Luke Sheppard's blog about information security, web development, and hacking 


Password key space complexity versus password length

An illustration from the FIPS publication 181: Automated Password Generator (APG). Interestingly, one of the goals of the APG was to provide a “method for producing pronounceable passwords that have no association with a particular user”.

It is weird to think that a 7-character all-lowercase password is better than a 5-character alphanumeric password with punctuation:

95^5 = 7,737,809,375
26^7 = 8,031,810,176

The seven-character lowercase password has slightly more (294,000,801) possible combinations.
But if you increase each type of password by one more character, the lowercase password has about three and a half times fewer combinations.

95^6 = 735,091,890,625
26^8 = 208,827,064,576

I wonder if they go back and forth like that as you add more characters to your passwords. I wonder if the hash cracking times correspond to this.

Let’s see…If you only use 11 characters:


and just make your password be a phone number:


It beats all of the above, with a total of 3,138,428,376,721 possible combinations, or 11^12.
It would be really cool to compare the hash cracking times of these kinds of things. I wonder if the limited character set would make the cracking time faster. Freaky.

Er… that phone number actually makes it 9^12, or 282,429,536,481, since it is missing the 5 and 8 characters. But if you add parentheses and a space, you get 12^14, the greatest password of all:

(213) 407-9366

Easy to remember, and it has over 1.2 quadrillion possible combinations: 1,283,918,464,548,860 …until you have to change your phone number. :)
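
The comparisons in this post, worked through as an added example (not code from the original post): it checks whether the lead swaps back and forth as both passwords grow, and counts the candidates left when a password is known to follow the phone-number layout. The function names and the `d` placeholder for "any digit" are assumptions made for this example.

```python
import math

def keyspace(alphabet_size: int, length: int) -> int:
    """Count of distinct strings of exactly `length` symbols (exact integer)."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the key space; meaningful only if each symbol is picked uniformly at random."""
    return length * math.log2(alphabet_size)

def leader_per_step(a_size, a_len, b_size, b_len, steps):
    """For k = 0..steps extra characters on both passwords, report which one
    ("a" or "b") has the larger key space. The ratio b/a is multiplied by
    b_size/a_size at every step, so the lead can change at most once."""
    out = []
    for k in range(steps + 1):
        a = keyspace(a_size, a_len + k)
        b = keyspace(b_size, b_len + k)
        out.append("a" if a > b else "b")
    return out

def pattern_keyspace(pattern: str, classes: dict) -> int:
    """Key space of a fixed layout: a class placeholder multiplies in its size,
    a literal character (parenthesis, space, dash) has exactly one value."""
    total = 1
    for ch in pattern:
        total *= classes.get(ch, 1)
    return total

if __name__ == "__main__":
    # a = 26 lowercase letters starting at 7 chars, b = 95 printable ASCII starting at 5 chars
    print(leader_per_step(26, 7, 95, 5, 6))
    print(round(entropy_bits(26, 7), 2), round(entropy_bits(95, 5), 2))
    # Constructed layout string: "d" stands for any digit 0-9 (assumption of this example)
    layout = "(ddd) ddd-dddd"
    known_layout = pattern_keyspace(layout, {"d": 10})
    free_choice = keyspace(12, 14)
    print(f"{known_layout:,} candidates with the layout known, {free_choice:.2e} without")
```

The lowercase password leads only at the starting lengths; from one added character onward the 95-symbol password stays ahead. The 12^14 figure assumes every position could hold any of the 12 symbols, while the fixed layout leaves only the ten digit positions free.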
