5

If a password is 30+ characters long but contains words from the dictionary, is it less secure than a 10-character password that is `!@#$#%$^%$`, for example?

schroeder
Sup Go
    Does this answer your question? [Which is faster - brute-forcing, or using a dictionary attack that contains all possible permutations?](https://security.stackexchange.com/questions/152986/which-is-faster-brute-forcing-or-using-a-dictionary-attack-that-contains-all) –  Aug 21 '20 at 08:31
  • What do you mean by “contains words from the dictionary”?  “to-be-or-not-to-be,that-is-the-question”?  “righteous-equine-generator-paper-clip”?  “dad!&halt@^squander)$bridged%#situated”? “dAd!&haLt@^sQuaNder)$bRidGed%#siTuaTed”? – Scott - Слава Україні Aug 22 '20 at 19:46
  • @Sup Go: Please tell us more details about what exactly you meant by a password that "contains words from the dictionary" and what exactly you meant by "10-character password". Did you mean *any* characters? Did you mean that the 10-character password consists of 5 different characters only? – mentallurg Aug 23 '20 at 20:12

2 Answers

20

Length is certainly a factor, but you've hit on an underlying fact that most people miss: even a 30 char password is weak if it is guessable.

The concept that is important is "entropy". It's not just length or even the types of characters used, but how the password is chosen. The randomness, the character types used, and the length all contribute to password strength.

But if everyone uses the password `Look at me!! I'm a really long password!!` (that's 41 characters), then it's not really strong, is it?

You've asked about brute-forcing, and there are different types. Trying every password length, character by character starting from abcd... is a sure way to eventually get the password, but it might take billions of years. But that's not the only type.

Dictionaries are used, common patterns are tried, known passwords are checked.

So, yes, if a 30-char password with dictionary words is used, and those words are randomly chosen, then that's a strong password.

`!@#$#%$^%$` will be guessed relatively quickly because that's a common keyboard pattern.

schroeder
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/112202/discussion-on-answer-by-schroeder-does-brute-force-time-depend-on-the-length-of). – Rory Alsop Aug 24 '20 at 12:49
-3

It depends.

Suppose a 10-character password uses 64 different characters. How many combinations are needed for brute-forcing? 64^10 = 2^60 ~= 10^18.

How many words are in the dictionary that you are going to use? Normally a dictionary for such cases does not contain every possible word in a language, but only some words that are easier to remember and easier to spell correctly. Suppose such a dictionary contains 2000 words. Suppose each password consists of 5 dictionary words.

How many combinations are needed for brute-forcing? 2000^5 ~= 3x10^16. That means such a 30-character password will require ~30 times less time to brute-force compared to the 10-character password.

If you take another dictionary, let's say one containing 8000 words, the number of passwords to test for brute-forcing will be 8000^5 ~= 3x10^19. Now it is vice versa: the 30-character password will require ~30 times more time to brute-force compared to the 10-character password.

As you see, it depends. A 30-character password can be easier to brute-force as well as harder to brute-force compared to a 10-character password.

mentallurg
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/112162/discussion-between-mentallurg-and-tim). – mentallurg Aug 23 '20 at 20:13
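The key-space comparison from the answer above, and the entropy notion from the first answer, carried through as an added example (not code from either answerer). It assumes the attacker knows the scheme (charset or word list) and that every character or word is chosen uniformly at random; the guess rate of 10^10 per second is an assumed figure for illustration only.

```python
import math

# Added example, not from the original answers: compare the key space of a
# random character password against a random dictionary passphrase, in bits.
# Assumption: the attacker knows the scheme and only has to guess the random
# choices. A keyboard pattern or a single common word chosen by a human is
# not uniform and gets far fewer bits than these formulas report.

def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for `length` characters drawn uniformly from a charset."""
    if charset_size < 2 or length < 1:
        raise ValueError("need a charset of at least 2 symbols and length >= 1")
    return length * math.log2(charset_size)


def passphrase_entropy_bits(dictionary_size: int, words: int) -> float:
    """Bits of entropy for `words` words drawn uniformly from a word list."""
    if dictionary_size < 2 or words < 1:
        raise ValueError("need a word list of at least 2 words and words >= 1")
    return words * math.log2(dictionary_size)


def keyspace_ratio(bits_a: float, bits_b: float) -> float:
    """How many times larger key space A is than key space B."""
    return 2.0 ** (bits_a - bits_b)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the key space."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(charset_size, length, dictionary_size, words, guesses_per_second=1e10):
    """Side-by-side summary of both schemes; the guess rate is an assumption."""
    c_bits = charset_entropy_bits(charset_size, length)
    p_bits = passphrase_entropy_bits(dictionary_size, words)
    seconds_per_year = 31_557_600
    return {
        "charset_bits": c_bits,
        "passphrase_bits": p_bits,
        "charset_is_stronger_by": keyspace_ratio(c_bits, p_bits),
        "charset_years": expected_crack_seconds(c_bits, guesses_per_second) / seconds_per_year,
        "passphrase_years": expected_crack_seconds(p_bits, guesses_per_second) / seconds_per_year,
    }


if __name__ == "__main__":
    # The two word lists from the answer (2000 and 8000 words, five words each)
    # against 10 characters drawn from a 64-symbol charset.
    for dict_size in (2000, 8000):
        r = compare(64, 10, dict_size, 5)
        print(f"{dict_size}-word list: {r['passphrase_bits']:.1f} bits vs "
              f"{r['charset_bits']:.1f} bits; charset key space is "
              f"{r['charset_is_stronger_by']:.2f}x the passphrase key space")
```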