0

My friend and I were talking about how fast computers could potentially brute force a password these days. I came up with the idea of using letters from a foreign alphabet to use in your password, though I figured that it could be limited if the website couldn't hand those characters. Then he suggested using alt codes instead, and I was wondering how much more secure would this make your password?

Would you be better off using the numbers instead of the alt code just to increase your password length?

Monkey
  • 45
  • 1
  • 4

2 Answers2

1

I've seen variations on this question come up a few times, it can be basically summed up as "If I do {uncommon thing} with my password will it make it stronger?" whether that is adding alt codes, using non-ascii characters, typing it twice, whatever.

The assumption generally seems to be that if you do something password crackers are not expecting it will increase it's strength. Which sounds reasonable on the face of it, but it's the wrong way of looking at password strength. What you should be looking at is the amount of entropy in your password (that is, how large is the pool of possible passwords from which that one was selected?), rather than how that entropy is displayed.

For example if you used dd if=/dev/random count=18 bs=1 2>/dev/null | base64 that would get 144 random bits of information, and output it as base64 it would be displayed as 24 characters, but if you used dd if=/dev/random count=18 bs=1 2>/dev/null | xxd -p thats going to output the 144 bit as hex, so it will be displayed as 36 characters. But they are both the same strength.

So to answer your question: No, using alt codes does not in and of itself increase strength. To increase strength you need more entropy (a larger pool of possible passwords). But it dose reduce the number of characters you need to store that entropy. So if you were using a service that limited you to 16 character passwords (Hi Microsoft Live) it could be useful.

This is the short version of a longer rant I did that a few weeks ago.

Hybrid
  • 4,198
  • 2
  • 21
  • 23
1

First: There is no such thing as alt codes to use in a password. The alt codes are just a way provided by Microsoft Windows to enter characters not on your keyboard. You can only use them, if this characters are supported on the website you want to use. If they don't support Unicode, it probably won't work or worse: If they ever change the charset of the website there is a great chance that your password entered using alt codes will not work!

The general formula for possible passwords is [possible characters]^[length] (where ^ means to the power of).

So it is easy to see that just adding another random character is way better for the strength than using one obscure possible character more. While it might protect you from some naive cracking approaches using limited char sets, it also is a great inconvenience.

Assume you have to enter your password on OS X, Linux, Windows and Android. If you have some obscure things in your password, you just can't.

Josef
  • 5,933
  • 26
  • 34