How Guessable Is Your Password?

--

Go on … admit it … if you are forced to have a number in your password … you put it at the end? If you put an uppercase letter in your password … you put it at the start? Well you might not, but most people do, which means a hash cracker can target a limited range of character sets for their cracking.

If you select a password with six characters and only use lowercase letters then we have 26⁶ passwords (308,915,776), but if we use lowercase alphanumeric characters then we have 36⁶ passwords (2,176,782,336). The cracking will then be seven times more difficult. Now if we go for upper and lowercase characters and numeric values, we have 62 characters, so we have 62⁶ passwords (56,800,235,584), which is now 184 times more difficult [try here].
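To make the arithmetic above concrete, here is a small added example (not from the original post) that computes the keyspace for each character set and also shows how much smaller the search space becomes when a password follows the "capital first, digit last" habit from the opening paragraph. The class letters L/U/D and the pattern string "ULLLLD" are my own notation, and the calculation assumes every position is chosen uniformly from its class.

```python
import math

# Character-class sizes used on the page: lowercase, uppercase, digits.
CLASS_SIZES = {"L": 26, "U": 26, "D": 10}
LOWER_ONLY = 26    # a-z
ALNUM_LOWER = 36   # a-z plus 0-9
ALNUM_MIXED = 62   # a-z, A-Z, 0-9


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords when every position may be any of charset_size symbols."""
    return charset_size ** length


def bits(charset_size: int, length: int) -> float:
    """The same keyspace expressed as bits, assuming uniform random choice."""
    return length * math.log2(charset_size)


def pattern_keyspace(pattern: str) -> int:
    """Keyspace when the cracker knows the character class of every position.

    pattern is a string such as 'ULLLLD': an uppercase letter, four lowercase
    letters, then one digit (my own notation, not from the page).
    """
    n = 1
    for cls in pattern:
        n *= CLASS_SIZES[cls]
    return n


def relative_cost(larger: int, smaller: int) -> float:
    """How many times more guesses the larger keyspace needs than the smaller one."""
    return larger / smaller


if __name__ == "__main__":
    lower = keyspace(LOWER_ONLY, 6)
    alnum = keyspace(ALNUM_LOWER, 6)
    mixed = keyspace(ALNUM_MIXED, 6)
    print(f"lowercase only   : {lower:>15,}  ({bits(LOWER_ONLY, 6):.1f} bits)")
    print(f"lower + digits   : {alnum:>15,}  x{relative_cost(alnum, lower):.1f} harder")
    print(f"upper+lower+digit: {mixed:>15,}  x{relative_cost(mixed, lower):.1f} harder")
    # The habit from the opening paragraph: capital first, digit last.
    habit = pattern_keyspace("ULLLLD")
    print(f"'Abcde1'-style   : {habit:>15,}  ({math.log2(habit):.1f} bits), "
          f"{relative_cost(mixed, habit):.0f}x smaller than the full 62-char space")
```

The last line is the point of the opening paragraph in numbers: a 6-character "mixed" password that always follows the habit has about 27 bits of keyspace rather than the 35.7 bits the character set suggests.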

So we’ve just published some analysis of the strength of passwords here.

In the paper we look at patterns and vulnerabilities based on Shannon entropy, guessing entropy and minimum entropy, and analyse passwords from the RockYou and 163.com datasets. Our conclusions define improved passwords for good usability, deployability, rememberability, and secure entropies.

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.