The Linux Page

Password Security

I suppose we could talk about security all day and barely touch the tip of the iceberg, if even more than a speck of it.

Yet I wanted to mention that in many instances the provider limits the characters you can use in a password so much that it prevents you from creating a strong password in the first place!

So... what is it I'm talking about?

I have one company I work with that does not support anything more than letters and digits. Not only that, they limit your password to between 6 and 10 characters. Everyone knows that 6 characters is cracked very very quickly and 10 is really not that many when only letters and digits can be used.

A little math for the savvy:

26 letters x 2 (lower and upper case) + 10 digits is 62 possibilities per character.

At the maximum of 10 characters, that's 62 to the power of 10 (62^10)

That's 839,299,365,868,340,224(a) possibilities (nearly 840 exa-possibilities)

Now, if you allow all the characters you can type on a keyboard, that makes it more like 223 characters (in Latin 1 and most other languages). Let's say just 200 characters (note that in Japanese & Chinese you have more like 2,000+, but you need to enter a complete sentence to be safe.)

Now, we do the same math and we have:

200 characters (including lower & upper case and digits)

With no limit on the number of characters, a short sentence of, let's say, about 50 characters gives 200 to the power of 50 (200^50)

That's 1.12x10^115(a), or 6.7 times more digits, and that's by limiting the sentence length...

I bumped today into another example where these characters are not accepted: ? -'":\$&><~;`’

It is better, but unfortunately, once you remove the easy-to-use characters, it's harder to come up with a good sentence. Oh! Sorry... the limit in length is 14 characters anyway...
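The comparison above, as an added example that is not part of the original post: it counts the passwords each policy allows and converts each count to bits. It goes slightly beyond the text by also summing every length from 6 to 10, and it assumes the second site starts from the 95 printable ASCII characters and that the backslash in the forbidden list is itself a forbidden character.

```python
import math
import string


def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct passwords with min_len..max_len characters."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def bits(count):
    """Equivalent key length in bits if the password is chosen uniformly at random."""
    return math.log2(count)


def allowed_alphabet(forbidden):
    """Printable ASCII (95 characters, space included) minus a site's forbidden set.

    Assumption: the site accepts every other printable ASCII character.
    """
    base = string.ascii_letters + string.digits + string.punctuation + " "
    return sorted(set(base) - set(forbidden))


# Forbidden list copied from the post. The typographic quote (U+2019) is not
# ASCII, so it removes nothing from the ASCII base set used here.
FORBIDDEN = "? -'\":\\$&><~;`\u2019"


def compare_policies():
    """Return {policy name: (keyspace, bits)} for the policies discussed in the post."""
    restricted = len(allowed_alphabet(FORBIDDEN))
    policies = {
        "letters+digits, exactly 10": keyspace(62, 10, 10),
        "letters+digits, 6 to 10": keyspace(62, 6, 10),
        "ASCII minus forbidden, exactly 14": keyspace(restricted, 14, 14),
        "200 symbols, exactly 50": keyspace(200, 50, 50),
    }
    return {name: (n, bits(n)) for name, n in policies.items()}


if __name__ == "__main__":
    for name, (n, b) in compare_policies().items():
        print(f"{name:36s} {n:.3e} passwords  ~{b:.1f} bits")
```

Allowing the shorter lengths (6 to 9) adds under 2% to the 10-character count, which is why the post can ignore them.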

A passphrase is what everyone should be using everywhere. Much safer and much less likely to be hacked!


(a) It is important to note that this includes all the forbidden passwords such as "aaaaaaaaaa" (which are probably not even being tested by hackers!)