How Are Password Strengths Calculated?
We've all had this experience. You put in a password and suddenly, the site says, "Password must contain capital letters", or my personal favorite, "Your password is too short." It's a nuisance we must deal with more frequently than we'd like. But what if I told you you should be grateful for those annoying little reminders? Let's dive deeper and understand the key factors in determining password strength.
Key Factors That Determine Password Strength
Length
The longer the password, the harder it is to crack. Each additional character increases the possible combinations, making it exponentially more difficult for hackers to guess. For those who prefer a numerical demonstration over mathematical terms, this is what it means: doubling the password from accepting 3 numbers to 6 numbers won't make it twice as strong but 8 times stronger, so 2^3.
Character Variety
Strong passwords include a mix of:
- Uppercase and lowercase letters
- Numbers
- Special characters (e.g., @, #, $)
A variety of characters creates a much larger "character set," which increases the number of possible combinations.
Predictability
Avoid using common words, dates, or sequences like "123456" or "password". Random, unpredictable combinations are far stronger.
How Password Strength is Calculated
Password strength can be estimated using brute force calculations. A brute force attack tries every possible combination until the correct one is found. The number of guesses required is determined by the password’s length and character variety.
For example:
- A 4-digit numeric password has 10,000 possible combinations (0000 to 9999).
- A 15-character password using uppercase letters, numbers, and special characters has 94^15 possible combinations, which is approximately 2.5 x 10^29 combinations.
Time to Crack Passwords
- 4-Digit Numeric Password
- If an attacker uses a computer that can make 1 million guesses per second, it would take:
- 10,000 combinations / 1 million guesses per second = 0.01 seconds to crack.
- 15-Character Complex Password
- For a password that includes uppercase letters, numbers, and special characters (94 characters), and assuming the same 1 million guesses per second, it would take:
- 94^15 combinations ≈ 2.5 x 10^29
- At 1 million guesses per second, it would take 7,922,191,160,000,000,000,000 years to crack.
- Assuming it's a supercomputer calculating it at 1 billion tries per second, it will still take 7,922,191,160,000 years. That's still a lot of numbers.
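The calculation described above, as an added example (not code from the original article): it derives the character set from the classes a password actually uses, raises it to the password length, and divides by the guess rate, with a small predictability check in front. The function names and the `COMMON` list are constructed for illustration; 94 is the count of printable ASCII letters in both cases, digits and punctuation.

```python
import string

# Character classes from the article: 26 + 26 + 10 + 32 = 94 printable ASCII symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed sample of predictable passwords (stand-in for a real wordlist).
COMMON = {"123456", "password", "qwerty", "111111", "letmein"}


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover for this password."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Assumption: each distinct symbol outside printable ASCII adds one (a lower bound).
    extra = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(extra)


def keyspace(password: str) -> int:
    """Worst-case number of guesses: charset_size ** length, as an exact integer."""
    return charset_size(password) ** len(password)


def is_predictable(password: str) -> bool:
    """True for listed common passwords, one repeated character, or +1/-1 sequences."""
    p = password.lower()
    if p in COMMON or len(set(p)) <= 1:
        return True
    # "abcdef" and "654321" have a constant step of +1 or -1 between characters.
    steps = {ord(b) - ord(a) for a, b in zip(p, p[1:])}
    return steps in ({1}, {-1})


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds to try every combination; 0.0 if a wordlist finds it first."""
    if is_predictable(password):
        return 0.0
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("4821", "password", "abcdef", "Tr7#kQ9!mZ2@vL5"):
        print(pw, charset_size(pw), keyspace(pw), seconds_to_exhaust(pw, 1e6))
```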
Conclusion
The strength of a password is crucial for securing your accounts. A simple 4-digit PIN is vulnerable to brute force in a fraction of a second, while a complex 15-character password is nearly impossible to crack in any reasonable time frame. To keep your accounts safe, always use long, complex, and unique passwords, and enable multi-factor authentication wherever possible.
Comments
Nice summary