Can I safely generate the longest password possible?

Asked by Amitraj in Cyber Security, asked on Mar 25, 2022

Is choosing the maximum-authorised password length a safe strategy? My reasoning is that — assuming the maximum-authorised password length is long enough (say ≥24 characters), so that high-entropy passwords can still be generated if their length is smaller than the max — choosing a password of length m is much more limiting than choosing a password among those of length m, or m-1, or …, or 25, or 24.

Answered by Amit Sinha

Besides dictionary attacks or other possible techniques (like timing attacks, etc.), an attacker might try brute forcing all the combinations (if possible), or just try some combinations at random to guess your longest password (until they give up because it's not worth continuing). Suppose you have a 24-char alphanumeric password (allowed characters: a-zA-Z0-9), for example 4LZB7NFjpFW6sjtuIaBel9hZ.

If the attacker knows the length of your password, the possible combinations to try will be 62^24 = 1.04 * 10^43, which is about 143 bits of entropy.
If the attacker does not know the length of your password, the possible combinations will be 62 + 62^2 + ... + 62^23 + 62^24, which is a geometric progression and the result should be ((62^25 - 1) / (62 - 1)) - 1 = 1.06 * 10^43, still about 143 bits of entropy.
If you make the password 1 character shorter and the attacker knows this length, the possible combinations to try will be 62^23 = 1.7 * 10^41, which is about 137 bits of entropy.

As you can see, even if the attacker knows the exact length of your password, the advantage they might get is negligible. Also, if your password is already very strong, adding or removing one character won't have a significant impact on your security either (anything above 128 bits of entropy is still considered to be uncrackable, even with an enormous amount of computation power).
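The arithmetic in the answer above, generalised to any length range, as an added example that is not part of the original answer. The site maximum of 32 and floor of 24 in the second case are assumed values chosen to match the question's scenario, and the function names are illustrative.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # a-zA-Z0-9: the 62 symbols used in the answer


def space_exact(length, k=len(ALPHABET)):
    """Candidates an attacker must cover when the exact length is known."""
    return k ** length


def space_range(min_len, max_len, k=len(ALPHABET)):
    """Candidates when only the length range is known (exact integer sum)."""
    return sum(k ** n for n in range(min_len, max_len + 1))


def bits(count):
    """Entropy in bits of a uniform pick among `count` candidates."""
    return math.log2(count)


def compare(min_len, max_len):
    """Known-length vs. unknown-length search space for a max-length password."""
    known, unknown = space_exact(max_len), space_range(min_len, max_len)
    return {
        "bits_known": bits(known),
        "bits_unknown": bits(unknown),
        "bits_hidden_by_length": bits(unknown) - bits(known),
        # Fraction of all allowed passwords that already have the maximum length.
        "share_at_max_len": known / unknown,
    }


def generate(length, alphabet=ALPHABET):
    """Uniformly random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The answer's case (lengths 1..24), then the question's case with an
    # assumed site maximum of 32 and a floor of 24 (both values are assumptions).
    for lo, hi in ((1, 24), (24, 32)):
        print(lo, hi, {k: round(v, 4) for k, v in compare(lo, hi).items()})
    print(generate(32))
```

In both cases roughly 61 out of every 62 allowed passwords already have the maximum length, so keeping the length secret adds only about 0.02 bits.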


