Lowercase-only passwords are convenient for phones since we dont hit shift or go to characters page(each which is as much effort as hitting a character in my Android devices). But how long would a lowercase-only password have to be to match a 10-character all-chars password?
Asked
Active
Viewed 734 times
0
-
I know this question has been constrained to lowercase-only, but it's effectively the same question none-the-less. – Xander Jun 11 '14 at 13:33
2 Answers
1
There is a table at http://en.wikipedia.org/wiki/Password_strength comparing the various mixtures and their strength. Don't forget that the characters should be chosen at random! If not you enter the domain of passphrases. There is an interesting graph at http://blog.webernetz.net/2013/07/30/password-strengthentropy-characters-vs-words/ comparing the entropy of passphrases and passwords. And in the text it addresses also light variations of pass phrases. Again the words of a passphrase should be chosen at random for these calculations and graphs to be valid.
To answer the question: But how long would a lowercase-only password have to be to match a 10-character all-chars password: according to that the wiki table the answer is 14. If you want to do the math:= lower case: 26^14= 6.4E+19 is about equal to all 96: 96^10=6.6E+19
Dick99999
- 525
- 5
- 8
0
A password's security, assuming it is randomly chosen, is as secure as the keyspace (ie, the number of possible values it could have). From probability, you determine the number of combinations by multiplying the number of possible options for each character.
If you have a 6 character password with both upper and lower case, you have 52 possibilities per character. 52 to the 6th power is 19770609664 possibilities. It takes between 7 and 8 characters to get the same number of possibilities with only 26 choices per character. I arrived at that simply by dividing the total by 26 until I got to a number less than 1.
You can use the same technique to figure out the number of possibilities for any type of password.
The one caveat to this is that in reality, people tend to not use randomly chosen passwords, which greatly reduces the number of options. They are more likely to add some randomness if capitalization and symbol substitution is available (and required). This limits the effectiveness of both a lower case only as well as a full character set, so you get less than you would expect in both cases, but sadly, it's more a best guess as to how difficult the password actually is to guess rather than something easily mathematically determined at that point.
The basic concept behind guessing is still the same though, you want to approximate the number of passwords they might use with lowercase only and look at how long they would have to be in order to be similar to the number of passwords they are likely to make with more characters available or required.
AJ Henderson
- 41,816
- 5
- 63
- 110