon (;), at sign (@), single quote ('), tilde (~), hash (#), less than (<), greater than (>), comma (,), period (.), question mark (?), slash (/), back slash (\), and bar (|). At least, that's what's on my keyboard as I type this.

Why then have I said that there are about 10 special characters that can be used in passwords, in stead of the 32 that I've listed? From experience I've found that some sites will not accept some characters. I think this is because they interfere with the programming languages that they use to present their site. The dollar sign ($) for example, is used in some languages to mean "this is a variable", the same with the braces { and }, and even the explanation mark (!) on occasion. Additionally since some keyboards don't have some special characters, they might not have been included by the developer, depending on how it was set up. Quotes and single quotes can also make things difficult for different programming languages. Commas and periods can sometimes do wierd things to form inputs as well. As can the less than (<) and greater than (>) signs. The slash (/) and backslash (\) also has meaning to some languages. I've even had a site reject the at sign (@) for who knows what reason.

So if we just use those that are known to be accepted, the caret (^), star (*), underscore (_), minus (-), plus (+), colon (:), semi-colon (;), bar (|) and question mark (?), there are only 9 special characters that are "clean" to use in form input fields without needing special programming to deal with them. And I would add the at sign (@) as well, except that I've had it rejected before.

To be fair, the only one that I know will be accepted under all circumstances when a site requires a special character is the underscore (_).

At any rate, the rest of this paper should prove using special characters is not the answer to making passwords hard to break, so it matters not how many are accepted by what sites.

How Many Tests Per Second Can Be Performed?

Node performance in GFlops = (CPU speed in GHz) x (number of CPU cores) x (CPU instruction per cycle) x (number of CPUs per node)

Using linux, the command: cat /proc/cpuinfo
Shows that my laptop there are 4 CPUs, each with 2 cores, running at 2.6 GHz.
I haven't found how many instructions per cycle are performed by my specific CPU, but it looks like most Intel processors of a similar age and speed to 8 instructions per cycle

2.6 GHz x 2 cores x 8 IPC x 4 CPUs = 166 GFlops

Dividing 166 GFlops by 1200 results in 138.3 MFlops per test

200 petaflops, or 200x10^15 Flops divided by 138.3 MFlops 138.3x10^6 is 1.45x10^9 tests per second

My home laptop has 4 processors, each with 2 cores, running at 2.6 Ghz

According to wikipedia, my laptop, an Intel Core i5 7300U, does 53,840 MIPS, that's 53,840,000,000 Instructions Per Second. According to my own tests, my computer deciphers a reasonable sample at about 500 per second. If the key is invalid however, it can return "invalid" about 1200 times per second. If I divide 53,840,000,000 by 1200 I get 44866667 instructions per test.

Google says that The Verge says (as of 3 April 2019) the fastest computer in the world does "200 petaflops, or 200,000 trillion calculations per second"

Passwords With Special Characters Versus Without

The following table shows the number of combinations and the time required to decypher a password using the 62 alphanumeric characters in the English alphabet versus having an additional 10 special characters. The time columns are based on 1.9x10^9 tests per second.

Its evident in the table that there is less to be gained from using special characters than making the password one character longer. Why then do sites require you to use special characters? Why not just make the password longer?

I believe it's because they are storing the password in a table in their database, and have only alloted a certain size for that password. But that's neither here nor there for this paper. More importanly is to know that using special characters makes the password harder to remember, but does not make it harder to decypher.

Making the password longer makes it harder to decipher.

Positions Combinations (62) Time Combinations (72) Time
1 62 3.3x10^-8 Seconds 72.0 3.8x10^-8 Seconds
2 3844 2.0x10^-6 Seconds 5184.0 2.7x10^-6 Seconds
3 2.4x10^5 1.3x10^-4 Seconds 3.7x10^5 2.0x10^-4 Seconds
4 1.5x10^7 7.8x10^-3 Seconds 2.7x10^7 1.4x10^-2 Seconds
5 9.2x10^8 0.5 Seconds 1.9x10^9 1.0 Seconds
6 5.7x10^10 29.9 Seconds 1.4x10^11 1.2 Minutes
7 3.5x10^12 30.9 Minutes 1.0x10^13 1.5 Hours
8 2.2x10^14 1.3 Days 7.2x10^14 4.4 Days
9 1.4x10^16 2.7 Months 5.2x10^16 10.6 Months
10 8.4x10^17 14.0 Years 3.7x10^18 62.5 Years
11 5.2x10^19 868.5 Years 2.7x10^20 4498.8 Years
12 3.2x10^21 53844.3 Years 1.9x10^22 3.2x10^5 Years
13 2.0x10^23 3.3x10^6 Years 1.4x10^24 2.3x10^7 Years
14 1.2x10^25 2.1x10^8 Years 1.0x10^26 1.7x10^9 Years
15 7.7x10^26 1.3x10^10 Years 7.2x10^27 1.2x10^11 Years
16 4.8x10^28 8.0x10^11 Years 5.2x10^29 8.7x10^12 Years
17 3.0x10^30 4.9x10^13 Years 3.8x10^31 6.3x10^14 Years
18 1.8x10^32 3.1x10^15 Years 2.7x10^33 4.5x10^16 Years
19 1.1x10^34 1.9x10^17 Years 1.9x10^35 3.2x10^18 Years
20 7.0x10^35 1.2x10^19 Years 1.4x10^37 2.3x10^20 Years
21 4.4x10^37 7.3x10^20 Years 1.0x10^39 1.7x10^22 Years
22 2.7x10^39 4.5x10^22 Years 7.3x10^40 1.2x10^24 Years
23 1.7x10^41 2.8x10^24 Years 5.2x10^42 8.7x10^25 Years
24 1.0x10^43 1.7x10^26 Years 3.8x10^44 6.3x10^27 Years
25 6.5x10^44 1.1x10^28 Years 2.7x10^46 4.5x10^29 Years
26 4.0x10^46 6.7x10^29 Years 2.0x10^48 3.3x10^31 Years
27 2.5x10^48 4.1x10^31 Years 1.4x10^50 2.3x10^33 Years
28 1.5x10^50 2.6x10^33 Years 1.0x10^52 1.7x10^35 Years
29 9.5x10^51 1.6x10^35 Years 7.3x10^53 1.2x10^37 Years
30 5.9x10^53 9.9x10^36 Years 5.2x10^55 8.8x10^38 Years
Passwords With Special Characters Versus Without

Passwords With Special Characters Versus Without

Passwords With Special Characters Versus Without

Passwords With Special Characters Versus Without

Passwords With Special Characters Versus Without

Home Log In Articles The Safe FAQ User Guide Challenge Phishing SSL Test Privacy Policy Advertising Cookies ©copyright 1997-2021 Log In Register