Tuesday, November 3, 2009

Size Does Matter

There was an interesting article today in The Register about brute force password cracking using Amazon's EC2 cloud architecture. The main focus was on how much it would cost to crack passwords of different lengths and complexity. One of the conclusions, which is almost counter-intuitive, is that a long lower-case-only password is much harder to crack than a shorter complex one consisting of lower and upper case characters as well as numbers. I did my own calculations to verify the findings and came up with the same results.

Take for example an 8 character complex password containing upper case and lower case characters, numbers and also a choice of 20 non-standard characters such as %. When considering brute force cracking, the 8 character complex password is easier to break than a 9 character one containing only upper and lower case characters, and also easier than an 11 character password containing only lower case characters.

Hence, next time that nasty Systems Administrator tells you that your password should resemble something like x%fF*Z3$ you can tell them that this is less secure than a password like HelloFred or even mycarisblue. Note that at various times in my working career I have been one of those administrators, so I know where they are coming from.

No doubt the Systems Admin would respond that in reality a brute force attack would not be random in the words and phrases it attempts, and consequently would crack a long non-complex password quicker than a short complex one. This is probably true when length differences are small, but it is difficult to quantify accurately. Coming back to the real world, nearly nobody can remember a password such as x%fF*Z3$, but it's not so hard to recall a semi-abstract phrase such as MyDogisfrenchThanksforthefish. This non-complex password is approximately 2.8 × 10^34 times more difficult to crack than the complex one when considering only a brute force approach. Even when factoring in dictionary approaches it's probably still a lot safer, as well as being easier to recall. Hence when next choosing a password, remember, size really does matter.
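The arithmetic behind the comparisons above (the 8, 9 and 11 character examples and the 2.8 × 10^34 figure) is just alphabet size raised to the power of length. The following script is an added example written for this post; it is not the author's own calculation or anything from The Register article. It uses the post's figure of 20 non-standard characters, infers which character classes a password uses, and compares the resulting brute-force keyspaces. The guess rate passed to `expected_crack_seconds` is an assumed value for illustration, not a figure from the post.

```python
import math

# Character-class sizes. The 20 non-standard characters are the post's
# assumption; the rest are ordinary ASCII letter and digit counts.
LOWER = 26
UPPER = 26
DIGITS = 10
SYMBOLS = 20  # assumed: the post's "choice of 20 non standard characters"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive brute-force search must cover."""
    return alphabet_size ** length


def alphabet_size_of(password: str, symbol_count: int = SYMBOLS) -> int:
    """Size of the smallest character-class alphabet that contains every
    character of `password`. Any non-alphanumeric character is assumed to
    come from the post's 20-symbol set."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += symbol_count
    return size


def password_keyspace(password: str) -> int:
    """Brute-force keyspace for a password whose character classes are known."""
    return keyspace(alphabet_size_of(password), len(password))


def strength_ratio(a: str, b: str) -> float:
    """How many times larger the keyspace of `a` is than that of `b`."""
    return password_keyspace(a) / password_keyspace(b)


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected brute-force time, assuming on average half the keyspace is
    searched before the password is found. The guess rate is an assumption
    supplied by the caller, not a figure from the post."""
    return password_keyspace(password) / 2 / guesses_per_second


def bits_of_strength(password: str) -> float:
    """log2 of the keyspace: the usual way to state brute-force resistance."""
    return math.log2(password_keyspace(password))


# The post's own examples, in the order the post ranks them.
EXAMPLES = ["x%fF*Z3$", "HelloFred", "mycarisblue", "MyDogisfrenchThanksforthefish"]


def ranking(passwords=EXAMPLES):
    """Passwords sorted from smallest to largest brute-force keyspace."""
    return sorted(passwords, key=password_keyspace)


if __name__ == "__main__":
    assumed_rate = 1e9  # assumed: one billion guesses per second
    print(f"{'password':32} {'alphabet':>8} {'length':>6} {'bits':>7} {'years @1e9/s':>14}")
    for pw in ranking():
        years = expected_crack_seconds(pw, assumed_rate) / (365.25 * 24 * 3600)
        print(f"{pw:32} {alphabet_size_of(pw):>8} {len(pw):>6} "
              f"{bits_of_strength(pw):>7.1f} {years:>14.3g}")
    print("phrase vs complex ratio:",
          f"{strength_ratio('MyDogisfrenchThanksforthefish', 'x%fF*Z3$'):.2e}")
```

The ranking this produces matches the post: the 8 character complex password (82^8) has a smaller keyspace than the 9 character mixed-case one (52^9), which in turn is smaller than the 11 character lower-case one (26^11), and the 29 character phrase comes out about 2.8 × 10^34 times larger than the complex one. As the post itself notes, this is the pure brute-force figure; it assumes the attacker already knows which character classes were used, and a dictionary or pattern-based attack against a phrase built from ordinary words will need far fewer guesses than the keyspace suggests.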
