So all my life I've been listening to people tell me to make my password complex: upper case / lower case / numeric / symbols. Recently though I've been reading / seeing that length above all seems to make for more secure passwords. Now I understand that some password strength checkers can be bogus or not very accurate so I'm hoping someone can shed some light on whether or not length is more secure than complexity and why. Here's the password I'm testing:

this password is supposed to be weak and easy to crack but its strong

  • All Lower Case
  • Dictionary Words
  • 69 Characters Long

I've run this 'password' through 3 password strength checkers:

Each of these websites says that my password is very strong. I realize this makes a password hard to brute force but what I don't understand is how this makes it secure from things like dictionary attacks since it's all lower case and all dictionary words. Is it accounting for the human factor?

Obligatory XKCD Comic

Anders
Howdy_McGee

1 Answer

Simply because exponential growth is much faster than polynomial growth.

A password with a fixed length n, where the number of characters in your character set (x) is variable, will give you a complexity of x^n.

This is a polynomial function, and grows accordingly as x is increased.

On the other hand, fixing the character set to n and keeping the number of characters x variable gives you exponential growth n^x. This increases much faster as x increases. (Compare the derivatives for reasonable values of x and n if you wish)

Basically, for reasonable values of x and n, increasing x is much more effective in increasing complexity in the second case.

This is why the strength checkers say that it is secure.


However, using dictionary words does open it wide for dictionary attacks, which can be less secure. Try to use a few random strings in there as well.

Manishearth
  • @Howdy_McGee: Well, yeah. 2^x represents exponential growth (which is generalized to n^x) – Manishearth Apr 28 '13 at 21:31
  • If the attacker knows that a password is composed only of correctly spelled lower case English words, then you don't have to attack character by character. You attack word by word. – Zoredache Apr 29 '13 at 04:00
  • @Zoredache: I know, that's why the last line is there. – Manishearth Apr 29 '13 at 04:16
  • @Zoredache In such a case, you can think of the dictionary of possible words as the "character set" and the number of words as the "number of characters". Provided you use enough words (something like 4-8 words depending on your threat model) that can still be a really good approach. (Yes, I know your comment is _really_ old, just adding some additional info). – Ajedi32 Mar 07 '19 at 17:20
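The following is an added worked example, not code from the question, the answer or any of the commenters. It puts numbers on the x^n versus n^x argument in the answer and on the word-by-word attack raised in the comments: it measures a brute-force search space in bits (log2 of the number of candidates), first treating the question's 69-character passphrase as a string over a character set, then treating it as 14 words drawn from a dictionary, and finally comparing what widening the alphabet buys against what doubling the length buys. The passphrase is the one from the question; the dictionary sizes (2,000, 20,000, 200,000 words) and the 95-symbol printable-ASCII breakdown are assumptions made for the example.

```python
import math

# Constructed sample: the 69-character, 14-word passphrase from the question.
PASSWORD = "this password is supposed to be weak and easy to crack but its strong"


def search_space_bits(alphabet_size, length):
    """log2(alphabet_size ** length): the size of the brute-force space in bits."""
    return length * math.log2(alphabet_size)


def inferred_alphabet_size(password):
    """Character set a naive strength checker would assume from the classes present.

    Assumes printable ASCII: 26 lower, 26 upper, 10 digits, 1 space, 32 punctuation (95 total).
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if " " in password:
        size += 1
    if any(not c.isalnum() and c != " " for c in password):
        size += 32
    return size


def char_level_bits(password):
    """Work for an attacker who tries every string over the inferred alphabet (the x^n view)."""
    return search_space_bits(inferred_alphabet_size(password), len(password))


def word_level_bits(password, dictionary_size):
    """Work for an attacker who knows the password is dictionary words joined by spaces.

    The dictionary becomes the 'alphabet' and the word count becomes the 'length',
    which is exactly the substitution Ajedi32's comment describes.
    """
    words = password.split()
    return search_space_bits(dictionary_size, len(words))


def compare_growth(alphabet=26, length=8):
    """Widening the alphabet (polynomial in x) versus doubling the length (exponential in x)."""
    return {
        "baseline": search_space_bits(alphabet, length),        # 26^8
        "wider_alphabet": search_space_bits(95, length),        # 95^8
        "double_length": search_space_bits(alphabet, 2 * length),  # 26^16
    }


if __name__ == "__main__":
    print(f"char-level brute force: {char_level_bits(PASSWORD):.1f} bits")
    for dict_size in (2000, 20000, 200000):  # assumed dictionary sizes
        bits = word_level_bits(PASSWORD, dict_size)
        print(f"word-level attack, {dict_size}-word dictionary: {bits:.1f} bits")
    for name, bits in compare_growth().items():
        print(f"{name}: {bits:.1f} bits")
```

Two things to read off the output. First, doubling an 8-character lowercase password to 16 characters adds about 38 bits, while widening its alphabet from 26 to 95 symbols adds only about 15 bits, which is the answer's exponential-versus-polynomial point in concrete terms. Second, the same passphrase drops from roughly 328 bits of character-level search space to roughly 150 to 250 bits once the attacker searches word by word, and both figures still assume every word was chosen uniformly at random from the dictionary; a phrase a human composed sits much earlier in a real attacker's candidate ordering, which is why the answer's last line and the comments treat dictionary words as a weakness that word count only partly offsets.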