I thought the strength of a password depended on the total number of possible combinations. Therefore, allowing longer passwords should be safer because you then have more possibilities. But why do some systems set a minimum number? Doesn't this simply reduce the number of possible combinations?
Asked
Active
Viewed 1,122 times
4 Answers
20
Doesn't this simply reduce the number of possible combinations?
yes, but not significantly.
As an analogy, consider passwords that are combinations of uppercase letters A-Z only, with max length of 8. Total # of possibilities = 268 + 267 + ... + 26 + 1 = 217.2 billion. If you restrict this to a minimum length of 6, that eliminates passwords of length 5 or less, which have a total # of possibilities of 265 + 264 + ... + 26 + 1 = 12.4 million, a tiny fraction of the larger password space.
Jason S
- 394
- 1
- 8
13
Even if you allow 128-byte passwords, most people will choose something 10 chars or less. Some even will choose something as short as 1-3 chars. Hackers know this and brute-force those possibilities first. Indeed, in most brute-force hacking programs, they naturally come up first as they start with shortest possibilities and build to longer ones. Therefore, a minimum.
To your point, it does minimize the total possibilities, but not by much, as the LSB's don't amount to much compared to the MSB's.
2
I would say it reduces the amount of easy-to-crack passwords in the system.
1
No, because the longer the password, the more time it takes to crack. By setting a minimum length the designer is forcing the user to make a longer password.
Drazisil
- 119
- 4