7

Many people will often brag about the length of their password, like "yeah nobody is ever going to crack my password 'cause it's 22 characters long." I was thinking, if you knew the exact length of their password, you could essentially lower the space and calculations necessary to brute force their password. My question is, does anyone know how much it reduces them by?

If I KNOW that a password is 22 characters in length, obviously you are not going to try any potential password that is not 22 characters in length.

tl;dr How much faster is it to crack a password if you know the exact char length?

user488244

3 Answers

11

If we assume that there are 128 possible characters in a password (2^7), then there are 2^154 possible 22 character passwords.

There are 2^147 + 2^140 + ... shorter passwords, which is pretty much the same as 2^147. So you have to do 1/128th less work if you know it's 22 characters and so don't have to try all the 1-21 character passwords first -- less than 1% less work, and not really significant.

Mike Scott
  • Your answer is generally correct. (cracking slightly shorter passwords truly takes less time than cracking the full length) However, most people do not use 128 possible characters in their password. Primarily this is because the standard US keyboard supports only 95 characters. (62 letters/numbers, 33 other characters) – 700 Software Jul 19 '16 at 12:12
2

See ophcrack rainbow tables. This will give you a good idea of how safe passwords are for a particular length and how the set of characters used makes them more secure.

You can think of it this way: the bigger the rainbow table must be to crack the passwords, the safer the password is.

Note that making a password even one character longer makes it take much longer to crack, so checking only n-long passwords compared to checking 1-long, 2-long, ... n-1-long, n-long does not really make much difference.

See Password_strength article.

So, to summarize - no, knowing the password length will not really help you crack the password.

Michał Šrajer
0

The only time it could be relevant is for cracking a password that is very secure. Mike Scott's math is accurate, so let's presume that a 22 character password is going to take 100 years to crack. If we don't know its length then we'll waste 9 months attempting passwords that are too short. Then at a random point in the remaining 92 years the password will be cracked.

There is a small chance that we try the correct password very early in that period of time so there is a chance that if we'd known the length we would have guessed the right password in the first year, or the first week, etc.

Knowing the length of the password doesn't affect the average time to crack the password much, but it has a small chance of affecting the time a large amount. That should be weighted against the knowledge that some users will not bother to attempt to crack it if they know it is too hard to crack.

LovesTha
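An added example, not part of any answer in this thread: it works out the keyspace arithmetic discussed above for any alphabet size and length, separating the worst-case saving from the average-case saving, and checks the closed form against a real enumeration of a tiny keyspace. The function names, the uniformly random password and the shortest-first guessing order are assumptions of this sketch.

```python
from fractions import Fraction
from itertools import product

def shorter_total(alphabet_size, length):
    """Number of candidates strictly shorter than `length` (lengths 1..length-1)."""
    return sum(alphabet_size ** k for k in range(1, length))

def expected_guesses(alphabet_size, length, length_known):
    """Average guesses for a uniformly random password of `length`,
    assuming shortest-first enumeration when the length is not known."""
    wasted = 0 if length_known else shorter_total(alphabet_size, length)
    return wasted + Fraction(alphabet_size ** length + 1, 2)

def worst_case_saving(alphabet_size, length):
    """Share of the full search (all lengths up to `length`) that is skipped."""
    s = shorter_total(alphabet_size, length)
    return Fraction(s, s + alphabet_size ** length)

def average_case_saving(alphabet_size, length):
    """Share of the expected number of guesses that is skipped."""
    unknown = expected_guesses(alphabet_size, length, False)
    known = expected_guesses(alphabet_size, length, True)
    return 1 - known / unknown

def simulated_average(alphabet, length, length_known):
    """Enumerate a small keyspace and average the position of every target."""
    start = length if length_known else 1
    candidates = ["".join(p) for k in range(start, length + 1)
                  for p in product(alphabet, repeat=k)]
    position = {c: i + 1 for i, c in enumerate(candidates)}
    targets = [c for c in candidates if len(c) == length]
    return Fraction(sum(position[t] for t in targets), len(targets))

if __name__ == "__main__":
    # 128 symbols as in the first answer, 95 as in the comment on it
    for size in (128, 95):
        print(f"alphabet={size} length=22 "
              f"worst-case saving={float(worst_case_saving(size, 22)):.4%} "
              f"average-case saving={float(average_case_saving(size, 22)):.4%}")
    # Constructed toy keyspace: 3 symbols, length 3
    print(simulated_average("abc", 3, False), simulated_average("abc", 3, True))
```

Under these assumptions the saving measured against the average number of guesses is roughly twice the worst-case share, because the wasted short guesses are fixed while only half of the full-length keyspace is searched on average; both stay within a few percent.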