Why are alphabetic passwords weaker?

I’m not a total idiot about passwords. I never use the same password for more than one use. And I avoid the obvious stuff like password, qwerty, 123456, or my dog’s name.

But I was just creating a password for a site and it insisted that a password with all letters was “weaker” than a password with a combination of letters and numbers. And it wasn’t an issue of length - an eight-letter password got “stronger” if you substituted a number for one of the letters.

Why is this so? If you’re going to have a string of eight characters, aren’t twenty-six letters a more difficult thing to crack than ten digits? It would seem like letters should be more secure than numbers.

And it’s not just a case of the pool of letters and numbers being bigger than the pool of just letters. This site required you to include a number in your password so we’re back to the pool of just ten possibilities. Rather than making your password stronger, it seems like it’s requiring your password to have a weak spot.

The person trying to guess your password doesn’t know which character(s) are digits and which are letters. If they know the site’s policy requires at least one number, then they have to guess a-z and 0-9 at each and every position in your password. So, 36^n possibilities with letters and numbers, compared with 26^n for letters only, where n is your password length. More still if it’s case sensitive and includes other characters.

Also, it means they can’t use a simple dictionary.

There are long and interesting discussions about the value of password rules. Not all of them make sense, and many are obsolete. As tellyworth notes, the inclusion of a number prevents a simple dictionary attack from cracking passwords that are dictionary words. The problem is that password cracking with a dictionary is more sophisticated than that now, and simple things like appending a couple of digits gets added to the attack attempts. They will also add various capitalisation variations, reversal of letters, and the usual 1337 speak substitutions. Thus the obsolescence of the rule. Indeed it is suggested that essentially any string that has ever appeared on the Internet can be harvested to be used in a dictionary attack, plus the usual variations.

But all this is true if they know that the site merely permits both letters and numbers. It doesn’t become more true if the site positively requires them.

This is true if the attacker is trying to guess your password, but the way most passwords are cracked is that an attacker will steal a password file with thousands of passwords and crack the easiest ones, without really caring who they belong to. The point of forcing a user to include numbers or special characters is that it elevates the difficulty of those “easiest ones.” The guy who uses “butterfly” as a password might be forced to use the slightly less awful “butterfly69,” which will necessitate a dictionary a few orders of magnitude larger than if the attacker were just trying to find the few "butterfly"s in a file of 10,000 passwords.

Too much emphasis is put on numbers and special characters versus length, though. Enforcing 24+ character passwords without any of the l33t speak bullshit would be much more secure, and people could have passwords they might actually remember, like “thisisreallyquitealongpassword.”

If you assume they’re attacking one specific user’s account, correct. For the site as a whole though, overall security is improved by requiring non-alpha characters. Otherwise you’ll have, say, 80% of accounts crackable within the smaller alpha-only password space.

The site administrators want to mitigate an offline attack where the bad guys are able to guess a large number of possible passwords against every account on the site. They’ll typically use a dictionary of common passwords for that. Any policy that increases the average complexity of users’ passwords will make that attack slower and less successful.
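As an added illustration, not from any poster in this thread: a Python script that does the counting the posts above argue about. It sizes the search space for letters only, for letters and digits under a policy that requires at least one digit (by inclusion-exclusion over the required classes, so it generalises to any set of required classes), and shows how far appended digits enlarge a word list. The class sizes and the 100,000-word list are assumptions for the example.

```python
from itertools import combinations
from math import log2

# Character-class sizes used in the thread's arithmetic (assumed here).
CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def keyspace(length, classes, required=()):
    """Count strings of `length` characters drawn from the union of `classes`
    (name -> alphabet size) that contain at least one character from every
    class in `required`.  Inclusion-exclusion: subtract strings missing one
    required class, add back those missing two, and so on."""
    total = sum(classes.values())
    required = list(required)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = total - sum(classes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def bits(count):
    """Search-space size expressed as bits of entropy (log2 of the count)."""
    return log2(count)


def mangled_dictionary_size(words, max_suffix_digits):
    """Candidates an attacker must try when every word in a list of `words`
    is also tried with 0..max_suffix_digits decimal digits appended
    (butterfly -> butterfly69)."""
    return words * sum(10 ** k for k in range(max_suffix_digits + 1))


if __name__ == "__main__":
    letters = {"lower": 26}
    mixed = {"lower": 26, "digit": 10}
    print(f"8 lower-case letters:            {keyspace(8, letters):>20,}")
    print(f"8 letters/digits, >=1 digit:     {keyspace(8, mixed, ['digit']):>20,}")
    print(f"8 of lower/upper/digit, no rule: {keyspace(8, CLASSES):>20,}")
    print(f"8 chars, >=1 of each class:      {keyspace(8, CLASSES, list(CLASSES)):>20,}")
    print(f"100,000 words + 0-2 digits:      {mangled_dictionary_size(100_000, 2):>20,}")
    print(f"bits, 8 letters vs >=1 digit:    "
          f"{bits(keyspace(8, letters)):.1f} vs {bits(keyspace(8, mixed, ['digit'])):.1f}")
```

The required-digit count is 36^8 minus the 26^8 all-letter strings, which is still more than twelve times the letters-only space, so the "weak spot" worry in the opening post does not hold up.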

I am surprised that many sites do not allow characters other than alphanumerics in a password. Stick the odd asterisk or curly bracket in and you add several more layers of complexity for the crackers.

I for one am happy that so many people use ‘easy’ passwords. By the time the crooks get round to the harder ones like mine, I hope that the owners of the site will have found out what’s going on and secured it.

I note that pundits in the press have stopped telling us not to write them down. Better to write them somewhere and use hard ones, than to use easy-to-remember ones.

My other pet peeve is that websites don’t let us see what we are typing when we enter a password. That should be the default certainly, but those of us who are generally alone at our computers should be able to switch it off.

I get frustrated at work when you have to change your password every 6 months and it gets hard to keep track of the change.

The site would also have complained if your password contained only digits!

There are 100 million 8-sequences of digits, 208 billion sequences of lower-case letters, but 218 trillion sequences composed of digits, lower-case and upper-case letters.

Even that’s not enough for one message board. While trying to register at one message-board where I didn’t even care if I got hacked, the registration software gradually informed me: You need one or more special characters … You need one or more digits … you need one or more upper-case letters. Why in Og’s name couldn’t it tell me the requirements in advance, rather than dribbling them out one-by-one as one’s attempted passwords were rejected? :smack:

Yahoo now has such a “Show” option. Another way I used to use is to type the password in, say, Notepad; then copy-and-paste it to the password box.

Finally, in Chrome (don’t know about other browsers) there is a simple hack to show the password. As you’re about to type the password:

(1) right-click on the password box and select Inspect Element.
(2) Find the “type=password” and double-click it.
(3) type “text”, changing the password box text-type from password to text.
(4) Press enter after “text”, click the upper-right box in the developer’s window to delete it.
(5) Enter your password normally; it now displays!

And “thisisreallyquitealongpassword” will still get cracked just as easily. Passwords like “correcthorsebatterystaple” (ones like that, not that one in particular) work because they contain a lot of randomness. There’s no particular relationship between “correct” and “horse”, nor between “horse” and “battery”, and so on. Even if you guess one word, that’ll provide you no insight for guessing the next one, which could be absolutely anything. In an English sentence, though, there are relationships between the words. Just for starters, if you just have “thisisreallyquitealong…”, it’s easy to guess that the last word is going to be “password”, so your password is no more secure than the shorter “thisisreallyquitealong”. Now consider that “is” is a very likely word to follow “this”, and that “really” and “quite” are very often used together, and so on.

Is that how password crackers work? I mean, a random 22 character string of words that the computer will then go, “oh, since we’re testing this combination of random characters of a random length, and it just so happens to be six words of an uncompleted sentence, let’s try to fill in the missing word”?

Not that I doubt the sophistication and tenacity of computers, but as a layperson I find that level of, er, algorithmic smarts to be highly unlikely.

The page that demands to be linked in all such discussions.

I have a question. If a password accepts symbols (like * or #) and you used an alternate keyboard to generate symbols, you can use letters from the Greek alphabet. A dozen letters in the Greek alphabet look like Roman standard letters, like A, E, H, M, N, P, T, X. So if I used AEHMNPTX as my password, but pasted it out of a Greek keyboard rendition, nobody would be able to enter my password, even if they saw it and knew it – right? So the question is, does the English letter A and the Greek letter Alpha constitute an identical pair of interchangeable keystrokes, or does a computer distinguish them as being different keystrokes, even though they look the same in most fonts?

That kind of algorithmic smarts (i.e. I am typing a sentence, guess the word I am about to type, up to a few options) is actually pretty common. Of course, outside of movies, a password cracker gets no feedback about whether their partial guess is correct, but even on a pure search, the search space of “random six words” is lot bigger than the search space of “random six words that form a sensible English sentence”, to the extent that searching the former is impractical while searching the latter is quite reasonable.

jtur88, back in the day when Extended ASCII was the pinnacle of character representation, letters in other languages that looked the same were represented by the same character. Nowadays, that has gone the way of the dodo and of mechanical typewriters that used a lower-case l in place of the digit 1. In Unicode, every letter in every alphabet is a different character, represented by a different code in the computer, no matter what they look like.

This caused a completely different security problem a few years ago. Computer-savvy people have been warning users for ages to look at what a link’s URL is before clicking on it. But some unethical folks realized that they could register domain names using different alphabets, or a mixture of alphabets, which look just like the name of a reputable company. Once the problem was recognized, the makers of web browsers changed the way that URLs are displayed to make these more obvious (I think it’s based on including visible flags to mark any alphabet other than the user’s native one), but someone running old software could still be hit by it.
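An added illustration, not part of the thread: Python showing that Latin A and Greek Alpha are distinct code points that survive normalization unchanged, plus a simplified confusable-skeleton match and a mixed-script check of the kind browsers and registries apply to domain labels. The confusables table is a constructed partial one covering the letters jtur88 lists (Unicode TR39 has the full list), and the script lookup by Unicode name prefix is a simplification.

```python
import unicodedata

# Constructed, partial confusables table: the Greek capitals the post lists,
# mapped to the Latin letters they resemble, plus Cyrillic small a.
CONFUSABLES = {
    "\u0391": "A", "\u0395": "E", "\u0397": "H", "\u039c": "M",
    "\u039d": "N", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A, a classic domain homograph
}


def script_of(ch):
    """Script taken from the first word of the character's Unicode name
    ('LATIN', 'GREEK', 'CYRILLIC', ...); a simplification of Unicode scripts."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scripts_in(text):
    """Set of scripts used by the alphabetic characters in `text`."""
    return {script_of(c) for c in text if c.isalpha()}


def is_mixed_script(label):
    """Flag a domain label that mixes alphabets (e.g. Latin p, y, p, a, l
    around a Cyrillic a).  Note an all-Greek look-alike is not mixed."""
    return len(scripts_in(label)) > 1


def skeleton(text):
    """Replace each known confusable by its look-alike after NFKC
    normalization, so visually identical strings collide."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", text))


def is_homograph_of(candidate, known):
    """True when the strings differ as code points but look the same."""
    return candidate != known and skeleton(candidate) == skeleton(known)


if __name__ == "__main__":
    greek = "\u0391\u0395\u0397\u039c\u039d\u03a1\u03a4\u03a7"  # renders as AEHMNPTX
    latin = "AEHMNPTX"
    print(greek == latin)                                   # False: different code points
    print(unicodedata.normalize("NFKC", greek) == latin)    # False: normalization keeps Greek
    print(is_homograph_of(greek, latin))                    # True: same skeleton
    print(is_mixed_script(greek), is_mixed_script("p\u0430ypal"))  # False True
```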

I’ll admit encryption is not one of my strong points, but I’m not familiar with the attack vector you’re describing wherein an attacker can figure out partial passwords and get feedback that the partial password is correct during the process. Like **leacham** says, if a dictionary attack used a dictionary containing only valid English sentences, that would indeed be an easier attack than if valid sentences weren’t allowed (which I’ve seen, and hoo boy are those annoying). In that sense, I see your point. I’m only saying that password strength indicators often don’t give additional points for length, whereas as soon as you throw a number in there they’ll shoot from “weak” to “moderate.” As a shorthand for users, I suppose that’s OK, but there’s no reason that catfish79 is a substantially better password than catfishwd, and both are much worse than catfishfishcatcatfish.

eta: That is to say, a long combination of fish and cats is difficult to brute force, and a dictionary that contains enough combinations of English words to include catfishfishcatcatfish is going to be rather large. How large, and how difficult it is to compile a dictionary of that size to leverage in an attack, I really don’t know.

All of this brings to mind the Blonde Joke about the office girl who made a password mickeyminnieplutogoofyhueydeweylouiesacramento, because she was told to use 8 characters and one capital.

Short of finding a piece of paper that’s been cut off, there’s no case where the cracker knows that part of the password is “thisisreallyquitealong”. Security software is unlikely to send back “hotter” and “colder” signals as hackers try different passwords, after all. Until you get a perfect match for the whole password, the software just tells you, “No”.

And heuristics on word pairings are only useful if you know that most users use full sentences. If some users use random nouns, others write sentences, yet others write in l33t, and so on, optimizing your technique is unlikely to be all that useful.

It’s useful for reducing the search space, which I think is what Chronos is getting at. If you’re going to guess “thisisreallyquitealong”, you might as well follow it with “password” and a few other likely words. It’s not worth following it with “x7a6oyeu” and the other several trillion possibilities.